My Facebook account was hacked and it was a tiring and frustrating process to get it back

  • I was hacked on January 27, 2023 and after a long and tedious process, recovered my Facebook account nine days later
  • Why was my Facebook account hacked? There are a few reasons why I think my account was compromised
  • Having experienced it, being hacked is a frustrating and emotionally draining ordeal
  • The steps I took to ensure my account security after successfully recovering my Facebook account and suggestions for others who are going through the same

January 27, 2023, Friday, around 8 AM - I was just browsing the internet at work and looking at my phone from time to time. Like most people who own a smartphone, opening your screen during idle moments is already an ingrained habit. I opened my Facebook app and noticed that I was logged out, and my profile picture was replaced with a black image with white Arabic text. I did not initiate these actions.

Then it dawned on me - I was hacked. It was the last thing I expected. I could not log in again with the usual password.

I lost access to that Facebook profile and the Instagram account connected to it. 

I excused myself from work that day and immediately went home to check my laptop where most of my accounts were connected. My hunch was right - I received an email from Facebook that an unfamiliar email address had accessed my account and changed all my details.

I changed my bank account and PayPal passwords that were linked to that account.

Good thing that I had a burner account that I only used to manage my pages. I immediately sent a message to a friend that my main account was hacked. She checked my profile and the hacker managed to post a story: 

I learned that a common tactic of hackers is to post images clearly violating community standards to get your profile flagged by Facebook.

The morning passed in a panicked blur. I managed to use all the hacking reporting features of Facebook. I reverted my e-mail back to an address that I can access. However, I faced another roadblock. The hacker must have enabled two-factor authentication on their side, and I could no longer log in since I couldn’t receive the login code on my phone.

But since I reported the hacking, my account was temporarily locked. It was a safety feature to ensure that it can’t be used.

I reported the hacking and removed the hacker's e-mail on my account.

There was another option - I clicked on “Need another way to authenticate?” and in this option, I had to provide a valid email address and submit a valid ID. In this process, you have to take a picture of the ID with the camera of the device you are using (uploading of scanned IDs is not an option). I had difficulty taking a picture of my ID with the low-quality webcam of my laptop. It would take 24-48 hours before Facebook would respond.

After a couple of days, the only automated response from Facebook was that my ID was not accepted as it wasn’t readable. I had to go through the same process again, but this time I used a different valid ID and went through the process on my phone. The camera on my phone was a bit better than my blurry webcam. I only had to wait.

But the waiting wasn’t a very relaxing time for me. I scoured Reddit threads, read articles, and tried to find information from people who had the same experience. Though I had deactivated that account many times in different periods, there were still more than ten years’ worth of photos and memories stored in that profile.

Aside from the personal information, I also manage several pages such as Malditang Librarian, PH Library News, and Real Iloilo. I used that account to run ads for certain brand campaigns. My PayPal was connected to it, and it was scary that it might be used for other purposes.

(Almost) Recovering my Account

Finally, I received an e-mail from Facebook that my ID has been verified. Since I could not log in with 2FA as the hacker enabled it, Facebook sent a special code to use as a password to bypass the step that required it. I used it and successfully got back in!

But not so fast.

Here, I faced another challenge. Since the hacker posted images of terrorists on my story and wall, I was flagged for violating community standards against content on terrorism. Just when I thought the problem was solved, I could not log in again. I had to try to appeal it and went through another verification process where I had to upload the same valid ID.

I felt like I was going around in circles. The process was all automated; it's not like you can just call a number and get the issue sorted. I already uploaded a valid ID, why upload again? I had already reported I was hacked, and those posts were posted after the e-mail changed.

But I tried again. From the experiences of others, sometimes they had to go through the process many times before they got their account back. 

While writing this, I also learned that this was a common tactic. The hackers would post content that clearly violated rules against terrorism or sexual content. I’m not sure if the hacker was connected to terrorist groups, but these were the images: 

Then on February 1, 2023, I unexpectedly received a notification on Instagram that my account has been reinstated after being wrongly disabled. It was the same account connected to that profile. There was a glimmer of hope - if my Instagram was back, then there was a chance that my Facebook account would be.

My Instagram connected to the hacked account was retrieved - giving me hope that I might recover my account after all

Successfully recovering my hacked Facebook account

February 4, 2023, Saturday morning - I received another e-mail that my ID was verified. A login link and a temporary password were given again. My hands were shaking and my heartbeat was getting faster. This was almost driving me to panic mode since I might be wasting another effort to get back in. What if I will only repeat the frustrating process again?

I disabled the two-factor authentication and successfully got back into my account. I immediately checked my pages. 

