New York Times
Facebook Account Hacked, legitimate account holder suffers.
FACEBOOK’S initial public stock offering caused a lot of well-publicized agita. But if you think investors were the only ones fuming at the company, read on.
Q. In mid-April, my Facebook profile was hijacked. I could not sign into my account, and someone started posting photographs of sneakers on my home page, along with comments — mine, it seemed, to anyone who visited — like “Nike Air Jordan super sale, 75 percent off!” Soon after, my friends were getting messages urging them to buy sneakers.
I followed all of Facebook’s suggestions for reporting the abuse and had my friends report that someone was pretending to be me, to no avail. Just as bad, getting someone at the company to help proved impossible.
I have close to 2,000 Facebook friends and do not want to start from scratch creating a new profile and page. I understand that I signed off on Facebook’s terms of service, but it seems as if the world’s largest social network ought to handle a problem like this a lot more efficiently.
Can you help? Samuel Reed
A. Before we solve Mr. Reed’s problem, let’s pause a moment and consider the business model of the spammer who took over his account. The idea, apparently, is to fool the Facebook friends of Mr. Reed — a public-school teacher and a grandfather — into thinking that he had suddenly become a sneaker freak. And not just any sneaker freak, but one with links to an e-commerce site, Streetretro.com, which sells merchandise at discounts.
Regardless of who was behind this hijacking — an e-mail to Streetretro.com was not returned — it is hard to imagine that as a sales strategy, this one is very effective. But a lot of spammers try variations on this theme, as any Internet search will show.
Fred Wolens, a spokesman for Facebook, says it thwarts 600,000 attempts a day to hack into user accounts. Mr. Wolens did not say how many attacks get past Facebook’s defenses.
How was Mr. Reed’s account hijacked? He was probably phished, Mr. Wolens says. You can be phished when you enter your account information into a Web site other than Facebook’s. Sometimes these sites look like Facebook’s sign-in page; others proclaim offers for freebies of various kinds.
Facebook has a page about how to avoid phishing. It also has a page about what to do if you’re locked out of your own account, but the Haggler strongly recommends that you avoid this page unless you have actually been hacked, particularly if you are a Facebook user who is logged in. The site assumes that you’ve been attacked, and unless you hit “cancel” — one of two options you’ll have — you will be forced to change your password and security question. And you’ll learn very little about the hacking problem.
Mr. Reed got to know the hack page quite well, and he says he followed all instructions posted there. None worked, he said, and all he got from Facebook were some unhelpful automated e-mails. So the Haggler contacted Facebook and quickly heard back from Mr. Wolens. He said it would reach out to Mr. Reed through its User Ops team, which the Haggler likes to think is made up of men and women in Ninja costumes, saluting one another in a darkened room.
Soon after, a User Ops member sent an e-mail to Mr. Reed, asking him to e-mail a photocopy of a government identification card, like a driver’s license. Which Mr. Reed did. It would be nice to report that a speedy resolution followed, but for some reason, Facebook asked Mr. Reed to gain entry to his account using an e-mail address that wasn’t his. The Haggler conveyed this to Mr. Wolens, and not long afterward, Mr. Reed was back in his account, with instructions on how to delete all those sneaker ads.
How did Facebook perform through all this? Better than its shares! (The Haggler can’t resist a cheap joke at the expense of billionaires. It’s a weakness.)
Actually, it’s surprisingly hard to pin down exactly how much of Mr. Reed’s travails can be pinned on Facebook, because it is surprisingly hard to figure out what happened here. Mr. Wolens says Mr. Reed initially sent a message to Facebook through a queue that wasn’t in use anymore — in a “deprecated” queue, in the company’s parlance. But Mr. Wolens also said that Mr. Reed, after writing to that queue, was forwarded to the company’s standard help page. This is a confounding detail, and the Haggler is leaving out several others, mostly because they are very boring.
Suffice it to say, Facebook is obliged to make its system safe, but it’s hard to imagine how it can respond in some personal way to the woes of individual users. That said, the Haggler had to laugh when Mr. Wolens said that Facebook believes that its users prefer “self-remediation” — basically, online solutions they find without help — to dealing with Facebook employees.
After a few attempts at self-remediation, the Haggler thinks most people would prefer speaking to a human.
Let’s close by noting that Mr. Reed — who, by the way, teaches his students about how to deal with social media — says he thinks that Facebook deserves poor marks for the way it dealt with him. Facebook’s aloof and generic responses irked him. He made this point on the phone, when the Haggler wondered whether he could really describe himself, as he’d been doing, as a “Facebook customer.”
“Facebook makes its money from my personal information and the personal information of millions of other people,” he said. That creates an obligation, he went on. “My big thing is this — what kind of corporate culture does Facebook want to convey?”
E-mail: [email protected] Keep it brief and family-friendly, include your hometown and go easy on the caps-lock key. Letters may be edited for clarity and length.
A version of this article appeared in print on June 10, 2012, on page BU6 of the New York edition with the headline: Another Shoe Drops on Facebook.