On Thursday 9th December at around 12.40am, I couldn’t log in to my personal Facebook account on my mobile. I googled for “Facebook outage” but there was none.
At 1.09am, my friend texted me:
Here’s a close-up of the display pic the hackers changed to:
I tried to log into my Facebook account. But a message said that I was too young to be on Facebook. The hackers changed my age on Facebook. Facebook asked me to send them a photo of my ID (this is a legit Facebook way of identification although I can see many forms of abuse here). I had no choice but to send Facebook a photo of my passport.
I went to sleep and in the morning, I received an email from Facebook that they had unlocked my account. Great.
I tried to log in but immediately I was banned again. FB said that I posted child pornography.
So I needed to restart the entire process of sending in my ID. I did that again.
At the same time, I replied to the email, telling them of my situation because the email said that “if you have any problems logging in, please let us know.” But they did not respond.
On Friday 10 Dec at about 1am, I was checking my bank account and discovered that the hackers had used about $726 from my account.
My personal Facebook account is linked to my Rubbish Eat Rubbish Grow Facebook page and Instagram page. Sometimes I promote posts and need to pay Facebook using my debit card. The hackers must have used my card information to pay for something.
Later, when I finally regained my Facebook account, I knew what they paid for. They added me as an advertiser to a Facebook page called Clarky Cover (run by Vietnamese. I reported the page already, so it is now down).
Upon seeing my bank account, I immediately called the DBS hotline (1800 111 1111) and told them about it. Alin was the person in charge. She immediately cut off my compromised card but she couldn’t stop the transaction. She said that the bank would raise a dispute with Facebook which will take 60 days and in the meantime, the bank will credit me the $725 first within 7 working days. This was reassuring. However, why wasn’t I notified of this transaction? Why didn’t DBS and Facebook do the two-factor authentication?
Then I also filled in a Facebook form to report the fraud. I haven’t heard from them yet.
Because it was the weekend, I waited for a while for Facebook to respond.
Eventually, Facebook rejected my application to access my own account. My account is now disabled permanently. Because my personal Facebook account is tied to my RERG page and Instagram account, it means that I cannot access them too.
In addition, the hackers started fake accounts that look like mine.
I had no one to turn to at Facebook. Everything is automated, forms are automated, replies are automated. I need a human being to speak to to solve my issue.
On 14th Dec Tue, I asked my friends for help, “Do you know anyone working for Facebook? I need to speak to somebody.” When I asked for help, many people responded that this is a common problem. Some friends do know Facebook people but somehow they are afraid to approach them for help. But a startling number of people don’t know any Facebook workers; this was very surprising to me since the friends I asked for help work in Google, TikTok, digital marketing, media agencies, etc.
Finally three friends responded; they had friends working at Facebook. This is going to sound like a fairy tale where the first little goat crossed the bridge, the second goat crossed the bridge, the third goat crossed the bridge. I’m going to name the Facebook staff #1, #2, and #3.
The #1 Facebook guy said to my friend A, “Oh so sorry to hear this. I’ll look into it.” But he didn’t ask for any of my details, how was he going to look into it?
The #2 and #3 Facebook staff helped a lot. They asked me for some info and they submitted a ticket. Because they submitted a ticket, I got an email within 48 hours and was able to activate my Facebook again.
TL;DR version: The hackers did a really thorough job. They posted an ISIS banner as my display pic and child pornography to close my private account permanently, preventing access to my RERG Facebook page and Instagram. They spent $725 on Facebook using my card and then created several fake IG accounts. They did everything to prevent me from getting my account back. Facebook AI on the other hand did nothing to prevent the hacking and nothing to help the users. There are many forms to fill but they are all automated and couldn’t solve the issue. You have to reach out to your network or friends working in Facebook to truly help.
What Did You Do Wrongly?
One of the most patronising and triggering pieces of advice I received was: did you set an easy password?
I’ve been in the digital business for more than 10 years and these people aren’t even related to digital. To answer the question: NO. My password was a mixture of big and small caps, letters and numbers in random positions. For example: it’s not XYZ123 but more like X6Yb7n1.
Stop victim blaming. Stop gaslighting. It’s never the hackee’s fault. Asking if I used an easy password is similar to asking a woman if she was dressed scantily (ok, not really, sexual assault is way more serious). Stop this nonsense. It’s always the active perpetrator’s fault.
Strangely, a few days before the hacking, I had a nagging feeling to change my password. But I was too lazy. Lesson learnt: always act on your instincts.
I also didn’t click on any weird links and websites. I didn’t download any apps recently. I didn’t give permission for any app to get info from Facebook.
I did everything right except one thing. I didn’t set up two-factor authentication for Facebook. I should have done it.
TL;DR version: if you can’t help others, keep your patronising 20/20 hindsight noob advice to yourself.
What to do when your Facebook is hacked?
This is what I learned:
1. Secure your account after it has been hacked. Get into your Facebook and then change your password. Check out the tips here. Facebook will have guided steps for you to secure your account. GO THROUGH THE STEPS VERY CAREFULLY.
For example, FB will ask if you didn’t add any of your friends. I didn’t add her!
I suspect that the hacker added her as my friend, and she added me to the FB Page, Clarky Cover, which used my account to advertise the page.
2. Although FB’s guided list to secure your Facebook account is quite thorough, it misses out on two things: (a) Check your apps (go to FB Setting>app). Delete any strange apps you installed recently. (b) If you manage a FB page, check under the pages you manage. This is how I knew that I was added to Clarky Cover as an admin. Go to the page and remove yourself as an admin.
3. Set up two-factor authentication on Facebook.
4. Delete all Facebook-related apps on your phone, including the Facebook app, Facebook Business Suite, and Messenger. Use only your computer to secure your account first. Once your account is secured, then reinstall the apps and log in. This is because some reporting functions don’t work on apps, which will cause a miscommunication between you and Facebook.
5. Check your bank and credit card statements. Cancel all cards. Call your bank to inform them. Remember that you need some spare physical cash to tide you over for a few days (so primitive, right? cash). If hackers took your money, fill in this Facebook form.
6. Change the passwords to all your social media, emails, shopping sites, all. Needless to say, you should have a different password for a different account. Keep your passwords in written form, hard copy, and not on your computer or phone where hackers can hack in.
I was prepared for the worst circumstances to let go of my FB personal account, FB business account, and IG account. But luckily, my friends helped me. However, till today, FB Fraud department hasn’t responded to me after I filled in the form. I know the money will likely be refunded so I’m not so worried.
What is horrible in this week-long ordeal is dealing with Facebook AI. It is at the moment unable to help in cases of such total, annihilating hacking that prevents users from getting their accounts. FB needs to set up a customer service with real people behind the computer to help in these extreme cases.