The hacker had connected my account to several pages and was running advertisements with it. Since Facebook flagged it as suspicious activity, I was also banned from running ads.

My hunch is that it was what the hackers were after - my ad account and the payment channels connected to it.

Why was my Facebook account hacked?

Before I criticize Meta and Facebook, I admit that I also had failures on my part to secure my account. Before it happened to me, I had a false sense of security. There were things I could have done better.

I have not changed my password for years. I also used the same password for several other online accounts.

My two-factor authentication was weak. I should have added more security options. 

In Facebook, there are several ways to enable 2FA. You could have an OTP sent to your mobile number, login codes from an authenticator app (I used Google Authenticator), recovery codes, or a physical security key. After I logged back in, I changed my passwords and enabled more security features.

I might have been a target since I was running several pages, and I had an active ad account.

However, I wasn’t satisfied with Meta’s system. I understand that automated processes are necessary, but I found myself repeating the same verification processes again and again. 

Then maybe, I could have been a victim of a data breach. A few days after I was hacked, the Iloilo City Government page was also hacked along with many other profiles. As of this writing, the Iloilo City page has not been recovered and the hacker still posts pointless content.

But after a day of getting back my account, I still could not feel relaxed. I was anxious that I might click the wrong button, or accidentally open a link. I was happy to get that account back, but I don’t feel like I can use that account safely anymore. I turned on all security settings I could and edited the admin roles on my pages. Then I deactivated that account.

I am not sure when I will be logging in again. I’m no stranger to deactivation, I’ve done it several times before. I would deactivate my account for months when I’m really busy working on something. I deactivated way back in 2014-15 while studying for the board exam. When I was writing my Master’s thesis, I was gone for almost a year. I also deactivated sometime in 2020-21, back in the worst of the COVID-19 lockdowns when all the news sources and posts were just talking about the pandemic.

Tips to prevent Facebook hacking from my experience

From my experience in being hacked, here are things I should have done. But since it already happened, I won't waste time regretting it and will just do what I can now to secure my account and prevent future hacking.

  • Utilize all security options. We always get notifications about updating our security settings, especially passwords and enabling two-factor authentication. I ignored these messages and trusted that my account was safe anyway. This experience reminded me that I am not immune to hacking no matter how much I think that I am tech-savvy. It could happen to anyone at any time, so it's better to be prepared, be vigilant, and be careful.
  • Change passwords regularly or use a password manager. I recently downloaded Bitwarden, an encrypted password manager. My old habit was to use the same e-mail and password on many online accounts. This will not work at this time anymore as hackers are getting more sophisticated. What I like about Bitwarden is it generates strong passwords and stores them safely.
  • Have a backup plan. Since I was managing several pages that were vital for my blogging and work as a content creator, I cannot afford to lose access to my pages. If my one account as admin gets hacked again, then those pages I worked so hard on would just disappear because of malicious hackers. I added my sister as an admin to my most followed pages. It’s also good to add another person you trust as admin to pages in case of whatever happens to your page. You might think you are safe, but it's better to plan for the worst case scenario.
  • Don’t be too dependent on social media. I always say that content creators shouldn’t just rely on social media platforms, since they are unpredictable and you don’t know when you will be hacked or disabled. Since social media networks are still owned by private companies for profit, they still make the rules. When it comes to information and photos, it’s better to also have your own copy and not just rely on social media to store them for you.

    I realized that I was getting more dependent on social media, just opening it without thinking when I’m free. I consume more content than create content. I realized I should seek out other more meaningful activities rather than just rely on social media for entertainment. All that idle time scrolling through a feed, I could have done something better.
  • Always be updated and informed about security issues. As a social media user and content creator, I know that it is my responsibility as well to be informed about updates and community rules/standards. While we can’t totally stop hackers, we can also do our part to protect ourselves from malicious people who only want to do harm.

It felt very frustrating when I was hacked. I felt powerless, and berated myself for being an idiot when it came to security basics. I had thought that it would never happen to me. Then I realized, this illusion of security is what the hackers want.

While social media has numerous disadvantages, it is also a way to connect with others, like relatives or friends who might live farther away. Work now wouldn’t function without social media. Losing access to that account feels like losing a vital part of daily life. 

I deactivated that account, and now only maintain another account for work and important relationships. My friends list is down to forty people - my immediate family, colleagues, and important business contacts. I realized I didn’t need a fat friends list of people I barely know anyway.

While frustrating, this experience has also been a wake up call. I admit that sometimes I only post for the feeling of validation, the quick feeling of happiness when people react to my posts. I should have used that time creating meaningful content. I should have used that time more creatively. 

I will be writing and creating more content on this topic to help other victims.
