Slashdot Mirror


Why Social Media Users Have Trouble Reclaiming Hijacked Accounts (siliconvalley.com)

After their Instagram accounts were hijacked, two different users say they contacted Instagram ten times -- and even proved their identity by submitting selfies -- but received no response.

And one Silicon Valley newspaper points out that if your account is hijacked at Instagram, Google, Facebook, or Twitter, "there's nobody to call... your options are limited to submitting an automated online form and hoping an actual human being gets back to you." In his book "Zucked: Waking Up to the Facebook Catastrophe," longtime Silicon Valley investor Roger McNamee criticized tech companies' approach to user service: "The customer service department is reserved for advertisers. Users are the product, at best, so there is no one for them to call." That's by design at most companies that offer free online services. In "I'm Feeling Lucky: The Confessions of Google Employee Number 59," a 2011 book by Douglas Edwards, he wrote that as Google was beginning to grow, co-founder Sergey Brin asked, "Why do we need to answer user email anyway?"

Problems have multiplied as the companies' user bases have skyrocketed. Instagram cited its scale (1 billion users, a spokeswoman pointed out) as one reason all user questions are routed first to an automated system. Facebook, Twitter and Google said they use a combination of humans and automation -- but mostly automation, and in Google's case, forums made up of other users -- to respond to users' concerns. A Google spokesman said the company focuses on making sure user accounts don't get hacked in the first place...

One woman discovered her Instagram account had been hijacked and was now posting pornography. "My grandma and cousins are going to block me..." she complained in a tweet, adding "Thanks for nothing!" And the article also cites another woman in California who says she lost access to more than 600 photos she'd posted on Instagram -- only half of which were backed up. Her response? She created a new Instagram account, this one with two-factor authentication, "and plans to change her password more often."

James Plouffe, a lead security architect at a Silicon Valley security software company, also suggests that if you ever do regain access to a hijacked account, "check the account recovery procedures to make sure they're yours, not your attacker's!"

10 of 64 comments

  1. I wonder what the law says on this by davidwr · · Score: 4, Interesting

    Would filing a police report for identity theft help?

    Would a letter from a lawyer demanding the account not be used by anyone else pending a resolution help?

    How about a court order?

    Granted, those are inconvenient and expensive, but the bad publicity of a few dozen cases of "I had to get a court order to get my account back" in a short period of time would be expensive for the social-media companies too. It might be enough to get them to streamline the procedures to regain control.

    For people in the USA and other countries with similar laws that would get YOU arrested for fraudulently trying to "take over" someone else's account by claiming you were the rightful owner, it shouldn't take more than a notarized copy of your driver's license, an affidavit saying the account is mine, and an affidavit saying you are who you say you are for the social media company to at least kick out the imposter. As far as you getting control of the account back, they might insist on some kind of video interview.

    For people who are in countries without a reasonably efficient legal system, and for people who - for good reasons or bad - deliberately lied about things like their birth dates when they created the account, well, it's going to be hard to prove you are the rightful owner.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:I wonder what the law says on this by Solandri · · Score: 4, Interesting

      it shouldn't take more than a notarized copy of your driver's license,

      Unless Facebook already has a notarized copy of your DL on file, or you somehow linked your FB account with real-life ID info which can be linked via authenticated services (e.g. state DL database) to that DL, how is FB supposed to know that the John Doe on your DL is the owner of the account, and not a John Doe on someone else's DL? If you did the typical thing and provided only the bare minimum of info needed to create a FB account, then it's impossible to "prove your identity" to FB. To prove your identity at a future date, you must have confirmed your identity at a previous date. Submitting proof of your ID after the fact is like trying to restore from a backup when you never made backups.

      I suppose people's reasoning is that since FB is learning and tracking all this stuff about their identity anyway, it would be relatively trivial for FB to confirm that the identity info they've collected on your account profile matches your identity, not the impostor's. But that opens up a huge liability issue. Since you allowed your account to be hacked, FB is not liable for the consequences. If they start handing back accounts to people who claim to have been hacked, and they screw up and actually take it away from the real owner and hand it over to an impostor, FB becomes liable for the consequences.

      The only real way to prevent this stuff while maintaining your anonymity is to create 2FA recovery tokens - unique cipher-texts which can be used to confirm that you were the person who used the account to create the cipher-texts. By creating those tokens at a previous date, you can provide them at a future date as proof that you're the account's real owner. I've done it for my Google and web hosting accounts (I assume FB has something similar; I wouldn't know since I don't use FB). For domains, I register the important ones for multiple years, and set reminders for myself to renew them before they expire (I deliberately picked my birthday as the renewal day, even if it meant I lost a half year of registration fees - a whole $6).
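
The pre-issued recovery codes described in the comment above can be sketched as follows. This is an added example, not code from the commenter or from any service named on the page; it assumes random single-use codes whose salted hashes are the only thing the service stores, and the names `issue_recovery_codes` and `redeem` are hypothetical.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 8  # assumption for this example: eight codes per account


def _digest(code: str, salt: bytes) -> bytes:
    # Normalise what the user types: ignore case, spaces and dashes.
    canonical = code.replace("-", "").replace(" ", "").lower().encode()
    # The codes are random (80 bits), so one salted HMAC is enough here;
    # a human-chosen secret would need a slow password hash instead.
    return hmac.new(salt, canonical, hashlib.sha256).digest()


def issue_recovery_codes(count: int = CODE_COUNT):
    """Return (codes shown once to the user, records the service stores)."""
    codes, records = [], []
    for _ in range(count):
        raw = secrets.token_hex(10)  # 20 hex characters
        code = "-".join(raw[i:i + 5] for i in range(0, 20, 5))
        salt = secrets.token_bytes(16)
        codes.append(code)
        # Only salt and hash are kept: a stolen table does not reveal codes.
        records.append({"salt": salt, "hash": _digest(code, salt), "used": False})
    return codes, records


def redeem(records, presented: str) -> bool:
    """Accept a presented code at most once.

    Every record is checked with a constant-time comparison and no early
    exit, so timing does not reveal which record matched.
    """
    matched = None
    for rec in records:
        ok = hmac.compare_digest(rec["hash"], _digest(presented, rec["salt"]))
        if ok and not rec["used"] and matched is None:
            matched = rec
    if matched is None:
        return False
    matched["used"] = True  # single use: a replayed code is rejected
    return True
```

Issuing a fresh set and replacing the stored records invalidates every earlier code, which is the step to take after regaining a hijacked account so that no recovery code generated by the attacker remains valid.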

    2. Re:I wonder what the law says on this by sjames · · Score: 2

      Keep in mind, for every method to take an account back, there is a corresponding method to fraudulently take over someone's account.

      It wouldn't be that hard to have a friend help you to take over a 3rd party's account.

  2. Customer Service reserved for CUSTOMERS by gurps_npc · · Score: 5, Insightful

    When you sign up for Social Media, you are NOT the customer, you are the product.

    Would you expect a steak company to have a customer service line for the cattle? No. Only the paying customers get customer service.

    If you willingly sign up to be the product, do not expect any service except a knife in the front. Not the back, the front.

    --
    excitingthingstodo.blogspot.com
    1. Re: Customer Service reserved for CUSTOMERS by spire3661 · · Score: 2

      You absolutely can operate an Android phone without a google account.

      --
      Good-bye
    2. Re:Customer Service reserved for CUSTOMERS by AmiMoJo · · Score: 2

      You are both the product and the customer. They need to keep you happy or you will leave, and then they can't sell your data to advertisers. Unlike cattle you have free will and a choice of social networks, or simply not using Facebook at all.

      Best not to over-simplify this if we want to fix it. Also customers have rights so better that we demand them.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  3. Or... by davidwr · · Score: 5, Informative

    ... someone stole the social media's unsalted password database without being caught and managed to crack my not-strong-enough password.

    Or ... I logged in from a new device in a semi-public place and someone shoulder-surfed and saw what I was typing.

    OK that last one isn't scalable but it could happen in places like schools. My guess is that it happens at least once a week for the lulz of it at a middle school somewhere in America.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  4. And she learned nothing... by Dutch Gun · · Score: 3, Funny

    And the article also cites another woman in California who says she lost access to more than 600 photos she'd posted on Instagram -- only half of which were backed up. Her response?

    Well, at least she's learned how important it is to regularly back up your...

    She created a new Instagram account, this one with two-factor authentication, "and plans to change her password more often."

    I... what? No... that's not... sigh...

    --
    Irony: Agile development has too much inertia to be abandoned now.
  5. Do not use cloud services ... by Qbertino · · Score: 2

    ... exclusively for anything mission-critical. That includes, of course, social networks.

    Do not and never use your real name unless doing a regular online business transaction with trusted companies or in scenarios where you present yourself publicly online as a professional of some sort in an environment you yourself have total control over - such as, for example, your own website.

    I've followed these rules for almost 3 decades and taught my daughter to do the exact same. There is no single online account I can't completely abandon or cut loose or migrate away from within a few hours without missing a beat. Anything else is bound to open up a world of pain if shit hits the fan.

    --
    We suffer more in our imagination than in reality. - Seneca
  6. The general Nobody’s Home problem by Applehu Akbar · · Score: 2

    It’s not just social media. So many online sites lack any meaningful way of being contacted if something goes wrong. A company hires developers to set up the site and establish a payments scheme and then seems to forget to hire any back office personnel to take care of customer service. At some point, this will take legislation to enforce standards of policy, an “Internet building code.”

    Look at the tales from people whose PayPal accounts have been frozen for reasons they have never been given a clue about. This is a site primarily devoted to handling money. It gets worse from there.