Diplomacy 1, Hacker 0… Part II

In my previous blog post, I began to tell the March 2023 story of how a hacker took over my Facebook account. If you missed it, I recommend reading Part I at the link before reading Part II. At the end of Part I, I’d left my tale of woe on a cliffhanger after reaching out to the hacker who had gained access to my Facebook account and locked me out.

The hacker had changed the phone number associated with my account before the primary email address. So I’d been notified via email of his real phone number. It had a Nigerian country code, and I’d found the number active on WhatsApp. The location data Facebook had sent me associated with the new primary phone number for my account indicated the hacker was in Southern California using an iPhone 6S. I wasn’t sure if he was actually in California or perhaps in Nigeria using a VPN to obfuscate his location. I was inclined to think the latter, given his iPhone was about eight generations behind. But at that point, it didn’t really matter in practical terms. He was in and I was out. I had fallen for a dumb scam thinking I was talking to a friend I’d known since 1999 when in fact, it was a total stranger.

Weighing the risk he might try and extort or blackmail me against the fact Facebook had locked down my account and he couldn’t see my personal info anyway, I decided to see what would happen if I contacted him directly.

Hackers are used to hiding in the shadows. They intimidate and frighten you from behind a screen. They have no trouble getting into your business, but probably don’t expect you to respond. This hacker probably didn’t realize he was dealing with someone who likes to disrupt the status quo. I realized that for the hacker, though, the hack was not personal. Stealing my account was just the means to an end.



But for the hacked, it can feel incredibly personal. Someone peering uninvited through hundreds of photo albums. Unfettered access to almost 16 years of memories, conversations, and history. And in a practical sense, reputational damage: they can say whatever they want and people will think it’s you, losing your mind! Plus, a loss of ability to contact people I had no other way to reach.

My social media and the connections I had there were mine. I was infuriated and determined to get my account back as soon as I could.

I expected a couple of possible outcomes when I reached out to him.

One, he could ignore me, and then block me without responding. This has happened to me when friends’ accounts have been taken over and I’ve reached out by Messenger to politely ask if the hacker would consider giving them their account back so they could retrieve their photos and memories. No response, then unfriended and blocked. Ouch.

Two, he could respond with profanity, aggression, or demands for money. If that happened, I was going to be hosed. No way was I going down the slippery slope of sending this clown money. But I wasn’t afraid to message him either. (And I did assume it was a him, somehow.) My account had been locked down almost immediately after the hack. He’d probably barely had a chance to dig through my stuff at all.

I was curious on a human level to see what his deal was. If his modus operandi was getting access to people’s accounts in order to impersonate them to their friends and ask for cash and account recovery codes – as he’d done to me through my college friend’s account – my frozen account wasn’t going to be much use to him.

I’ve decided to actually share our real WhatsApp thread in Part II of this post. I started typing it out before because part of me didn’t want screenshots of my chat with the hacker to add to the not-unlimited media library hosting capacity of this site. Then I got over my reticence because (a) this content is as valid and interesting as any other, even though it continues to piss me off, and (b) I think the authenticity of seeing the actual chats vs. an edited, typed-out summary of our conversation adds more interest for the reader. You be the judge. Plus, it’s faster for me.

With that said, I have concealed his phone number and a few other details because I don’t actually have any intent to publicly identify, libel, or harm this person. (More on that later.)

At the end of the day, as you will see, despite the stress this person caused and the lack of accountability he took, he also took some corrective action that he didn’t have to bother with and which greatly helped me – eventually, spoiler alert – restore my account. The bulk of the credit for getting my account back goes to me, of course, not to him. But it would have been much harder for me without his help.


Read each photo as a set of two columns, L top to bottom, R top to bottom.


As I said in my prior post, right off the bat the hacker pretended to be… not the hacker. His game of posing as another victim of the hacker, a “man of God,” and a chivalrous male who is good with computer problems were all useful data points for me as I posed as a frustrated (but not desperate) female trying to fix my account. He paused for two minutes after I shamed him with God “seeing all,” as you can see above.

