‘What’s going on with your Instagram account?’ reads a text from a friend that I clock just before jumping out of bed and shooting off to Saturday morning yoga.
Blurry-eyed, I open the app to find my usual feed of holiday spam and dog memes has been replaced with a notice:
‘We suspended your account… there are 30 days remaining to disagree with this decision.’
Dumbfounded, I dig a little deeper to understand why this has happened and learn that the problem lies with my linked Facebook account. An email from Meta sent at 5.08am warns me: ‘someone may have accessed your account’, followed by a second at 5.09am stating that my Facebook has been suspended because my page – or ‘activity on it’ – ‘doesn’t follow our Community Standards’.
It immediately became clear – I’d been hacked. And if the emails weren’t proof enough, I’m able to get into my Facebook account and review the four posts that had been published on without my knowledge. Lo and behold, they’re what seem to be terrorist propaganda imagery, going against Facebook’s standards on ‘dangerous individuals and organisations’. They’d even tried to purchase over £1,000 worth of Facebook advertising to boost the visibility of the posts. Thankfully, I didn’t have a credit card attached to my account.
I submit my appeal to disagree with Facebook’s decision and am met with the following message:
‘Check back here for the result: your account is not visible to people on Facebook and you can’t use it.
‘It usually takes us just over a day to review your information, but we have a lot of reviews right now, so it may take longer. If we find your account does follow our Community Standards, you’ll be able to use Facebook again. If we find your account doesn’t follow our Community Standards, it will be permanently disabled and you won’t be able to disagree again.’
As one of the biggest and most powerful technology companies in the world – it might be expected Facebook would be savvy enough to detect that these malicious posts were not published by me but were, in fact, the work of a hacker. For one, the IP address on the posts would have a different location to me, not to mention their nature being very out of character. I’ve been a Facebook member for almost 18 years and during that time only ever posted innocent material (if you can call drunken university nights out that).
However, 24 hours passed and I heard nothing from Meta. A week later, then two; I’m still locked out of Facebook and Instagram.
How the account suspension process on Facebook works:
When a Facebook member posts something that goes against the social network’s community standards, Meta will flag the post(s) in question as potentially harmful and temporarily shut down their account, rendering it unusable and invisible to the outside world.
If the user thinks their account has been suspended by mistake (or, in my case, hacked), they have 30 days to appeal Facebook’s decision before it is permanently deleted. In doing so, users have to provide a photo of identification in the form of a national ID and give a statement declaring why their account should be spared permanent deletion.
It didn’t take long to discover I wasn’t the only one experiencing this. In fact – by the looks of what I’d found on Reddit and the like – it seems to be happening on a huge scale.
Hordes of people around the world are appealing the suspension of their Facebook or Instagram accounts following a hack, and for many, 30 days are passing without hearing a thing from Meta before their accounts are deleted for good – a phenomenon some are referring to as being in ‘Zucker jail’.
Sure, it’s easy enough just to make another Facebook account and start again but, for a lot of people, the most harrowing part is that their accounts have amassed comments, photos and videos over the years that are special, nostalgic and irreplaceable. Some have even lost successful Facebook business pages.
Countless users across the world are in utter dismay over losing content they treasure, such as tagged posts or photo dumps from times gone, or – worse still – interactions with deceased family members or friends that they didn’t have backed up and will never see again.
Something Shannon Evans, 28 from Wicklow, Ireland, knows all too well.
Desperate to retrieve the memories of her late father from her Facebook account following a hack and account suspension, she went as far as paying Meta a visit in person – a last-ditch attempt to get back what she’d lost before the 30-day appeal window was up.
‘I drove to their headquarters in Dublin and told them my story and actually begged them to help me,’ she tells Metro.co.uk.
‘All they did was tell me to go through the Facebook help centre. I explained I had already done everything their help centre told me to do.’
Shannon describes the experience of losing her Facebook account as ‘absolutely devastating’.
‘It will be a year on March 23 that my father passed away. I moved over to the UK from Ireland last year to care for him. I also planned a wedding within just two weeks so he could be there. He made it to my vows, thankfully but sadly, he passed six days later.
‘He was nonverbal due to the type of cancer he had and it was through Facebook Messenger that we contacted each other. He was very witty and used to put little comments on my posts and pictures and I loved it when these used to pop up [in my feed] as Memories.
‘I’m so sad to think these [messages] could be gone forever.’
Amy O’Hara’s account was hacked and her name and photo changed to that of Emily in Paris star Lily Collins. Luckily it appears the card attached to her account had expired so the hacker was unable to buy ads – but she still lost 17 years worth of memories in photos, and all her contacts.
‘It’s heartbreaking and there is no way of contacting Facebook other than legal correspondence by the looks of things,’ she tells Metro.co.uk. ‘I set up a new account to try to see my old one, but if I don’t get that back, I won’t use Facebook again.’
To add insult to injury for Shannon, she was also duped out of more than £500 by a cyber crook masquerading as a security expert that she found online after searching for a number for the Facebook help centre in Ireland. He promised he’d be able to help her recover her account.
‘I couldn’t believe I fell for it, but I was so heartbroken and wanted to get my memories back so much I would have done everything,’ she says.
Shannon is still trying everything in her power to get her Facebook account back before the 30-day deadline.
Steve Moore, 52, from Buxton, had a very similar experience. After his account was suspended following a hack by someone based in Indonesia, he began messaging Facebook and Meta on Twitter each day in a desperate attempt to find a resolution, but failed before the 30-day deadline. His account was permanently deleted.
‘The whole situation has been very distressing,’ he says. ‘I didn’t know what the hacker had done and I had no way to warn friends that I had been hacked.
