The long, lonely wait to recover a hacked Facebook account

The first time 100 people tuned in to a live stream Lucretia Groce hosted on her Facebook cooking page, she felt a rush. Some viewers, including cancer patients whose appetites had been suppressed by chemotherapy, told Groce that watching her cook made them feel hungry again. “It really touched me,” Groce said, adding that “it feels like I’ve known these people forever.”

It all came to an abrupt end a year ago, when Groce was kicked out of his account. Someone had posted offensive content from her page, an email from Facebook said. When she tried to report the act as a mistake, Facebook showed her the offending post: A video of two children being forced to perform a sex act.

Groce said she cried for hours. Why did the site show her something so horrible without any warning? And how, without access to her personal account, could she restore the business site she had worked so hard to grow?

She had started the site after she quit her job as a home health aide at the start of the pandemic. After years of producing several videos a week, she had since grown the site to 17,000 followers. The extra income from ads in her videos allowed her to pay bills and stash away some savings, she said.

Her frustrating experience is not unique. The Help Desk, the personal technology section of The Washington Post, has received hundreds of emails from people who have been locked out of their Facebook accounts and have no idea how to get back in. Many lose their accounts to hackers, who take over Facebook pages to resell them or to game search engine rankings.

In some cases, losing your account is a disadvantage. But in many others it is a threat to the finances, relationships or well-being of the user. For example, Groce estimates she has lost $18,000 in income after waiting months for her account to be unlocked.

“We have customers crying on Zoom calls because they’ve lost their business and their livelihood,” said Jonas Borchgrevink, founder of Hacked.com, which helps victims navigate the notoriously confusing process of recovering hacked Facebook accounts.

Facebook rose to global dominance by promising to be a central hub for our lives, introducing tools to help us run businesses, make payments and even keep track of loved ones during disasters. But when you hit a snag, like an account takeover, that support disappears, dozens of users say, leaving people to float in an automated system.

Despite reporting revenue of more than $27 billion in the third quarter, Facebook’s parent company Meta is a multinational tech giant with no real customer support, users say. This month, Meta announced that it will lay off 11 percent of its workforce. It is unclear how these cuts will affect account security and customer support.

Last year, Facebook told The Post it was working on new processes to address these issues. A year later, not much seems to have changed. The company has no new initiatives to help people recover their accounts.

According to a report in the Wall Street Journal last week, Meta has disciplined more than two dozen employees and contractors in the past year for illegally accessing user accounts, in some cases accepting bribes to do so.

Meta has said it will continue to take action against such employee behaviour. The Identity Threat Resource Center, a nonprofit that helps people respond to hacks and identity theft, said reports of takeovers of social media accounts rose 159 percent from 2021 to 2022. And Hacked.com said it has more than doubled many customers this year compared to last.

“Over the past year, we’ve made significant progress in raising awareness of common online threats that can lead to compromised accounts, improving our account recovery flow to support people who have been banned, and helping them regain account access its again,” Meta spokeswoman Gabby Curtis said.

Hackofre says they can’t get in touch with customer support staff over the phone, and email responses from customer support are often innocuous and unhelpful. Some upload sensitive personal information such as driver’s licenses only to hear nothing back.

Facebook told The Post last year that mandatory two-factor authentication or easier recovery would create more security problems than they would solve. But other firms don’t seem to have the same problem, said ITRC chief Eva Velasquez.

Financial institutions, for example, used to have much greater problems with account takeovers before they implemented basic security measures, she said. (You can turn on two-factor authentication in your account settings and choose a password you don’t use anywhere else.)

The ITRC receives hundreds of calls a year from people who have been banned from their Facebook and other online accounts, Velasquez said. Its call center workers are trained to respond to trauma because hackers don’t just feel annoying to victims, they feel abusive. When Facebook users can’t get help, they turn to the ITRC or the Federal Trade Commission, which collects complaints about online fraud. The FTC refused to provide data on hacked social media accounts and any efforts to combat the problem.

“ITRC has become a de facto outsourcer for Facebook’s customer service because they simply don’t have any,” Velasquez said, adding that Facebook keeps the money it generates while ignoring problems and leaving the problems to others to solve.

