Mr Zuckerberg, I’ve been expecting you

Dear Facebook

Graham Brown-Martin
Published in Friction Burns
May 23, 2020


Are you following the ISIS Flag Hack?

(Please note: there are updates below — last update posted 17th August 2020)

Every day more Facebook & Instagram users are finding themselves locked out of their accounts by a security breach that takes just 15 minutes to perform — here’s how:

On May 14th 20:20 (BST) I received an email from security@facebookmail.com advising me:

Hi Graham,

We received a request to reset your Facebook password.
Enter the following password reset code:

XXXXX

Didn’t request this change?
If you didn’t request a new password, let us know.

So I let you know.

On May 14th 20:25 (BST) I received another email from security@facebookmail.com advising me:

Hi Graham,

We’ve noticed an unusual login from a device or location you don’t usually use. Was this you?

14 May 2020 at 20:24
Near Bromley, United Kingdom
Chrome on Windows

It wasn’t me. I live within 10 miles of Bromley. I don’t own a Windows computer.

On May 14th 20:41 (BST) a family member messaged me to ask why I’d changed my Facebook profile picture to an ISIS flag.

Facebook ISIS Flag Hack
10 years’ worth of Facebook and Instagram destroyed in 15 minutes

On May 14th 20:45 (BST) I went to investigate my Facebook account to find it had been disabled and that I had been locked out.

Your account has been disabled

You can’t use Facebook because your account, or activity on it, didn’t follow our Community Standards. We have already reviewed this decision and it can’t be reversed. To learn more about the reasons why we disable accounts visit Community Standards.

Realising my account had been compromised I visited facebook.com/hacked

Report compromised account

If you believe your account has been compromised by another person or a virus, please click the “My account is compromised” button below. We’ll help you log back into your account so that you can regain control.

I entered my phone number. You recognised it was me. I entered my old password. You went back to:

Your account has been disabled

I’m in a loop that you have made.

Simultaneously you locked me out of Instagram.

Without a Facebook account there is no way of messaging you since you don’t answer your emails. You don’t acknowledge my messages on Twitter. Even your senior policy and digital safety staff who, over many years, have connected to me on LinkedIn refuse to respond to my enquiries. Creating a new Facebook account would infringe your terms and conditions.

This is Facebook as Kafka.

Over the last few years I haven’t used my personal Facebook account that often; however, I did create a number of pages for my book and professional activities where I had built communities of over 50,000 followers. Over the years I have spent around £1000 on advertising with you. I realise that this is nothing compared to the numerous disinformation farms that pollute the public discourse using your platform, but it means something to me.

During this global pandemic where I’m advised to stay at home I had been enjoying using Instagram to see my friends and family around the world. Simple pleasures I know.

It’s impressive how you’ve shaped the world and the way we share news and stories. Where once we might have phoned each other or sent a card now we announce even the most important news by posting to you in confidence that you will tell those closest to us. After all, “Facebook helps you connect and share with the people in your life”. So when news of my Brother-in-Law’s passing was shared in our family group on Facebook I was the last to know by a couple of days.

I have no idea how somebody that wasn’t me gained control of my Facebook account. I haven’t been phished and the password on my account was unique to that account. To my knowledge nothing else has been compromised, although I have since received password request alerts from Netflix and Lyft that weren’t me. I don’t even have a Lyft account.

This is certainly a mystery, although it’s unlikely to be the act of a radical terrorist group; rather, it is the mischief of someone who knows that an ISIS flag posted as a profile picture on Facebook would trigger this particular algorithm of yours. We’ve both been played.

A cursory search on the internet and Twitter reveals that, from Cork to Colorado, a growing number of your users have been victimised in exactly the same way. All are having the same problem bringing this vandalism of your platform to your attention.

It appears that the number of those affected is increasing as is the speed of the hack. This suggests that whoever is responsible for this ingenious exploit is now scripting or automating it. If they release that into the open they could bring your platform to its knees. Furthermore, in the event of an en-masse protest against Facebook for those wishing to leave your platform in a hurry all they need to do is post an ISIS flag as their profile picture and then wait 15 minutes.

Don’t say you weren’t warned.

Update 20th July 2020

Since posting this article I have received hundreds of emails asking for help from Facebook users who have had the exact same experience. Regrettably, apart from offering sympathy, there is nothing that I can do nor do I have any influence over Facebook.

So the good news (kinda) is that your accounts have not been deleted despite the messages you may have received when attempting to report your hacked pages. A few weeks after posting this article my Facebook and Instagram accounts were restored to their pre-hacked state. I received an automated email from Facebook security telling me that someone may have accessed my account, with a link to, “Secure your account now”. So I clicked it, answered a few questions and then, voilà, my accounts were back.

The bad news (still) is that you need to get a human at Facebook to look into your case. It seems that nearly all of the public email addresses for Facebook are automated and run by bots. This doesn’t explain why their social media team, for example, haven’t noticed that a lot of people are having this problem unless they simply never read their @Facebook messages via Twitter. My advice would be to keep messaging on the basis that something has to give. I would also try to contact their media and PR teams (press@fb.com). You might also try some of the professional network platforms such as LinkedIn to see if you can connect to someone of influence at Facebook.

You’re understandably frustrated but keep your correspondence polite and courteous — remember you’re trying to contact a human who will pick up your case and it’s easy to delete a rude or angry email.

So what have I learned about this hack? (important that you read this)

I’ve spent a bit of time analysing this hack on my account as well as the attacks on others that contacted me (again, sorry but I can’t help you). This is what I’ve discovered:

When I got my account back I visited the Ad Center for my professional page and checked the payment and account details. There were 3 unauthorised people with admin privileges over my account. All of them had Vietnamese names. I noticed that the account name had changed, where “500$ hết hạn” had been appended to the name. I ran that through a translator that told me that it was Vietnamese and means “$500 expired”. This makes sense given that I hadn’t used the account for a couple of years and it had an expired card on record. I’m assuming that this was the hackers’ way of labelling the account as useless for money, and that posting an ISIS flag as my profile picture is their way of hiding their tracks by triggering a Facebook algorithm to “delete” the account.

That the hackers are taking the time to label the account as expired suggests that they are running automated scripts and performing these hacks at scale rather than one at a time. It also tells us that they are targeting Facebook profiles that have advertising accounts and therefore payment details on record. It’s unlikely that they’re finding Facebook profiles randomly so this too suggests that they are running scripts to find likely profiles to hack, otherwise it’s just too time consuming.

So why did they pick my Facebook profile or yours for that matter?

Now here’s the controversial bit but I’d lay pretty good odds that I’m right.

They had taken control of the email address that I use for Facebook.

In my case, and all of the cases that have been brought to me, the ISIS flag posting that closes your account was preceded by an email telling me:

We received a request to reset your Facebook password.
Enter the following password reset code:

XXXXX

Where XXXXX is a number that allows entry into my Facebook profile. Ten minutes later your profile is disabled.

The only way that could have happened so fast is if I wasn’t the only person receiving that email and I wasn’t expecting it anyway because I hadn’t requested it. Unless I protect my email with 2FA all a hacker needs to read my email is a password. I wouldn’t know they were there because I’m receiving emails as normal.

In the hours following the hack on my Facebook profile I also received password resets from Netflix and a few other services which I know were false as I use a different email address for all of those services. I tested this theory by heading to Netflix and requesting a password reset using this same email address rather than my actual account address. Regardless of me not having an account under that email address Netflix sends me an email anyway to reset my non-existent password in the hopes that I will subscribe. This is opportunistic on the part of the hacker. If there had been an active Netflix account using that email address the hacker could sell access to it without me knowing. Netflix allows several people to stream under one account for families etc. It’s quite possible for an unauthorised person to stream and I might only know if we hit the number of users streaming limit.

Google around for long enough, or visit the dark web, and you’ll find dealers who will sell you a bundle of Netflix accounts on the cheap. This is how they do it.

All of this just confirms that someone had access to my email, and as soon as I changed the password to that address it all stopped, apart from an increased amount of spam and phishing emails. Again, there is a trade in selling working email addresses in bulk for all those people who email you to tell you that you’ve inherited $10 million, all you need to do is send them your bank details. The key thing to remember here is that this is all performed at scale: hundreds of thousands or perhaps millions of addresses with passwords are traded over the dark web. It’s not personal, it’s just business.

But how was my email hacked?

There are so many ways to do this that I can’t list them all here. Suffice to say that it’s far easier than hacking Facebook head-on. A common way of getting access to your email is through data breaches on less secure services where vast numbers of email addresses and their passwords are stolen. These hauls are then traded on the dark web. Perhaps 90% of these email address and password combinations are of no value because the owners changed their passwords or had a unique password for everything they subscribe to, but that leaves the other 10%. At this rate, for every 10 million addresses, 1 million could be exploited. This is why I believe that it’s done at scale and there are any number of ingenious scripts written by mischievous hackers coded to automate the process.

If you want to find out if your email address has been part of a data breach and is being traded (AKA pwned) then go to the “Have I been pwned” search engine to find out. Another way to get access to your passwords is via a phishing email, where you receive an official-looking email that invites you to click on something to update your account. You may even go to a website that looks almost identical to the real site that you think it is. But it’s not, it’s just there to grab your password or other account details without you knowing. These attacks used to be easy to spot but they are getting more sophisticated and you will get fooled one day.

So the moral of this story is: change your passwords regularly, use 2 Factor Authentication (2FA) whenever you can, and use unique, strong passwords for everything you subscribe to.
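The “Have I been pwned” site also runs a Pwned Passwords lookup, and how a client uses it is worth seeing because the point of the password advice above is reuse: the same password leaking from one breach is what makes credential stuffing at scale work. The script below is an added example written for this page; it is not code from Facebook, from Have I been pwned, or from the author. It implements the k-anonymity lookup the live range API uses (SHA-1 the password, send only the first five hex characters, match the remaining 35 locally) against a constructed, offline stand-in for the API response. The breach counts in it are invented for the demo, and `fetch_range_online` shows the real endpoint shape but is not called.

```python
import hashlib
from typing import Callable, Dict, List

# Shape of the real HIBP Pwned Passwords range endpoint (k-anonymity API).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple:
    """k-anonymity split: only the 5-char prefix ever leaves the machine."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padding entries (Add-Padding) carry COUNT 0."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus; 0 means not seen."""
    prefix, suffix = split_hash(password)
    return parse_range_body(fetch(prefix)).get(suffix, 0)


def fetch_range_online(prefix: str) -> str:
    """Live lookup (not called in the offline demo). Add-Padding masks response size."""
    import urllib.request
    req = urllib.request.Request(
        PWNED_RANGE_URL.format(prefix=prefix),
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# ---- Constructed offline stand-in for the API (not real HIBP data) ----
# The counts are invented for this demo. The suffixes are computed from real
# SHA-1 digests so the client path is exercised exactly as against the live API.
_CONSTRUCTED_COUNTS = {
    "password": 3_861_493,  # invented count for a famously weak password
    "Tr0ub4dor&3": 0,       # present only as a padding-style 0 entry
}
_CONSTRUCTED_RANGES: Dict[str, List[str]] = {}
for _pw, _count in _CONSTRUCTED_COUNTS.items():
    _p, _s = split_hash(_pw)
    _CONSTRUCTED_RANGES.setdefault(_p, []).append(f"{_s}:{_count}")
# A second, unrelated suffix under the same prefix as "password": the client
# must match all 35 suffix characters, not just the shared prefix.
_CONSTRUCTED_RANGES[split_hash("password")[0]].append("0" * 35 + ":17")


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for fetch_range_online backed by the constructed data above."""
    return "\r\n".join(_CONSTRUCTED_RANGES.get(prefix.upper(), []))


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", "a genuinely unique passphrase 9x!"):
        n = breach_count(pw, fetch_range_offline)
        print(f"{pw!r}: {f'seen {n} times' if n else 'not found'}")
```

Run as is it uses the constructed data; pass `fetch_range_online` to `breach_count` to query the live service, which only ever sees the five-character prefix and so cannot learn the password. A result of 0 covers both “not in the corpus” and “padding entry”, which is the right outcome in both cases: the password was not seen in a breach.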

Once more, sorry that I can’t help you with Facebook and I wish you good luck.

Update 14th August 2020 — Hacked Again!

Well, I wasn’t expecting this.

After the last hack on my Facebook account, described above, I totally locked everything down and 2FA’d everything, changed passwords, you name it I locked it, bolted it and thought I had made it as secure as was possible.

Of course, I realise that Facebook isn’t immune or impenetrable to being hacked nor do I think that our accounts there are ever truly secure. Only a few weeks ago some really big names from Barack Obama to Elon Musk were hacked on Twitter but I’m not a big name so can’t imagine why I would be targeted in this way. If you really want to get into someone else's account there is always someone who can do it for you, just Google it.

At 13:20 on Aug 14th I received an email from security@facebookmail.com with a now familiar subject heading, “Someone may have accessed your account”. The contents of the email went:

Hi Graham,

It looks like someone may have accessed your Facebook account. To secure your account, you’ll need to answer a few questions and change your password the next time you go to Facebook.

For your protection, no one can see you on Facebook until you secure your account.

Thanks,

The Facebook Security Team

With a button/link labelled, “Secure Your Account Now”.

After taking the precaution of making sure that the link was really a Facebook link, as I’m constantly vigilant for phishing attempts, I clicked away to secure my account.

I arrived at Facebook with my account disabled and the familiar prompts to make sure I was a human, to provide a new password (that I let my Mac create) then check through recent friend additions (there had been just a few in past weeks) and then check things that I or the perpetrator of this hack might have posted.

I think this is where I might have made a mistake (or maybe not). I wrongly assumed that this was a formality so I didn’t really check what had been posted thoroughly, so I skipped — after all it has an option that says, “skip”. I was also keen to know what had happened this time. It then asked me to upload a proof of identity (I used my driver’s licence) and then boom! Facebook thanked me by informing me that my account had been disabled for breaching “Community Standards”.

What. The. F%ck?

Facebook offered me the opportunity to, “Request a Review”, with the caveat that I might not actually get one because, “we are unable to review all requests”.

So here we are again. Facebook as Kafka.

Oh yeah, they took away my Instagram as well.

So what now? Do I hope that again some kindly human at Facebook will come to my rescue and restore my accounts? After all, this time it only said that my account had been disabled rather than deleted. Yet this distinction means nothing if the result is the same, i.e. no more Facebook and Instagram.

If I’m honest, I’m beyond caring now. I haven’t been a big user of Facebook during the past few years and I’m not an “Instagram Influencer”. I only started using them again because I was bored and lonely during the lockdown and it was nice to see what friends around the world were doing. Naive, I know, and perhaps old-fashioned because I wasn’t on there spreading hate. Perhaps this is what was meant by my alleged “Community Standards” fail. Perhaps now the standard is to immediately begin flooding your timeline with bile.

Who knows?

But here’s some paranoia to leave you with.

When I and others were hacked with the ISIS flag, Facebook told us that our accounts had been deleted. A few years back, bored with Facebook and outraged about its complacency on privacy and hate speech, I wanted to delete my accounts. I had assumed that if you asked Facebook to delete your accounts and your data that they would. And yet when my account was reported as deleted after the last hack they were, thankfully at the time, able to restore my accounts as if nothing had happened. This raises some concerns around privacy and just how much personal data you’re giving this corporation even after you’ve left the hive.

In recent months I have been researching, monitoring and observing AI-powered “bot swarms” on social media platforms. These bots appear as profiles on Facebook, Twitter, Instagram and, more recently, LinkedIn often with profile pictures that look convincing but are computer generated. At first glance these bots behave as if they were people; they follow, they like, they retweet or repost, they make comments, they will even chat with you. More importantly they are directed to amplify certain messages or beliefs.

The impact of these bots on, for example, democracy could be catastrophic. Indeed, some would argue that it has been.

I only mention this here because last week, in advance of publishing an article with my findings on this issue, I teased some of the above across my social media accounts. A couple of days later I was frozen out of Facebook and Instagram.

I’m sure there’s a better explanation but things are definitely getting weird.

If anything else happens on the Facebook front I will post an update here.


Strategic Insight & Leadership Coaching : Society, Innovation & Education http://grahambrownmartin.com