‘I’m currently going through some personal problems [a separation] and wanted to let friends know. I use Messenger a lot and don’t always have people’s mobile numbers or addresses. There are still people I haven’t been able to contact.’
I couldn’t believe I fell for it, but I was so heartbroken and wanted to get my memories back so much I would have done everything
One of the hardest things for Steve to deal with, however, was the ‘isolation’.
‘I wasn’t a huge Facebook user but I stayed in contact with people,’ he says. ‘With my separation, I felt that a good proportion of my support network was taken away from me.
‘I’ve lost access to photos which I can’t get back. I’ve lost contact details and I’ve lost important conversations. On Instagram, I had a good network of craft people. I’ve lost many of those contacts now.’
Steve believes the biggest problem with Facebook is that it has ‘too many users to care about individuals’. He adds: ‘I don’t feel my case was reviewed properly and I don’t feel there is any community with the Facebook brand to allow discussion of these situations.
‘It’s clear that this situation is happening a lot and I hope they can get some processes to help innocent victims while still targeting the truly malicious users.’
While Steve admits that he didn’t have two-factor authentication enabled on his Facebook account, many other users’ accounts, including mine, were still compromised.
So, how are hackers able to penetrate the accounts of Facebook users, even when they have this so-called ‘more secure’ tool switched on? And what can we do to circumvent attacks like this in the future?
Hervé Lambert, global consumer operations manager for Panda Security, says that while Facebook has implemented various security measures to protect user data – such as encryption, two-factor authentication, and account recovery options – no online platform is completely secure.
‘Two-factor authentication is secure, and we encourage every user to enable it, but it does not render you invulnerable,’ explains Lambert. ‘While such security measures help protect against account hacking, they are not undefeatable, and cybercriminals are well aware of it and can still find ways to bypass them.”
What is two-factor authentication?
Two-factor authentication (also known as 2FA) is an identity and access management security method that requires two forms of identification (a password and a verification code sent via either email or phone) to access resources and data. Many businesses, such as Meta, use 2FA tech across their platforms to ensure their users’ personal information is more secure.
But how are these hackers still able to get around these supposedly protective methods? Lambert says it’s down to them knowing that humans are the weakest link in the chain and aim to exploit that.
‘Usually, they get users to inadvertently provide them with their login credentials using sophisticated phishing and social engineering tactics, such as by posing as a trusted friend or service provider,’ he says. ‘Users then compromise their accounts by clicking on suspicious links, downloading malware, or simply just using weak passwords.’
Will Richmond-Coggan, a data and social media litigation specialist at Freeths, explains a little further.
‘Where the objective is to co-opt a user’s account to post content, it is not always necessary to have the user’s password in order to do so,’ he tells Metro.co.uk.
‘Instead, a seemingly innocent site or phone app asks you to register to use its content and offers you the option to register using your social profile. You then may be asked to grant permissions, which include permission for the app/site to post to Facebook on your behalf. Often this flies completely under the radar, and by the time that unwanted posts are being made on the social platform, you may not even remember that you granted those permissions.’
But who is behind these widespread hacks, and why are cyber crooks targeting everyday people’s Facebook and Instagram accounts?
‘One possibility is that the attacks could be politically motivated, with state-sponsored actors seeking to disrupt democratic processes or spread propaganda,’ says Lambert. ‘Additionally, some hackers may be motivated by financial gain, seeking to use stolen personal information for identity theft or to gain access to financial accounts.’
Richmond-Coggan notes that there are two important points to take away from this.
Firstly, a social network is not guaranteed to be around, or secure, forever. If there is anything that really matters to you (be that contact information, photos or other precious memories) make sure that it is backed up or stored in some other format.
Secondly, be very careful about what other applications or sites you connect to your social profile. Although it can seem convenient, you are potentially creating new avenues of attack which can have very serious consequences. Also consider whether the permissions you are being asked to grant are needed for what you understand an app to be doing, and be wary about granting permissions where you don’t understand their purpose.
Meta: too much power?
Alex Ellis, 36, from Providence, Rhode Island, US, had his Facebook hacked and then permanently deleted, along with his Instagram. He thinks it’s unfair that Meta is treating its users this way, and is concerned it’s a sign the platform has become too powerful for its own good.
‘It is wrong to take away people’s access to their social network when they’ve done everything right and only got hacked,’ he says.
‘And whenever you post about this issue on social media, you are swarmed in the comments by spambots hawking dubious services to help you get your accounts back.
‘This is definitely a symptom of Meta having too much corporate power and a reminder that it needs to be broken up. I hope American elected officials do the right thing and take a big step to limit the power such companies have over our lives.’
After the 30-day mark passed with no change, Alex went ahead and made a new Instagram account – but refused to rejoin Facebook.
It’s also worth remaining vigilant following a hack, as – from what many have seen on Twitter – there are plenty of scammers out there ready to take advantage of those looking to find a resolution after their accounts have been compromised.
Facebook ignored my request for comment for this article and instead provided unrelated information ‘on background’ along with tips on keeping accounts secure, which are of no use to anyone who has already been locked out of their account because of a hack.
Regardless, after submitting my request for comment to the Meta press team, my Facebook and Instagram accounts miraculously came back online within 12 hours. That’s some press privilege right there. It’s just a shame that not everyone who has lost their account as a result of a hack has the same luxury.
MORE : ‘Dishonest and irresponsible’: 25 years on from Andrew Wakefield’s claims against the MMR jab
MORE : Emergency assemblies, letters home and extra staff: how schools are rallying to tackle Andrew Tate