The anatomy of a Facebook account heist

Caleb Luke Lin for Vox

Hungry for money, hackers in Vietnam have hacked into thousands of Meta accounts.

Jessica Sems was on Facebook at 2 am when hackers struck in a series of attacks. First, she was locked out. Then, her account data — photos, posts, even her name — were all gone. Within a few minutes, the entire profile looked like it belonged to celebrity portrait photographer Jerry Avenaim.

Feeling overwhelmed, Sems logged in to Netflix instead, only to realize she’d been locked out of that too. When she called customer support, Netflix said they had no record of her email address being associated with an account, despite her having been a Netflix customer for eight years. She was able to get back on Netflix after chatting with support for an hour, but as of late September, her Facebook account had still not been recovered since the initial hack six months earlier.

“For me, it’s more than the photos and memories,” said Sems, who lives in the Midwest and is in the midst of a custody dispute. “I need those messages to prove my husband should not have our children. Now, I don’t have a case. I’m lost now.”

For decades, hackers have conned people into clicking on malicious links, luring them in with spam-ridden emails that boast fake credit card offers or request false password resets. But what happens when someone hijacks your entire Facebook profile? What would a hacker even want with photos of your friends, your list of likes, or your years’ worth of status updates? The answer is simple: money.

Around the world, sometimes hiding in plain sight, a digital black market worth millions of dollars is thriving. While many people might think of Russian state-sponsored hacking groups when it comes to infiltrating social media platforms, there’s actually a global network of hackers participating in an underground economy where things like Facebook and Instagram accounts are commodities. Through forums and private chat rooms on apps like Telegram, hacking tools and access to these accounts can be bought and sold, often in exchange for cryptocurrency. The accounts themselves can then be repurposed for all kinds of nefarious schemes. The more prominent or more verified the account, the more it’s worth.

“It’s all about the easy money”

“It’s all about the easy money,” Hieu Minh Ngo, a prolific ex-hacker turned cybersecurity researcher, told Vox. “A new Facebook account has no value at all, but an old Facebook account is so valuable on the market.”

Ngo, who is based in Ho Chi Minh City, was arrested in 2015 after participating in a scheme to gather and sell the personal data of hundreds of thousands of US citizens. He now works as a threat hunter at the National Cyber Security Center (NCSC) in Vietnam, in addition to serving as the co-founder of Chống Lừa Đảo, an anti-scam nonprofit.

Exactly how hackers go after legitimate accounts varies. Some take advantage of users with weak passwords, while the majority of hackers who lurk in these Telegram groups break in via cookie theft. Cookies aren’t inherently bad. These small files placed on your computer or phone by a website function as the site’s short-term memory, but when those cookies get into the hands of bad actors, they allow for easy access to a slew of apps and even credit cards.

This is how cookie hijacking works. Once hackers gain access to a user’s cookies, either by buying the files or stealing them, they effectively have access to that person’s accounts. From there, the hackers can change passwords and add security keys or two-factor authentication, and usually, they proceed to commit a crime. For some, that’s stealing money and credit cards linked to the accounts, while others scam new victims. They can also purchase new bank accounts via Telegram and use cryptocurrency for quick and easy transfers, which makes it easier for them to stay under the radar. Over time, they may keep the account to continue committing fraud or just return to the black market and sell it.

Meanwhile, the users whose accounts have been compromised can’t access them. They often lose years worth of posts and photos, and if they’ve connected their account to any payment methods, they could lose money too. And sometimes, it’s not entirely clear how Meta, Facebook’s parent company, could put a stop to this. Because when hackers do things like exploit weak passwords and hijack cookies, they’re doing it on the open web, outside the reach of a given platform’s security team.

“We’re aware of instances where people got locked out of their accounts in this way, often due to email compromise, off-platform phishing, or downloading malicious browser extensions. Our teams continue to take steps to help people recover their account access,” a Meta spokesperson told Vox.

Fake or stolen Facebook accounts used to be somewhat easy to spot. These fake profiles were typically drenched in spammy posts related to crypto and Cash App, and profile names were usually misspelled or wonky mashups of a few names. But things have gotten muddier over the years as hacking groups have gotten more sophisticated. They may get even worse now that Facebook is allowing users to create and manage multiple profiles without switching back and forth to log in. Though users must use their original name for the first account, they can use any name of their choosing for the others. On top of all this, with the arrival of paid verification options that let people buy blue check marks, it’s harder than ever to tell which accounts are genuine and which just want to appear so.