His next offer was to send me the new password. Bingo. By insinuating religious values were something we had in common, I had potentially found a joint interest, and his currency.





He was willing to give me the username and password he had just set up on my account. But unfortunately, there was also two-factor authentication (2FA) set up to his phone and it appeared to be on a 30-second expiry. He would send me the code very quickly. But whether there was a delay in the double-relayed transmittal or something else, I wasn’t able to act fast enough to get in.

All of this, of course, poked a major hole in his contention that he wasn’t the hacker. I left that alone because there was no point in antagonizing him as long as he was willingly cooperating with me. We were working together towards a common purpose. I wasn’t sure what he was getting out of it, other than a power trip. In the back of my mind, I was wondering what concessions he might ask me to make.

There was an uncomfortable feeling of waiting for the second shoe to drop. Was he just messing with me? It did seem like he was truly trying to help. He could have lied about the password, but he didn’t. He could have blown me off on the 2FA, yet he didn’t.

I can’t believe you’re talking to him, my mom said to me the next morning when I staggered out and shared the turn my night had taken.

I’d tell him to go eff himself, one of my friends texted me.

That’s not very diplomatic, I replied. It would feel good for a minute, but where would I be then? I have to play the game to get what I want. More importantly, in diplomacy, sometimes continuing to talk in the absence of any agreement or easy common ground is all you have. I am much more hesitant than the average person to completely close the door on communication. This is what we do. Even when it gets very, very difficult. Much more difficult (with much higher stakes) than this.

I texted my husband to post on Facebook right away and tag me so people would know my account was hacked and not to respond to anything from me there. I took steps to secure my Instagram, LinkedIn, and Twitter accounts, and made similar announcements there.

In parallel, I kept undergoing Facebook’s account recovery process for reassociating my own data with my account. But the hacker, or one of his associates, would remove my email address and phone number more quickly than I could solidify my own access. How were they doing that if my account was locked?

There was also a process for confirming your identity by submitting a scan of your state or federal-issue ID. I used my passport. But that too seemed to lead me in loops. I was going in a never-ending circle without progressing past the identity verification stage and couldn’t seem to make any headway. Then Facebook put a 24-hour moratorium on my attempts.



I tried so many times to get back into my account, I just had to cool it, which was surprisingly agonizing. The hacker assured me that he would not change the password on me in the meantime. Surprisingly, he didn’t. (Couldn’t?)

I continued through my forced digital detox, teleworking, spending time with family, and meeting up with different friends after work each day. I ranted about the hack, but I also tried to take it in stride. The real thing that was upsetting me was the fear I wouldn’t get it back, and some relationships would be severed for good.

My husband had to contact some of my old friends on my behalf and have them call my mom’s house or my cell because I was supposed to meet them, but didn’t have any way to contact them once I was locked out of Facebook Messenger. It was all supremely irritating.

My husband was worried about my communication with the hacker, and asked for assurances that I wasn’t being extorted. Only for friendship, in a vaguely creepy way, I told him. I don’t like it, he said. Don’t worry, I’ve got it, I told him.

Slowly, within a couple days, I finally managed to get far enough, fast enough, to take my account back over.



The beginning of me slowly backing away…

I continued being friendly and polite to the hacker, astonished he had not demanded money while he’d had leverage over me. My plan was to back slowly away and eventually block him on WhatsApp once I was more certain he had forgotten my real name and contact details. That didn’t end up working as easily as I thought it might, because he kept reaching out. I kept him at a distance, kind but not kind enough to encourage. Distant but not distant enough to anger.




I could not explain why, when he had information I wanted – the username, password, and 2FA code for my Facebook account – he didn’t ask me for money then. It would almost suggest he was not really the hacker. But none of the rest of the story makes sense otherwise. He had to have been the hacker.

I could only assume on some level, he felt badly about what he did. Maybe the benefit of helping me or feeling redeemed for helping someone eventually outweighed the benefit he got out of successfully hacking my account. For a long time, I couldn’t really find any other explanation for the way this was resolved.


