Slashdot Mirror


Why Social Media Users Have Trouble Reclaiming Hijacked Accounts (siliconvalley.com)

After their Instagram accounts were hijacked, two different users say they contacted Instagram ten times -- and even proved their identity by submitting selfies -- but received no response.

And one Silicon Valley newspaper points out that if your account is hijacked at Instagram, Google, Facebook, or Twitter, "there's nobody to call... your options are limited to submitting an automated online form and hoping an actual human being gets back to you." In his book "Zucked: Waking Up to the Facebook Catastrophe," longtime Silicon Valley investor Roger McNamee criticized tech companies' approach to user service: "The customer service department is reserved for advertisers. Users are the product, at best, so there is no one for them to call." That's by design at most companies that offer free online services. In "I'm Feeling Lucky: The Confessions of Google Employee Number 59," a 2011 book by Douglas Edwards, he wrote that as Google was beginning to grow, co-founder Sergey Brin asked, "Why do we need to answer user email anyway?"

Problems have multiplied as the companies' user bases have skyrocketed. Instagram cited its scale (1 billion users, a spokeswoman pointed out) as one reason all user questions are routed first to an automated system. Facebook, Twitter and Google said they use a combination of humans and automation -- but mostly automation, and in Google's case, forums made up of other users -- to respond to users' concerns. A Google spokesman said the company focuses on making sure user accounts don't get hacked in the first place...

One woman discovered her Instagram account had been hijacked and was now posting pornography. "My grandma and cousins are going to block me..." she complained in a tweet, adding "Thanks for nothing!" And the article also cites another woman in California who says she lost access to more than 600 photos she'd posted on Instagram -- only half of which were backed up. Her response? She created a new Instagram account, this one with two-factor authentication, "and plans to change her password more often."

James Plouffe, a lead security architect at a Silicon Valley security software company, also suggests that if you ever do regain access to a hijacked account, "check the account recovery procedures to make sure they're yours, not your attacker's!"

2 of 64 comments

  1. I wonder what the law says on this by davidwr · Score: 4, Interesting

    Would filing a police report for identity theft help?

    Would a letter from a lawyer demanding the account not be used by anyone else pending a resolution help?

    How about a court order?

    Granted, those are inconvenient and expensive, but the bad publicity of a few dozen cases of "I had to get a court order to get my account back" in a short period of time would be expensive for the social-media companies too. It might be enough to get them to streamline the procedures to regain control.

    For people in the USA and other countries with similar laws that would get YOU arrested for fraudulently trying to "take over" someone else's account by claiming you were the rightful owner, it shouldn't take more than a notarized copy of your driver's license, an affidavit saying the account is mine, and an affidavit saying you are who you say you are for the social media company to at least kick out the imposter. As far as you getting control of the account back, they might insist on some kind of video interview.

    For people who are in countries without a reasonably efficient legal system, and for people who - for good reasons or bad - deliberately lied about things like their birth dates when they created the account, well, it's going to be hard to prove you are the rightful owner.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:I wonder what the law says on this by Solandri · Score: 4, Interesting

      it shouldn't take more than a notarized copy of your driver's license,

      Unless Facebook already has a notarized copy of your DL on file, or you somehow linked your FB account with real-life ID info which can be linked via authenticated services (e.g. state DL database) to that DL, how is FB supposed to know that the John Doe on your DL is the owner of the account, and not a John Doe on someone else's DL? If you did the typical thing and provided only the bare minimum of info needed to create a FB account, then it's impossible to "prove your identity" to FB. To prove your identity at a future date, you must have confirmed your identity at a previous date. Submitting proof of your ID after the fact is like trying to restore from a backup when you never made backups.

      I suppose people's reasoning is that since FB is learning and tracking all this stuff about their identity anyway, it would be relatively trivial for FB to confirm that the identity info they've collected on your account profile matches your identity, not the impostor's. But that opens up a huge liability issue. Since you allowed your account to be hacked, FB is not liable for the consequences. If they start handing back accounts to people who claim to have been hacked, and they screw up and actually take it away from the real owner and hand it over to an impostor, FB becomes liable for the consequences.

      The only real way to prevent this stuff while maintaining your anonymity is to create 2FA recovery tokens - unique cipher-texts which can be used to confirm that you were the person who used the account to create the cipher-texts. By creating those tokens at a previous date, you can provide them at a future date as proof that you're the account's real owner. I've done it for my Google and web hosting accounts (I assume FB has something similar; I wouldn't know since I don't use FB). For domains, I register the important ones for multiple years, and set reminders for myself to renew them before they expire (I deliberately picked my birthday as the renewal day, even if it meant I lost a half year of registration fees - a whole $6).
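
Added example, not part of the thread and not any provider's actual implementation: a minimal Python sketch of the pre-enrolled recovery token idea described in the comment above, where one-time codes are issued while the owner still controls the account and only salted digests are kept server-side. The function names, record layout and code format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def _digest(salt: bytes, code: str) -> bytes:
    # Codes are 64 random bits, so a salted SHA-256 is enough here;
    # a slow KDF is for low-entropy secrets such as passwords.
    return hashlib.sha256(salt + code.encode("ascii", "ignore")).digest()


def issue_recovery_codes(count: int = 10):
    """Enrollment step, run while the owner is logged in.

    Returns (codes, records): codes are shown to the user once,
    records are what the service stores. Calling this again and
    replacing the stored records invalidates every older code, which
    is the step to take after regaining a hijacked account.
    """
    codes, records = [], []
    for _ in range(count):
        code = secrets.token_hex(8)
        salt = secrets.token_bytes(16)
        codes.append(code)
        records.append({"salt": salt, "digest": _digest(salt, code), "used": False})
    return codes, records


def redeem(records, presented: str) -> bool:
    """Recovery step: accept a code only if it matches an unused record."""
    candidate = presented.strip().lower().replace("-", "").replace(" ", "")
    accepted = False
    for rec in records:  # check every record so timing does not reveal position
        match = hmac.compare_digest(rec["digest"], _digest(rec["salt"], candidate))
        if match and not rec["used"]:
            rec["used"] = True  # single use: a replayed code is rejected
            accepted = True
    return accepted


if __name__ == "__main__":
    codes, records = issue_recovery_codes(3)   # constructed sample enrollment
    print(redeem(records, codes[0]))           # first use
    print(redeem(records, codes[0]))           # replay of the same code
    _, fresh = issue_recovery_codes(3)         # owner rotates codes
    print(redeem(fresh, codes[1]))             # old code against new set
```
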