The black market for Facebook accounts, explained

It’s easy to get started in the hijacked account trade. In Vietnam, for instance, getting stolen cookies or session tokens is relatively inexpensive. Users can spend $80 for 1,000 US cookies or $70 for the same amount of European cookies. One Telegram channel on the digital black market offers 100 fake Facebook support email addresses for only $50, with a discount given to buyers in Vietnam, China, Indonesia, or Thailand. These fake Facebook support emails are designed to look like they’re coming from Facebook or Meta support — but they’re bogus and just one more way scammers are able to infiltrate more accounts. It also doesn’t seem like there’s much local authorities can do about it.

“Vietnam police have enforced and arrested a few but it’s still not enough,” Ngo explained. “Since there are so many, lots of them may just get a fine or a very light sentencing.”

To gain a deeper understanding of what drives Facebook account theft, Vox spoke with nearly 100 victims from at least 14 countries as well as Facebook page administrators about the trend. Analyzing clues, including phone numbers, ID cards, and business names, led us to a ring of hackers, largely made up of 20-somethings based in Vietnam.

These hacking groups have been bolstered by how easy it is to get paid verification check marks

Interestingly enough, these young hackers use stolen Facebook accounts to showcase their hacking wins on the platform. Many of these hackers even claim to work at Meta or for a Facebook support agency. Some are sloppy, though. One of the hackers, in particular, didn’t realize a photo of his ID card was still stored in the “hidden photos” section of a few victims’ accounts. A reverse image search led to a government database that revealed the hacker’s real name and place of residence in Cao Lãnh, a city in southern Vietnam.

These hacking groups have been bolstered by how easy it is to get paid verification check marks on platforms like Facebook, Instagram, and Twitter (now known as X). Hackers have also targeted accounts with blue or gold check marks, which Ngo says helps them appear legit when reaching out to secondary victims. Some hackers are also stealing everyday users’ accounts and then changing them to make it look like they belong to a celebrity. They can then opt to pay for a blue check if they wish. But hackers are especially keen to buy legacy checkmark accounts: profiles or pages that obtained a blue check due to their status as a public figure or verified business.

The Vietnamese hacker ring filling Facebook feeds with fake celebrities

Since the end of January, hackers — many of them hailing from Vietnam — have targeted users on Facebook and Instagram in a series of celebrity hacks that involve taking control of users’ accounts and changing profile pictures, names, and business page names to those of public figures. Victims have tried logging in only to discover that they’re locked out and their profiles were changed to those of celebrities, including Lily Collins, Jennifer Lopez, the late Paul Walker, and a handful of other household names.

Jane Lee, who worked at Facebook on the trust and safety team in 2020, told Vox she saw similar cases out of Southeast Asia during her time at the company. Hackers would run fraudulent ads on hacked accounts in order to sell “low-quality products” that were otherwise banned on Facebook. And when she heard that victims’ accounts were being used to create and run new ads, she immediately recognized the tactics. In this recent spate of account takeovers, the hackers went further, compromising email accounts, credit cards, business pages, and more.

“I think when you’re at the scale that Meta is at, fraud and spam — they don’t know any boundaries,” Lee said. “It’s just the type of abuse that happens in Vietnam.”

For Dale Berry, the owner and head teacher of Berry English, a preschool English academy in Japan, getting his Facebook account stolen led to him racking up thousands of dollars in ad fees when he was hacked in late February — and his school’s reputation was tarnished along the way. Berry, who is originally from London, has since regained access to his account, but ads have been disabled due to the fraudulent campaigns run by the hackers.

It’s not entirely clear how the Vietnamese hacking ring is stealing so many accounts. In the beginning, the hack seemed to progress mostly via malware found in fake ChatGPT downloads and ads for these bogus extensions right on Facebook. But more recent victims say they were simply scrolling when they found themselves suddenly locked out. In some cases, Instagram’s automated system reported back that they saw nothing wrong with the compromised accounts that were affected by these celebrity hacks.

In the absence of help from Meta, thousands of victims of account theft have come together in Facebook groups, on X, and in Reddit threads, where they share tips and information about the hacks. The groups are filled with concerned users, but they’re also filled with even more hackers hiding behind AI-generated photos and stock images. Facebook does not have a customer support line, so users seeking to report these issues must rely on the online help center or report the problem to a support email address, which they say has not been effective.

“I had memories and photos of soldiers who didn’t make it home”

“This is again why my beef is more with Facebook and Meta than with the hackers,” Erik Honoré, a sound engineer and the co-artistic director of the Punkt Festival in Kristiansand, Norway, said back in March. “Because these are challenges that are almost impossible to solve with a standardized web form but would be very easy to explain to a human.”