Hacks cost victims time

Losing access to a Facebook or Instagram account takes seconds. Getting it back can take years. Aaron Elekes used his Facebook page to promote the radio shows recorded at the Las Vegas studio he owns. After the 50-year-old fell for what he believes was a cyber attack called phishing and was banned from his account in March 2019, he found that all he needed was a little persistence. He estimates he spent more than 24 hours doing research online and searching for answers.

Eventually he gave up and created a new account, but each attempt was flagged as suspicious and deleted. So he did what any sane person would do: He created a new account with the name and likeness of his cat, Yumyum.

Hacks cost victims money

Facebook presents itself as a place to connect with friends and family, but it is also a busy marketplace. When small business owners who use the platform to make money get banned, they can lose their livelihood.

Groce, who lost her cooking page in an apparent hack, said she spent months going in circles within the account recovery portal before giving up and starting a new page with zero followers. All the while, her old videos were still making money, according to invoices reviewed by The Post, but none of the money showed up in her bank account. She still doesn’t know if the hacker substituted her own bank details and took her ad revenue.

Many others use Facebook to run business pages, like social media manager Howard Baltus, who posted on behalf of dozens of small companies. In July, Baltus woke up to an email from Facebook: he had lost access to his personal page.

Then he saw the rest of the emails. Like dominoes, the initial account takeover had allowed the hacker to hijack the company pages and delete the administrative access of the business owners. Not only did Howard lose access to the sites, so did his clients.

It was the start of a long struggle that led nowhere, according to Baltus and his wife, Rose. Based on Facebook customer service messages shared with The Post, Rose and Howard emailed at least six different representatives over three months. As the hacker continued to charge ads to a credit card the Baltuses didn’t recognize, Howard and Rose repeatedly messaged customer support.

When Facebook representatives responded, they would ask Baltusians to be patient and that the situation was under review. “Keep smiling!” read a reply in September.

In the end, Facebook support came back with a ruling: “We have determined that there was sufficient evidence to suggest that the pages were compromised, but given the problems present in the company managers as current [sic] own them, ownership of them cannot be transferred.” The email encouraged them to check out the Facebook Blueprint product, which offers free marketing courses.

Howard responded with an expletive-laden screed about the lack of support for Facebook marketing clients. “You guys are really silly at what you do,” he wrote. “We thank you for your understanding,” replied the representative. At that point, the Baltuses estimate they had lost about $20,000 in income.

Hacks cost victims peace of mind

As Facebook cast its net wider, with new features to capture more of our time and attention, so did the cost of losing an account. People now turn to Facebook for everything from organizing social gatherings to saving important memories.

Take Joyanna Livingston, a bookkeeper from Hillsboro, NC, who said she felt lonely during the first year of the pandemic. So she started a private Facebook group for herself and other women to process what happened. One or two she knew in real life and the rest were strangers, but they quickly bonded through posts about their families, health and jobs.

When a hacker took over her account in late 2020, her first thought was about privacy: All the intimate posts were now exposed to a stranger.

Other hack victims share similar frustrations. Heidi Hayes, an actress in Pittsburgh, was unable to access the materials for her acting classes, which were all posted in Facebook groups. Colleen O’Shea, a 61-year-old from Calgary, Alberta, watched her husband, Guy, gleefully share live video of their teenage son hitting a hole-in-one in a golf tournament.

When Guy lost his account to a hacker, they also lost the video. It was the only copy they had. Not every hack story ends bleakly. Sometimes a fixed process breaks loose, and people find that the same forms that led them in circles the day before suddenly work.

That’s what happened to Cassie Bonstrom, a 37-year-old nurse in Minneapolis. Bonstrom often spoke on Facebook Messenger with his lifelong friend who, due to difficulty communicating in person, relied on Facebook Messenger to stay in touch. In September, a hacker broke into the friend’s account and changed the profile name. Bonstrom was able to kick out the intruder by changing her password, but when she tried to fix the name, Facebook told her she had to wait 60 days.

Bonstrom sent the request again and again and again. After her kids went to bed, she sat down to her new part-time job: battling Facebook. When the automated system returned a “no,” she started over. After four days, the request went through.

Everything was as it should be. But Bonstrom found it odd that she couldn’t get in touch with anyone at the company. “They must have at least 1,000 employees, right?” she said. Meta has tens of thousands of employees. The company says 40,000 is dedicated to safety and security.