For Jonca Bull-Humphries, a clinical researcher who lives in the D.C. area, being locked out of Facebook after a hack was more than just an inconvenience.
She was missing important updates from family and friends. She worried that whoever got into her account and changed the password and associated email address could misrepresent her to people she cares about.
Bull-Humphries said she tried for six weeks to get her account back, following the steps in Facebook’s official account recovery process. She pored over threads in the company’s community forums and even sent a picture of her driver’s license to verify her identity. Nothing worked.
“I’m feeling increasingly like a lesson to all of those hundred of millions of people out there. When something goes wrong, it’s really hard to get it corrected,” she said.
A quick Google search for “locked social media account” suggests plenty of people have already learned the hard way. Reddit threads, advice columns and emails to The Washington Post’s Help Desk show social media users are plagued by lost and hacked accounts and often driven to despair. Account recovery processes are frustrating and circular. Getting in touch with a human is rare. (But read on: With the right approach, some account-recovery stories have happy endings.)
Some accounts end up locked because of lost passwords, others because of bad password hygiene and adversaries working constantly to break in. Social media companies, meanwhile, juggle customer service and account security as they try to make sure fraudsters don’t abuse recovery tools to wrongfully gain access. Some of this could be solved with additional security checks, but those may be bad business for companies with a grow-at-all-costs mentality.
After I emailed Facebook about Bull-Humphries’ Facebook account, the company sent her a link to reset her password and all seemed to be well. But the next day, she messaged me again: The hacker was back in and Bull-Humphries was locked out.
Hackers target social media accounts because they want to spread scams, phishing links or misinformation, said Jon Clay, vice president of threat intelligence at cybersecurity firm Trend Micro.
When bad actors get their hands on social media account credentials, it’s often through phishing attacks that trick people into entering their passwords or by buying stolen credentials in shady corners of the Internet, Clay said. But sometimes, they exploit the very tools that help people get back into hacked accounts. That’s why the account recovery process is so complex, according to Facebook Head of Security Policy Nathaniel Gleicher.
“Any system that we build to help users get their accounts back, we also have to recognize that it becomes a threat vector for threat actors to exploit,” he said.
Facebook uses a combination of automated systems and actual people to help users when they get locked out, it said. As for its notoriously hard-to-navigate review process, Gleicher said, the company “needs to improve,” and that those improvements are in the works. The company would not share details or a timeline.
“This is an industrywide problem,” Gleicher said.
But the difficulty of balancing security and recovery is only part of the story, said Bruce Schneier, a cybersecurity expert and public policy lecturer at Harvard University’s Kennedy School.
Schneier said that Facebook could solve its account recovery problems with additional security features. For example, if the company required people to set up two-factor authentication, hackers couldn’t take over accounts with just a stolen email-and-password combination. But mandatory security stops would introduce friction into the user experience, and that’s bad for Facebook’s data-harvesting business, Schneier said.
Gleicher said that for people in other parts of the world, that type of mandatory security measure would do more harm than good. People outside the United States change phones and numbers often, he said, and two-factor authentication would pose a serious barrier to accessing their accounts.
Schneier said that users are stuck. Facebook has no meaningful competition, he said, so frustrated users can’t leave and go elsewhere.
Jennifer Eiss, a real estate agent in Boulder, Colo., felt confused by Facebook’s recovery tool and eventually gave up after her account was hacked in July, she said. She reached out to Hacked.com, a service for people locked out of online accounts. Eiss paid $500, and a Hacked representative got her back into her account within the week, she said.
“Worth every penny,” she said.
Hacked.com’s employees don’t use any actual hacking to get back into accounts, founder Jonas Borchgrevink said. (Never, ever, hire a hacker to get back into an account, he warned, adding that many of his customers have already been victims of scams like this.)
Instead, Borchgrevink and his crew have become experts in the oddities of Facebook’s recovery tool. For instance, some Reddit threads suggest sending Facebook photos of your ID up to seven times a day until you receive a response. A Facebook spokeswoman said repeated requests wouldn’t make a difference.
Borchgrevink walked me through what he described as a typical Facebook account recovery. It is elaborate — if you have the time and energy. He recommends the following steps if you get locked out a Facebook account.