Reporting these hacks through the channels that exist can be rigorous and confusing. For instance, some victims end up reporting the real Facebook and Instagram accounts of the celebrities their old accounts are now impersonating. In addition to reaching out to Meta via multiple channels, many users have turned to lawmakers. Linda Thompson, one of the victims based in Glasgow, Scotland — who had two-factor authentication enabled when she was hacked — contacted her MP and provided screenshots — 28 pages worth that were then forwarded to Meta. Her account was restored about a month later, but she was hacked a second time shortly after. Others who had success say they contacted their local attorney general or the attorney general of California, where Meta is based. They also said they filed claims with the Federal Trade Commission (FTC) and even notified the FBI.

The situation has proved taxing for internet users like Amanda Clothier, an Oklahoma resident and military wife of 25 years. Clothier told Vox that her account was stolen on March 25 and that she had never violated Facebook’s community standards nor did she recall clicking on any unusual links.

“I documented as much as I could,” she said. “I had memories and photos of soldiers who didn’t make it home — and their Gold Star Families. All gone. It’s heartbreaking.”

How to take security into your own hands — as best you can

The trend of stealing Facebook accounts and making them look like they belong to celebrities has taken hold this year, but unfortunately, incidents like these aren’t new, nor are they unique to Meta. No tech company is immune to these types of exploits, in which hackers find multiple ways to break into and steal user accounts.

“It feels like an uphill battle that employees will never be able to solve,” said a former Meta contractor, who spoke to Vox on the condition of anonymity in late March. “We just clean up the mess … There’s so many that I don’t know if anyone would be able to actually get on top of it.”

The scale of these kinds of hacks is enormous. And because of that, companies like Meta have struggled to restore victims’ accounts and data after the fact. Some security experts say people should take things into their own hands by frequently backing up their data and performing safety checks to avoid getting hacked in the first place. That also means being aware of common online scams — everything from phishing emails to malicious links — and knowing how to avoid them.

“No matter what Facebook or Instagram or TikTok does, if your device or browser are compromised — it doesn’t matter what these companies do, you’re still going to continue to get compromised,” Lee said.

Protecting yourself online includes taking some simple steps, like always using strong passwords and setting up two-factor authentication on your devices. You should also avoid clicking on unknown links, regularly run a malware scanner on your devices, and use a password manager — especially considering that unique passwords can help prevent future incidents that are beyond tech companies’ control.

The answer to some of these problems could lie in the regulation of Big Tech

At the end of the day, you should accept some responsibility when it comes to maintaining good cyber hygiene, according to Adam Marrè, a former FBI cyber special agent and the chief information security officer at Arctic Wolf.

“The way technology works today, that’s not really something that the social media company can protect — those are things that the user should protect,” Marrè said. “They lock their door when they leave their house, they lock their car when they walk away … oftentimes, people don’t think about their online life in the same way.”

As some on Capitol Hill have pointed out, the answer to some of these problems could lie in the regulation of Big Tech. Most recently, Sens. Elizabeth Warren (D-MA) and Lindsey Graham (R-SC) introduced the Digital Consumer Protection Commission Act in July. The legislation’s primary goal is to create a new federal commission that oversees tech companies in the US, while also investigating and prosecuting any misconduct related to users’ personal data, privacy, and online activity.

While the US has the FCC for radio and TV and the FTC for consumer protection, a commission directly related to social media and Big Tech is currently nonexistent. But it’s something people in the US should think about, Marrè argues.

“These social media companies have a very powerful effect on our societies,” he said. “We need to be thinking about what our recourse is to make sure that they’re doing the right things across the whole spectrum. How they handle security, how they handle complaints, is also one of those things.”

Big Tech companies have become a huge part of people’s everyday lives, from how they bank to how they connect with loved ones. That means a certain amount of trust is being built between users and these platforms, including Meta. But trust dissolves when users feel they could very well be the next victim of account theft or other cyber schemes. Some may say it’s not worth it. Others say it’s time for an intervention.

For folks like Jessica Sems, the Facebook user from the Midwest who hasn’t been able to access her account for most of this year, being locked out means losing a huge part of her life online. It’s something she and other victims of these celebrity hacks may never get back.

Victims of these and other hacks can visit facebook.com/hacked or instagram.com/hacked to secure their accounts. If a user discovers their email address has been changed without their permission, they can reverse that change here. Users may also continue to report accounts and other suspicious activity at the Help Center.

   

Advertisements