Postscript

~My friend

When I got my account back, I looked for my friend from college – the one who the hacker had posed as that originally started all of this. Her account was totally gone. I went to our Messenger thread, which went back to the late 2000s. My side of our chats was there, but not hers. I felt deflated. This hacker really had destroyed years of my communication with her. I sent her a DM on Instagram to see if she was OK.

It took several months, but eventually I did hear back from her. She had been off the wagon, as I’d feared, but is now in sober living and recovery. To this day, she never has gotten her Facebook account back, including the memories she had with her deceased husband. She made a new account and we became friends there.

~Good reminders

Human behavior is complex. Good people can do bad things.

People in general lack empathy for things they can’t relate to.

Things that feel personal sometimes aren’t.

It’s possible to fall into a trap even when you generally feel like a smart person.

When somebody wants you to do something quickly, slow down and ask yourself why.

Care and concern for someone else can blind you to red flags you’d otherwise see.

It doesn’t hurt to ask for what you want; all the other person can say is no.

If someone hiding behind a screen isn’t intimidated by you, why be intimidated by them?

Put phone numbers in your phone.

Sometimes it’s good to be off socials for a few days.

Social media companies don’t care about you as a “customer.”

~Disclaimer

I want to be clear that I’m not necessarily recommending people go out and negotiate with people who have hacked them on social media. In some cases, I could see how this could escalate a conflict or open up more avenues of victimization.

Hackers generally cause real damage to the global financial order. Sometimes hackers are very bad individual or state actors. And no matter who they are, it isn’t likely you know them, or can predict what they’re capable of. They are strangers. And talking to strangers, albeit inadvertently, is what started my particular mess to begin with.

When you get hacked, you’re vulnerable. You look around for guidance. You might see checklists of things to do, like ‘notify the platform,’ ‘notify your followers,’ ‘change all your other passwords,’ etc. You probably won’t see things like ‘Hunt down the hacker and relentlessly text them,’ or worse, ‘Send money to a third party who promises to help.’ (That latter thing I didn’t do, obvi.) But I trusted myself as a reasonably intelligent individual to do the correct thing for my situation, and it worked out.

I knew that despite my anger, I could approach our conversation in a neutral (or, at least, calculated enough) way to give negotiation a chance. And if that had gone sideways, then I would have blocked him and struck out on my own.

As it turned out, I used to work closely with someone at Peace Corps HQ who now works for Meta policy development and who could have assisted in restoring my account. I didn’t learn about that until he saw a post I made on LinkedIn after the fact and reached out to me. But it was good to know I wouldn’t have been completely out of luck if the hacker hadn’t cooperated.

~The hacker’s identity, discovered

And there’s something the hacker didn’t know either, when he hacked this stranger. I am very good at finding out a goldmine of information when I need to.

For almost a year, he had a throwaway set of initials and no photo on his WhatsApp profile. I had my real name and photo, because, I am who I am. Eventually, he made a mistake, and I found out his real identity. This led me to his real TikTok, X (formerly Twitter), and Instagram accounts.

I saw his family members, his friends, the inside of his house. I heard his voice. I even saw the phone he probably hacked me from. Probably the most surprising thing of all: he appeared to be only 14 or 15 years old. I took some screenshots, blocked him on WhatsApp, and deleted our thread at last (one year to the day after restoring my Facebook).

I probably won’t do anything with the information because, as I said, I don’t actually want to harm him. I’m sure he has his own worries in life. Concerningly, I did not see his mum, who he’d mentioned was sick, in any of his posts. I wish him the best and that he will use his talents more productively – perhaps helping hack victims recover their social media accounts for pay, rather than hardening into a cynical and uncaring adult who will continue manipulating people for his own entertainment and gains. At the very least, I hope the discomfort of being confronted about what he did, even if he only owned up to it by way of restitution, will serve as a cautionary deterrent in the future. One can hope.