- Make sure you’re connecting from the WiFi network and device you normally use. Go to facebook.com/login/identify. Find your account by searching for your phone number, email address, name or username. (Find your username by going to your profile — or having a friend go there — and checking the URL bar. It should show something like “facebook.com/YourUsername.”)
- Send a recovery code to your phone or email address. If you don’t have access to the number and address listed, select “No longer have access to these?” and “Cannot access my email.”
- If it lets you, reset your email address. If not, go to facebook.com/hacked and choose “my account is compromised.” Enter your old password, choose “secure my account,” and select “I cannot access these.”
- If it lets you, reset your email address. If not, open the Facebook app on your mobile device, try to log in, and select “forgot password.” Click the button indicating you no longer have access to the phone number and email address associated with the account. If it lets you, reset your email address.
Have a headache yet?
If you get to the form where you reset your primary email by submitting a photo of your ID, make sure the photo is clear and high-quality (no webcams) and that all four corners of your ID are visible along with your name and birth date, Borchgrevink said. If all goes well, Facebook will send an email to the new address allowing you to reset your password.
Once your password is reset, don’t celebrate just yet. If your account was hacked, the hacker may have set up two-factor authentication tied to their own phone number. That means you’ll need a special log-in code to bypass that requirement and get back in, which requires filling out another form and uploading your ID again. If that submission is successful, Facebook will send a link and code to your new primary email. If the link doesn’t work, try the code, Borchgrevink said. If the code appears broken, try the link.
Once you’re back into a hacked account, go immediately to Settings & Privacy -> Settings -> General -> Contact and make sure the email addresses and phone numbers associated with your account are yours, not the hacker’s.
Next, go to Security and Login in the left-hand menu. Scroll down and turn on two-factor authentication, making sure the hacker’s phone number isn’t connected. Last, glance at the “where you’re logged in” section and review your “authorized logins.” Disconnect any devices you don’t recognize. Under “setting up extra security,” turn on alerts for unrecognized log-ins and choose a few close friends — like family members or besties — who can receive account recovery codes on your behalf if anything goes sideways in the future.
Each social media site will have its own account recovery process — and some may be easier than others. Despite being owned by Facebook, Instagram is much harder to get back into, according to Borchgrevink.
A Facebook spokeswoman said account recovery rates are similar for Instagram and Facebook. She declined to share recovery rates.
If you forget a password, lose access to an email account or fall victim to a hack, there are a few things you can do. First, go to the app or site’s log-in page and check for account recovery links like “I forgot my password,” “I don’t have access to this email” or “My account was compromised.”
If that doesn’t solve the problem, look for the company’s help center or message its customer support email. (It’s often Support@CompanyNameHere.com.) In your email, feel free to include screenshots of any suspicious activity you noticed, like email alerts of log-in attempts or text messages with log-in codes you didn’t expect, said Anna Larkina, a web content analyst at cybersecurity firm Kaspersky.
It might also help to send all communications from the IP address you usually use and to share that IP address with customer support, Larkina said. (Google-search “what is my IP address.”)
Sometimes, you’ll notice a hack once the hacker changes your password and associated email, locking you out of your account. Other times, hackers play it cool, Trend Micro’s Clay said, using your account on occasion or waiting for the right opportunity to use it. Keep an eye out for messages you didn’t send, posts you didn’t create or purchases you didn’t make.
Most importantly, take steps now to prevent hacks. Once an account is compromised, getting it back is a pain, Gleicher said.
Facebook, as well as other social media, has tools built in to help prevent hacks before they happen — but you have to turn them on. At the least, go through your social media accounts and enable two-factor authentication, which lets you approve log-in attempts from your phone.
Create a brand new password for each of your accounts, advised Kaspersky’s Larkina. (As always, any password with the word “password” in it is off-limits.) That way, if one of your passwords is stolen in a breach, hackers can’t use it to break into other accounts. Hackers use bots to stuff commonly used passwords into log-in pages, Larkina said. Instead, go with a string of letters, numbers and symbols. A password manager will help you remember your new, hard-to-guess passwords without writing them down somewhere that isn’t secure — our favorite is Dashlane.
Lastly, keep in mind that hackers take advantage of account recovery processes and even spin up fake ones to trick you into sharing your password, Larkina said. If you get a message from what looks like a social media company saying that your account has been compromised, don’t follow any links or call any phone numbers in the message. Navigate to the site or app yourself, and contact customer service or take steps to change your password and secure your account.