How to find out if your Facebook account has been hacked

Joanne Hogue, a US-based PR executive, was working in the UK when she realised her Facebook account had been hacked. The first sign was an email from Facebook alerting her to a login attempt from New Jersey in the US. Seconds later, Hogue’s password was changed. Panicked, she tried to sign in to Facebook, but it was too late, she was locked out.

From there, things only got worse. Hogue requested a password reset email, but it was sent to an address belonging to the hacker. The criminals also changed the phone number associated with her account. 

Over the following days, Hogue says she contacted Facebook up to five times a day, via email and the social network’s self-service option for hacked accounts. Finally, after a week, she heard back from the social network. “Facebook said they’d send a password change link to my cell phone – but this did not work because they had the wrong number,” she says.

Another Facebook user, Kris, who did not want to share their real name for fear of being further targeted by hackers, has been locked out of Facebook since the end of August after a criminal set up two-step verification to their own email address. “My situation isn’t covered on Facebook’s Help Center page. There are directions on how to reset a Facebook account, but no advice on what to do if a hacker adds two-step authentication.”

These experiences are not unusual. Facebook’s massive base of nearly three billion users makes the social network attractive to scammers and hackers, and if you haven’t been targeted already, it’s likely you will be at some point. Here’s how to tell if your Facebook has been hacked, what to do, and how to protect your account.

How Facebook gets hacked

Facebook has been widely criticised for its security and privacy. The social network has been hacked multiple times, and its reputation has never fully recovered from the Cambridge Analytica scandal in 2018.

Combined with recent data leaks, there are now millions of Facebook usernames and passwords available on the Dark Web. These details can be used by criminals in phishing attacks to steal passwords via fake login pages, or trick people into transferring cash. One well-known Facebook Messenger scam uses a bogus video to lure people onto a fake login page. First seen in 2017, the “is that you” video aims to steal Facebook credentials and infect devices with malware.      

“Attackers want to steal your identity so they can take advantage of trust in your profile and friends,” says Chloe Matthews, a threat intelligence analyst at cybersecurity company F-Secure. “They then use your profile to share malware or perform phishing attacks.”

How to tell if your Facebook account has been hacked

The first sign your Facebook account has been hacked is usually an email to notify you that your password has been changed. Adversaries will then try to lock you out by changing your account recovery options and email address. “If you're suddenly logged out of Facebook and your password no longer works, you've probably been hacked,” says Paul Bischoff, a privacy advocate at tech research company Comparitech.

Some criminals will compromise your account, lock it, change the password and do nothing with it for some time. “Some people’s Facebook accounts are hacked and there’s no unusual activity for a while – the profile might then be sold on to a third party,” Matthews says.

To stay under the radar, some criminals won't even change your password. “They may want to make occasional but long-term use of your account and don't want to make it obvious,” warns Paul Ducklin, principal research scientist at security firm Sophos.

Clear signs you have been hacked include unusual messages to your friends – which might show up via your Facebook email notifications – and posts you don't remember making. Adversaries may also follow or friend request people you have no obvious connection with. “Facebook Apps you have authorised to access and post to your account may go rogue and scoop up information from inside your account, or send out unwanted posts on your behalf,” Ducklin says.
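The signs described in this section can be checked mechanically against a login and settings history. The following is an added example, not code from the article or from Facebook; the record layout, event names, device labels and sample timeline are constructed for illustration and do not reflect the format of Facebook's data download or Activity Log.

```python
from datetime import datetime, timedelta

# Constructed sample timeline. The record layout and event names are
# hypothetical; they are not the format of Facebook's data download.
EVENTS = [
    ("2023-02-20T03:14:00", "login", "unknown-tablet", "London, UK"),
    ("2023-03-01T08:02:00", "login", "laptop-home", "London, UK"),
    ("2023-03-09T14:11:05", "login", "unknown-browser", "New Jersey, US"),
    ("2023-03-09T14:11:40", "password_change", "unknown-browser", "New Jersey, US"),
    ("2023-03-09T14:13:02", "recovery_email_change", "unknown-browser", "New Jersey, US"),
    ("2023-03-09T14:15:19", "phone_change", "unknown-browser", "New Jersey, US"),
    ("2023-03-09T14:20:00", "two_factor_added", "unknown-browser", "New Jersey, US"),
]
KNOWN_DEVICES = {"laptop-home"}
KNOWN_LOCATIONS = {"London, UK"}
# Changes that alter who can sign in to or recover the account.
SENSITIVE = {"password_change", "recovery_email_change", "phone_change", "two_factor_added"}


def find_takeover_signs(events, known_devices, known_locations,
                        window=timedelta(minutes=30)):
    """Flag logins from unrecognised devices or locations and list the
    sensitive changes made from the same device shortly afterwards."""
    parsed = sorted((datetime.fromisoformat(ts), kind, dev, loc)
                    for ts, kind, dev, loc in events)
    findings = []
    for when, kind, dev, loc in parsed:
        if kind != "login" or (dev in known_devices and loc in known_locations):
            continue
        changes = [k for t, k, d, _ in parsed
                   if k in SENSITIVE and d == dev and when <= t <= when + window]
        if "password_change" in changes and len(changes) > 1:
            # Password plus at least one other sign-in or recovery setting.
            verdict = "lockout in progress"
        elif changes:
            verdict = "settings changed"
        else:
            verdict = "unrecognised login only"  # quiet access, nothing changed yet
        findings.append({"login": when.isoformat(), "device": dev,
                         "location": loc, "changes": changes, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in find_takeover_signs(EVENTS, KNOWN_DEVICES, KNOWN_LOCATIONS):
        print(f["login"], f["device"], f["location"], f["verdict"], f["changes"])
```

The first finding is the quiet case, an unfamiliar device with no changes made; the second is the rapid lockout sequence of password, recovery email, phone number and two-step changes.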

What steps can be taken to recover a Facebook account?

If you are concerned your account has been compromised, you can request a download of your data. “This will show any changes in your profile, and you can see which devices are logged in and their location,” Matthews advises.

Once you’ve confirmed you have been hacked, it’s notoriously difficult to recover your account. According to recent reports, a limited number of Facebook users have managed to gain access to their hacked accounts through the social network’s VR device Oculus Rift, but experts don’t recommend this. The cost of doing so is also high – £299 for the social network’s gaming headset.

Initially, you should follow the self-service account recovery process provided by Facebook. You will then be asked what alerted you to the compromise, and given the option to add a passport or driving license to prove your identity. In tandem, you can also ask your friends to report that your account has been compromised – which could speed up the recovery process, says Bischoff. “If Facebook sees a lot of reports about a single account, it may be quicker to take action.”

If a criminal locks you out of your account, you may be able to prove your identity to Facebook via ID such as a driver’s license. There is also Trusted Contacts in your Security settings, which allows you to name friends who can validate who you are if your account is hacked.

Hogue says Facebook wouldn’t accept her driving licence as ID when her account was compromised. Later, a ‘cyber security expert’ she contacted via Twitter offered to restore her account for $100. Hogue refused.

Yet she did get her account back in the end, weeks after her initial efforts, when she tried to access Facebook again after a friend sent her a video to watch. When Hogue clicked through to Facebook, the social network had added recovery options that were not available previously. “I had to confirm five friends I was connected to on Facebook and a couple of memories. Surprisingly, this worked and my Facebook account was unlocked.”

How to avoid Facebook getting hacked

The best form of protection is to prevent your account from getting hacked in the first place. Facebook says it provides guidance and tools to help keep your account safe. “We will keep improving our systems to detect malicious activity, including through the use of machine learning,” the social network says.

To help prove your identity when reporting your account has been hacked, Jake Moore, cybersecurity specialist at security company ESET, recommends using a device that Facebook would recognise, for example a laptop connected to your home IP address.

At the same time, pay attention to your passwords. Weak or reused credentials are a common weak point through which adversaries are able to access Facebook accounts. “Don’t reuse your password across sites, use a strong password via password generator or manager – and make sure your passwords are unique,” Matthews says.

You can also check out HaveIBeenPwned – a password checking service set up by former Microsoft exec Troy Hunt – which will alert you to any compromised credentials so you can change your password if needed.

Meanwhile, set up two-factor authentication on your account for extra protection in addition to a password. Avoid email and SMS if you can – as these factors are easier to bypass – and use a security key such as the Yubico YubiKey or an authenticator app such as Authy. “The best and simplest way to protect a Facebook account is to use a unique password along with an authenticator app-generated code for two-factor authentication,” says Moore. “Make a note of the generated backup key and then turn off the option of account recovery via SMS.”

You can also enable Facebook alerts about unrecognised logins to help you catch and deal with account takeovers more quickly. Settings and Privacy > Activity Log displays what has happened recently on your account. Settings and Privacy > Security and Login shows which devices are currently logged in, and includes a link to Log Out of All Sessions.

It's important to review your list of approved Facebook apps, websites and games regularly via Settings, Apps and Websites, and keep these to a minimum. “Revoke anything you aren't using,” Ducklin advises. “It's easy to forget about Facebook apps you approved years ago.”

How do you know if someone hacked your Facebook account?

Your account may have been hacked if you notice that your email or password has changed, your name or birthday has changed, or friend requests have been sent to people you don't know.

Can I check if my Facebook has been hacked?

Check to make sure your account really has been hacked. Click Settings and Privacy > Settings and a new menu will pop up. Choose the Security and Login option and then Where You're Logged In. If there is a login from a device you don't recognize, then your account may have been hacked.

Who can I contact about my Facebook being hacked?

The best thing you can do is contact a Page admin or someone with Facebook access with full control to the Page and ask them to add you back. There are different kinds of Page roles and access, and only Page admins or people with Facebook access to a Page with full control can add or remove people.

What are the 2 possible signs that you have been hacked?

Some of the warning signs that you've been hacked include: You receive emails or text messages about login attempts, password resets, or two-factor authentication (2FA) codes that you didn't request. You see logins from devices and locations you don't recognize in your account activity or sign-in logs.
