[HN Gopher] Recovering locked Facebook accounts is a nightmare. ...
___________________________________________________________________
Recovering locked Facebook accounts is a nightmare. That's on
purpose
Author : bookofjoe
Score : 132 points
Date : 2021-10-19 13:54 UTC (9 hours ago)
(HTM) web link (www.washingtonpost.com)
(TXT) w3m dump (www.washingtonpost.com)
| dclaw wrote:
| I spent the better part of 2019 and early 2020 recovering my dead
| dog's facebook account so I could get some photos off of it and
| close it properly. I hadn't used it in like 4-5 years, and had to
| re-purchase the domain name used so I could get emails from them.
| What a nightmare. They treated him like he was a human, and
| wouldn't accept a photo of the dog, his county-registered
| license, or anything else. After trying for over 8 months,
| mysteriously the account got unlocked with no explanation.
| #DeleteFacebook
| nradov wrote:
| Facebook allows pages for pets, but not user profiles.
| hashmymustache wrote:
| People use FB as a photo backup service?
| bluGill wrote:
| It isn't a great backup service, but it is useful. Every day
| they give me a x years ago you shared - normally a picture of
| my kids doing something cute that I forgot about until then.
| Brings a big smile to my face.
|
| You have to be careful how you use Facebook. I've gotten
| aggressive about blocking all from every single group and
| cute kitten post. Facebook is a great way to share pictures
| with my friends and family. For news, jokes, buying/selling,
| and learning about my hobbies it is useless (because the
| algorithm doesn't show me everything). As a rule, if it
| isn't something you wouldn't mark as personal information
| with limited distribution it shouldn't be on Facebook. (this
| also implies Facebook needs high security)
| blaze33 wrote:
| Yes, lots of people have at least some of their photos only
| stored on FB and have no backups, so FB ends up being their
| de facto "photo backup service".
|
| Obviously you should routinely backup your data, yet here we
| are. Last year I noticed that most of the photo albums I
| shared on FB over the years just disappeared. They were not
| hidden by some app setting, nor temporarily unavailable, the
| data dump FB offers has no trace they even ever existed. The
| data was gone. I reported the issue but never got any answer.
| Thankfully I had the original photos on my old desktop. So
| when your data may randomly vanish, do backups, just my two
| cents.
| citizenpaul wrote:
| Same happened to me except I didn't send any ID or pictures or
| anything. I just said I guess I'm done with FB, then got an
| email saying my account was unlocked about 2 months later.
|
| I don't think FB actually has a fraud system outside of "wait a
| long time" so it's not worth it to hackers.
| csunbird wrote:
| Why do you have a facebook account for your dog anyways?
| Sunspark wrote:
| So they could be angry at people for not accepting friend
| requests from their dog.
| sithlord wrote:
| Because they wanted to? Not sure why it matters.
| tinus_hn wrote:
| Is it even allowed by the terms of service to create
| accounts that are not for humans?
| inetknght wrote:
| Once upon a couple decades ago, Facebook's terms of
| service didn't require you to be a human.
|
| And even if you're not a human, how would Facebook prove
| it?
|
| And even if Facebook could prove that you are not human,
| what right do they have to deny you what they clearly
| claim is yours ("your" photos)?
| tinus_hn wrote:
| If the terms of service don't allow you to create a
| Facebook account for a dog, is it reasonable to expect
| them to accommodate recovery when you do so anyway?
| dclaw wrote:
| Well, that wasn't always the case. If they change the
| terms of service to disallow having a non-human account,
| that doesn't change the fact that it still exists. By the
| time I deleted my own personal facebook account, I hadn't
| used the dog account in years anyway. It only became an
| issue when the dog died. Also, I did nothing wrong to
| lock the account, it was their idiotic methods that
| caused the issue, not the fact that the account was
| actually for a dog.
| inetknght wrote:
| > _If the terms of service don't allow you to create a
| Facebook account for a dog, is it reasonable to expect
| them to accommodate recovery when you do so anyway?_
|
| First, if the terms of service didn't have any exclusion
| against a dog then absolutely yes it's reasonable to
| expect them to accommodate recovery when you do so.
|
| Second, if the terms of service explicitly state that you
| own anything then is it reasonable that they deny you
| your ownership? We're talking about HUMANS here. If a
| business states that you are not permitted to enter their
| building but you do so anyway, and in doing so you lost
| your wallet, then is it reasonable to expect them to
| return it to you? Yes it absofuckinglutely is. This is no
| different whatsoever.
|
| Third, terms of services are not a contract because
| nobody reads them. A contract specifically requires that
| both parties understand and comprehend the terms of the
| contract. Websites provide services despite the fact that
| 99% of people do not understand the terms presented.
| You're deluding yourself if you think it's reasonable to
| think that everyone fully understands "Facebook is not a
| place for pictures of my dog".
| marcosdumay wrote:
| Looks like it's to post pictures of the dog.
|
| Why shouldn't one create an account for a dog?
| WarOnPrivacy wrote:
| Dogs are Facebook's least toxic posters.
| marcosdumay wrote:
| On an unrelated thought, it used to be that on the
| internet nobody knew you were a dog...
| markjenkinswpg wrote:
| https://stallman.org/images/dog.jpg
| TheChaplain wrote:
| A friend of mine has an IG account for their kitten, and they
| post in the form of a journal from the cat's perspective.
|
| It might seem silly to some and only has two followers, but they
| have fun and it doesn't harm anyone.
| kibwen wrote:
| In a long-lost age, the internet used to be for fun. In 2006
| the guys in our dorm made a Facebook account for the
| decorative plastic pumpkin that we drank beer out of.
| kstrauser wrote:
| I'm out. I'm currently running facebook-delete to completely
| purge my account of all content. After a couple of weeks, I'll
| deactivate it. After a couple more, I'm deleting it. I want
| nothing more to do with that company in any way.
|
| Before someone brings up Oculus: I don't care. It's dead to me.
| Any technology that _requires_ me to have a FB account might as
| well not exist in my world.
|
| (BTW, `facebook-delete -rateLimit 40000`, i.e. a 40 second wait
| between actions, is what it finally took to run without hitting
| rate limits and stopping after removing a few actions. I'm
| leaving it running in tmux until it's finished.)
| 908087 wrote:
| Feed them a bunch of bullshit data before you leave. Join
| groups for things you aren't interested in, and like / click
| ads for things you don't care about.
| zepto wrote:
| Where do I find 'facebook-delete'? Googling didn't yield
| anything obvious.
| djmips wrote:
| I assume it's this. https://github.com/marcelja/facebook-delete
|
| Found with Googling. ;-)
| Sanzig wrote:
| I did the account nuke a few months ago. Felt great.
|
| The only social media accounts I still have are twitter (locked
| down account, never post, use it to follow a few local
| businesses and local public figures), HN, and Reddit.
|
| I'm also getting pretty close to pulling the plug on Reddit,
| the site feels somehow even _more_ toxic and polarized than it
| did years ago. Although, that's probably also partially a
| function of me growing up and maturing.
| BeFlatXIII wrote:
| IMO, the increased toxicity of Reddit is due to user base
| growth. Much worse content used to be openly allowable on
| Reddit, but the users who posted that stuff were more content
| to stay in their hate holes and leave the rest of the site
| alone.
|
| Unfortunately, even the small subs that are just as good as
| the Reddit of old still have a time bomb of when the
| subscriber base grows to the point that the mods can't stop
| the user base from spamming irrelevant IRL political
| discussion in the comments.
| kstrauser wrote:
| I used to be really active on Twitter but now keep it around
| mainly to shame bad customer service. I definitely wouldn't
| follow me anymore.
|
| I'm really torn on Reddit. It still has lots of good
| communities, but it's so easy to pop over to something mean-
| spirited to get a little "I'm a superior person!" endorphin
| rush. I don't need that in my life.
|
| I still have and enjoy a Mastodon account. It feels like
| Twitter, but more chaotic in a good way, and with people
| being on the whole much nicer to each other.
| shoulderfake wrote:
| Not to mention the speech policing going on in Reddit... it's
| basically useless now since you can't say what you think.
| robotmay wrote:
| I've been wanting to delete Facebook for years but my partner
| convinced me to keep it - but now I haven't even logged in in
| a year and nobody noticed, so I feel like I can get away with
| it now!
|
| Reddit and Twitter I already nuked last year. Trying to think
| of other things I can go and delete now, as it's quite
| cathartic.
| Misdicorl wrote:
| Depending on what you mean by a few years ago (perhaps
| five?), you might just need to re-curate your subs.
| Communities hit big problems once they get too big that are
| fundamentally hard to manage. Drop your big communities and
| try to find the replacement that's much smaller
| TheJoYo wrote:
| Using a third party app like Infinity for Reddit lets me
| subscribe to subreddits anonymously.
|
| Reddit has been read-only for me since the Digg migration so
| I lose nothing and give nothing.
| ljm wrote:
| I wish I took the scorched-earth approach to deleting my FB
| account as well as trusting GDPR.
|
| But there's still whatsapp and that now plugs into FB, and
| there's no longer an evolution to SMS and MMS, a way to message
| purely by having a phone number, no matter what account you
| have.
|
| You can't opt out of this except by going totally off the grid.
| KennyBlanken wrote:
| Is there any proof that "deleting" something on Facebook does
| anything other than set a flag along the lines of "doNotShow"?
| MerelyMortal wrote:
| I would like to know too, but how does one prove that?
| kstrauser wrote:
| Not that I know of, although CCPA may have something to say
| about that. However, I think of it like symbolically crushing
| a final pack of cigarettes. It's a turning point. Even if FB
| retains my old data, it's almost certain that I can't
| personally restore it. If I ever get tempted to go back, that
| takes away a lot of the motivation: why would I start over
| today with a blank Facebook account?
| saddlerustle wrote:
| The last published DPC audit found that it does [1]. There's
| really no reason to subject themselves to huge fines and lie
| about it when an insignificant fraction of facebook users
| delete anything.
|
| [1] https://web.archive.org/web/20171218060100/https://www.datap...
| mttddd wrote:
| Anecdotally, from a few folks I know who work there it does
| get completely deleted after a month or two I believe. Like
| you said between GDPR, the FTC settlement and just general
| bad press they actually take deleting data pretty seriously
| Sunspark wrote:
| I am skeptical. The reason is because I worked for a bank
| that had a policy of deleting data after 7+ years. The
| thing is, a number of database tables were just simply
| removed from the index but still existed and if you knew
| the name of the table you could continue accessing them.
| Likewise, all the tape backups continued to exist, they
| weren't shredded and this was proven when someone in IT
| somewhere screwed up and restored my team's network drive
| with an image from 10+ years ago. It was interesting
| poking around to see what files were on it from before
| anyone on the current team was a member, but that
| shouldn't have happened. So, if a multi-national bank was
| acting this way, why would FB be any different? They are
| so large now, fines are just background noise and they
| have to be caught to be fined.
| rpastuszak wrote:
| Not doing so would be quite risky from GDPR perspective.
| Nextgrid wrote:
| But they already breach the GDPR on so many levels.
| YetAnotherNick wrote:
| Is there any other benefit in having account deleted vs just an
| inactive account (default case for the majority)? They don't
| stop tracking you based on whether you are logged in or not.
| txsoftwaredev wrote:
| I would imagine if enough people made that choice it would
| eventually come up in a shareholder meeting as it would
| affect their active number of users. I'm not sure how they
| report this if you just don't use your account for a long
| period of time.
| treesknees wrote:
| During the start of the pandemic/lockdown in the US, my 90 year
| old grandfather was locked out of his Facebook account. He
| doesn't post or add friends, literally only uses it to play slot
| and casino games. Turns out his password was compromised and
| someone had gotten in and changed the name/profile and had been
| spamming and scamming people on FB marketplace. He hadn't noticed
| because he never went onto a regular FB page, he only clicked
| into it from offer emails from his games.
|
| It was tough because at the time I couldn't go to help him in
| person. And even when I finally could, it took months of waiting
| and even contacting an old college roommate at FB to help get it
| unlocked. It was probably 8 or 10 months later that he finally
| received an email and could go reset his password.
|
| I really wish these multi-billion dollar companies would at least
| staff a helpdesk to field these basic issues. When these "free"
| services lock you out, you're basically left with yelling at what
| feels like a wall trying to get help.
| ilamont wrote:
| _When these "free" services lock you out_
|
| They may be "free" to use, but Facebook is making real money
| off of every account, certainly enough to fund human help for
| critical issues like this.
| judge2020 wrote:
| A big factor for not doing that (besides the cost of employing
| a helpdesk for every language that Facebook is used in) is that
| the helpdesk just becomes another vector for malicious account
| takeover. If you put it there, you're going to have sob stories
| about people who made their account years ago but don't have
| the old password, don't have access to the email, don't
| remember what they posted, and yet will cry, expecting the
| human on the other end to give them their FB account back -
| and if they can do that, so can a malicious actor trying to get
| into random peoples' accounts to scam them on Marketplace[0] or
| what have you.
|
| 0: https://news.ycombinator.com/item?id=28918834
| rectang wrote:
| I understand the business factors that require initial
| account creation to be frictionless, and so why proof of
| identity must be weak, but why can't account recovery offer
| an option where you prove your identity indisputably?
|
| For example, some sort of physical storefront (possibly run
| by an independent company), where you go and say I am so-and-so
| and here's my ID and please take my picture and my
| fingerprints so that if I'm scamming I'll be easy to catch
| and here's twenty bucks for your trouble.
|
| I'd rather do that than spend weeks or months locked out,
| uncertain, and talking to a wall.
|
| Privacy advocates won't be happy, but Facebook, Google, etc.
| don't have the same motivations as privacy advocates.
| pxeboot wrote:
| That is essentially what mobile phone carriers do, yet
| "customers" provide fake/stolen IDs all the time to perform
| sim-swap attacks and obtain financed phones they never plan
| to make a payment on.
| saddlerustle wrote:
| Facebook does sometimes ask for a scan of government ID in
| the account recovery flow. Unfortunately the cost of
| operating the ~100,000 storefronts required to be nearby a
| significant fraction of its users would be absurd compared
| to the benefits.
| gjs278 wrote:
| it could be as easy as going to a notary
| treeman79 wrote:
| That is a good argument. But what is with not having a way to
| put recovery email/phone back to what it was, literally
| minutes after it was changed by a new login in another state.
| LocalH wrote:
| At this point, it's by design. They'll claim the opacity is
| needed "to prevent malicious actors from probing the system and
| finding the process's weaknesses", whereas my opinion is that
| they do this to remind people "who's in charge".
| MandieD wrote:
| Somewhat tangential, but I, and my elderly relatives on the
| other side of the country and Atlantic, would love for me to
| have the same level of optional supervision for their accounts
| that I automatically have for accounts associated with my
| child.
| numpad0 wrote:
| I'm thinking there must be a physical open door somewhere in
| Eastern or Southern Europe, which malicious individuals can just
| walk in and vandalize accounts. It's happening too often with too
| much ease and adversaries don't look or sound like geniuses like
| Feynman brought up wrong.
| hansolosays wrote:
| my IG account was stolen (no change email notification)... I had
| 2 factor on the email and IG and there is no way for me to even
| follow up on it...
| bookofjoe wrote:
| https://archive.ph/86Cgc
| hihungryimdad wrote:
| Recently my facebook was locked for "Suspicious activity". The
| only reset option was to reset by email, but I no longer had
| access to that email account (this is my failure, I knew I
| didn't, but never updated).
|
| After a few days of trying to fill out all sorts of weird forms
| on Facebook that most likely went nowhere, I came across an older
| Reddit thread that said to try going through Oculus.
|
| Filled out a trouble ticket saying that when I tried to link my
| Oculus account with facebook that facebook had appeared to lock
| my account due to "Suspicious activity". They asked for my
| facebook information and for a picture of my Oculus' serial
| number or proof that it had been purchased and was being shipped.
| Whoops, didn't have either. My friend on the other hand had a few
| and was gracious enough to send me his serial number, that did
| the trick.
|
| Oculus said someone from facebook would be in contact within a
| week. That still hasn't happened (Been 6 weeks now). BUT, after
| approximately 3 days my account recovery options changed and I
| could choose 5 of my friends to unlock my account. Voilà, I was
| in.
|
| Not sure if it was spamming some of the "unused" forms or going
| through Oculus. But if you are desperate a friend with an Oculus
| might just save you.
| ews wrote:
| I lost my Instagram account twice. No explanation. They were just
| closed for 'security issues' - I sent over 10 emails with
| personal pictures asking FB to revert that decision. Nothing,
| not even a reply.
|
| Seriously, I am out. I didn't even bother to open a new one.
| Communitivity wrote:
| This is why we need Self-Sovereign Identity (SSI), which is really
| a buzzword for the concept of 'A user should own and fully
| control their digital identity and digital content, which
| requires decentralized identifiers'.
|
| SSI is an interesting approach that has been slow to build up
| steam, but there are a large number of people developing it. It
| has some bumps and warts to work out still, but overall I think
| it's a workable technology, and definitely better than what we
| have now.
|
| For more information see https://en.wikipedia.org/wiki/Self-sovereign_identity
| and https://tykn.tech/self-sovereign-identity/
| 34g34vb34v3 wrote:
| Microsoft is using Bitcoin's network in an attempt to solve
| this problem: https://identity.foundation/ion/.
| faeyanpiraat wrote:
| From their FAQ: "Just like Sidetree ION is open source.
| Microsoft has been an important sustaining sponsor, but no
| more than that."
| ylee wrote:
| I don't have an Oculus Quest 2 but have heard good things about
| it. But I can't get one because my Facebook account was shut down
| without explanation in 2019. Despite its age (15 years) I barely
| used it, let alone for anything "controversial", but did
| regularly log into it. I repeatedly tried to verify my identity
| by submitting an image of my driver's license, without any
| response.
|
| If a Facebook employee is reading this ... I don't want to create
| a fake new Facebook account (which would be against the TOS,
| anyway). I want my own back.
| YetAnotherNick wrote:
| Just create a damn account. I don't think their TOS would cover
| people locked out of their account by facebook's fault.
| treeman79 wrote:
| It's not a nightmare, it's impossible. Source: a sobbing wife who
| lost 15+ years of photos. Thankfully I have most of the important
| ones stored elsewhere.
|
| Apparently for her and her friends Facebook was the "safe" place
| to store photos.
|
| Only 20 minutes after she got an email saying new login and it
| was too late. They had changed recovery info and no way to change
| it back. Only thing we accomplished was disabling the account.
|
| Almost all of her friends have lost their accounts.
| gspencley wrote:
| My key takeaway from the Facebook "whistle-blower" is how lax
| Facebook's internal security is. Many have pointed out that
| Frances Haugen was essentially a nobody within the
| organization. A mid-level employee who didn't make key
| decisions or have particularly privileged account-level access.
| She said herself that ANY employee could have copied the same
| documents she did.
|
| If Facebook is that lax with their own internal documents then
| I have to assume that their user account security is no better
| than at any company I've worked for as a software developer -
| which is to say completely non-existent.
|
| As far as I'm concerned, anyone who uses Facebook, Instagram,
| WhatsApp or any other FB-owned company is as good as making all
| their information, including DMs, public.
| ahahahahah wrote:
| That's a really dumb takeaway. What does the openness of
| documents like that within the company possibly have to do
| with the company's security? How do you even connect those
| two? Your theory is that a company that chooses to be open
| among employees and not lock down simple research documents
| somehow must be bad at security?
| djmips wrote:
| The anecdata mentioned, that all the software companies
| they have worked for have poor internal security struck a
| chord with me even if it can be argued it's just anecdata.
| And if you look at facebook's checkered history of security
| it's not a good track record. Or how about the fact that
| you can still to this day post public links to private
| photos?
| unicornporn wrote:
| Anything outside normal behavior can trigger these automated
| systems. Trying to withhold important personal data will make you
| an unimportant user in the eyes of these hungry giants and it
| _will_ trigger the lock out hell spirals sooner than later.
|
| I use Instagram only in a separate container in Firefox. I have
| no phone number connected to it. I tried to manually delete my
| pictures the other week. Got half way through before being locked
| out for suspicious activity. Message said account would be
| deleted if I didn't give them my phone number.
|
| So, I bought a prepaid SIM card and proceeded with SMS
| verification. They told me I had to wait 24 hours. After 24 hours
| I got a message saying I was still suspicious and had to send a
| picture of myself holding a sign with my username. You could
| mistake this process for a reddit gone wild submission.
|
| I'm done with Insta. Went ahead and deleted my FB account too,
| while I could still get in.
| akomtu wrote:
| You should've sent them a believable stock photo with a
| photoshopped sign.
| egberts1 wrote:
| 12yo Facebook account got deleted this way.
|
| Asked me for my phone number. No way.
|
| Goodbye, Facebook.
| mrguyorama wrote:
| I had my facebook account taken over a couple months ago. The
| person used my compromised password to log in to facebook.
| Facebook sent me an email saying "hey this doesn't look like you,
| here's a '2fa' code to put in before you can log in".
|
| Then, despite my email account not being compromised, such that
| the person COULD NOT have gotten that code, facebook let them in
| anyway, let them change my backup phone number and email
| accounts, take off my phone number and email accounts, change my
| password, and fully take over my account.
|
| What the hell was the point of that "code" if facebook let them
| in anyway? As the account no longer has my email address or phone
| associated with it, I can't recover it through those channels. I
| got to the point where you can send in a selfie with your ID,
| sent that, and got an email (with zero "case ID" or communication
| channel) that said verification normally takes 2 days. It's been
| over two MONTHS. So I guess there's nothing I can do?
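The failure mode in the comment above (a login code that was issued but never actually gated the session, followed by recovery e-mail and phone being swapped out with no way back, the same gap treeman79 raises earlier in the thread) is what a challenge-gated session with a revert window for contact changes is meant to close. The Python sketch below is an added example for illustration only; it is not Facebook's code and not anything posted in the thread. Every name in it (`User`, `Session`, `login`, `complete_challenge`, `change_recovery_contact`, `revert_change`) and both time windows are hypothetical design choices, and the sample user and device ids are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

CHALLENGE_TTL = 10 * 60        # login code lifetime in seconds (assumed policy)
REVERT_WINDOW = 7 * 24 * 3600  # old contact may undo a change for 7 days (assumed policy)


def _digest(s: str) -> bytes:
    return hashlib.sha256(s.encode()).digest()


def _pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    email: str
    phone: str
    pw_salt: bytes
    pw_hash: bytes
    known_devices: Set[str] = field(default_factory=set)
    challenge: Optional[Tuple[bytes, float]] = None   # (code hash, expiry) while a login is pending
    # revert-token hash -> (field, previous value, expiry); the token is sent to the OLD contact
    reverts: Dict[bytes, Tuple[str, str, float]] = field(default_factory=dict)


@dataclass
class Session:
    user: User
    verified: bool = False   # privileged actions are refused until this is True


def make_user(email: str, phone: str, password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(email=email, phone=phone, pw_salt=salt, pw_hash=_pw(password, salt))


def login(user: User, password: str, device_id: str, now: float) -> Tuple[Optional[Session], Optional[str]]:
    """Password check, then a challenge for any device not seen before.
    The code is returned only so this demo can feed it back in; a real system
    delivers it to the user's e-mail or phone and never hands it to the caller."""
    if not hmac.compare_digest(user.pw_hash, _pw(password, user.pw_salt)):
        return None, None
    if device_id in user.known_devices:
        return Session(user, verified=True), None
    code = f"{secrets.randbelow(10 ** 6):06d}"
    user.challenge = (_digest(code), now + CHALLENGE_TTL)
    return Session(user, verified=False), code


def complete_challenge(session: Session, code: str, device_id: str, now: float) -> bool:
    user = session.user
    if user.challenge is None:
        return False
    digest, expires = user.challenge
    user.challenge = None   # single use: a wrong guess burns the code instead of allowing retries
    if now > expires or not hmac.compare_digest(digest, _digest(code)):
        return False
    session.verified = True
    user.known_devices.add(device_id)
    return True


def change_recovery_contact(session: Session, which: str, new_value: str, now: float) -> Optional[str]:
    """Only a verified session may change e-mail or phone, and the previous
    contact gets a token that can undo the change for REVERT_WINDOW seconds."""
    if not session.verified or which not in ("email", "phone"):
        return None
    user = session.user
    old = getattr(user, which)
    setattr(user, which, new_value)
    token = secrets.token_urlsafe(24)
    user.reverts[_digest(token)] = (which, old, now + REVERT_WINDOW)
    return token   # delivered to `old`, the contact the legitimate owner still controls


def revert_change(user: User, token: str, now: float) -> bool:
    """Needs no session: whoever holds the old contact may already be locked out."""
    entry = user.reverts.pop(_digest(token), None)
    if entry is None:
        return False
    which, old, expires = entry
    if now > expires:
        return False
    setattr(user, which, old)
    user.challenge = None   # a real deployment would also terminate every other session here
    return True
```

The two properties worth noticing are that an unverified session cannot touch recovery contacts at all, whatever password it presented, and that the undo path is addressed to the contact the attacker just removed, so the owner does not need to win the race against the takeover to get the old address or number back.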
| pawelwentpawel wrote:
| I'm in the same position with Instagram. Been sending them
| selfies with codes forever now with completely no response. My
| account had a large following and I can't even seem to start a
| new one with the same username. Process of account retrieval is
| like talking to plants - you kinda know they're there but
| they're actually not. It makes sense though - they have
| colonised enough internet by now not to care about a couple
| mere users. If you lose access to your account you're likely
| not to get it back.
|
| On the bright side though, I don't scroll that much anymore.
| Maybe they lost a couple $ on advertising by losing a user but
| I have regained a small portion of my time I spent there. The
| only real drawback is that I kept in touch with some people via
| Instagram only.
|
| A situation like this makes you realise that an account in any
| of the FB owned companies can be taken away at any moment and
| you shouldn't get attached to it too much nor make it a single
| point of failure in your business / creative strategy. I'd
| advise to:
|
| - Keep a copy of your data (contacts, content posted etc.) and
| try to diversify as much as possible.
|
| - When using Facebook auth on 3rd party websites, make sure to
| have another method of authentication available to avoid
| getting locked out.
|
| - Try to get phone numbers of important contacts so in the
| worst case you can contact them via iMessage / Signal /
| Telegram.
|
| - If you have a large following, try to stream some of the
| traffic to other platforms too. If losing one account means
| losing your entire audience you're risking a lot.
|
| In short - have a backup.
| throwawayboise wrote:
| I would say a better plan is to maybe use social media as
| a convenience but don't become so invested that you can't
| just walk away. You should consider the accounts to be
| disposable, put in the minimum amount of personal info and
| don't use them as your authentication for anything else.
| zht wrote:
| Also, I'm sure many at HN know this but the same applies to
| the Google accounts
| fighterpilot wrote:
| Yep got locked out of Google for no reason and it was
| impossible to get in touch with a human. Extremely rage-inducing.
| There needs to be far better consumer protection
| on a government level with big tech (mostly Google and
| Twitter/FB, not so much Amazon or Netflix or Apple). Some
| of this is just unacceptable. I was reading one case of a
| person who had their name/image associated with a convicted
| rapist on Google and they couldn't get hold of a human to
| have it fixed. This kind of thing just shouldn't be allowed
| and there needs to be large fines going out. The onus
| should not be on a small time individual to fork out tens
| of thousands of dollars on a lawsuit.
| pueblito wrote:
| Am I being foolish using 'Sign In with Apple' on sites?
| thephyber wrote:
| I don't think any of us know how much risk we have due to
| automated rules created by these high scale tech
| companies with very small customer service departments.
| exolymph wrote:
| Yes. Apple may be more trustworthy than Google, but
| you're still needlessly giving them opportunity to screw
| you (most likely by accident or through random error).
| Use a password manager and set up actual accounts.
| crooked-v wrote:
| Maybe, though by comparison to Google one of Apple's
| pretty well-known selling points is having actual support
| by real people available at all times.
| atatatat wrote:
| The Fappening allegedly occurred in part because of lack
| of rate limiting of Find My iPhone API auth.
|
| Take that as a grain of salt.
| WorldMaker wrote:
| It's also a reason to assume that they've corrected that
| by now, if you want possible silver lining.
| [deleted]
| twobitshifter wrote:
| 2fa isn't as useful as people had thought it would be and
| actually causes more problems for people like me with secure
| passwords.
|
| Probability of having my 24 alphanumeric university alum
| account pw hacked:
|
| |
|
| Probability of me losing/destroying my phone/not remembering
| the right 2FA app/having DUO mobile fail:
| ||||||||||||||||||||||||||
| tpmx wrote:
| Regarding the password hacking probability: Did you really
| account for the malware/keylogging risk properly?
| citizenpaul wrote:
| Funny I had something similar happen. Though they didn't change
| my email. Once FB started asking for me to send gov ID I just
| said forget this.
|
| About two months later I got an email saying my account access
| had been restored. With me doing NOTHING. It seems FB is simply
| using some sort of automated "too long for hackers to care about
| or be profitable" system to monitor account fraud.
| mroche wrote:
| Had a similar thing happen to me back in 2019, but it never
| got resolved: https://news.ycombinator.com/item?id=24954602
|
| I'm beyond caring at this point, but if for whatever reason I
| get Messenger stripped I'm in for a fun time to try and
| communicate with some of my west coast friends' group chats.
| cwkoss wrote:
| I wonder if there are facebook internal 'admin' type
| employees that are stealing accounts in this way.
|
| That would be a way to get the code. Wouldn't be too surprised
| if facebook was skimping on oversight.
|
| Do you know what the behavior of the account was after
| takeover? Was there a clear monetization strategy (ex posting
| links, sending spam messages, etc)?
| notyourwork wrote:
| Perhaps coincidence, same thing happened to me. I was able to
| recover my account but the entire thing was head scratching.
| Granted I don't use my account but I also didn't want someone
| to have it and turn it into a shill for nefarious purposes.
| clairity wrote:
| that's actually a blessing in disguise. you have somebody else
| poisoning your personal information without you having to do
| anything. i haven't logged into facebook (or instagram or
| gmail) in at least a couple years. i hope the same has happened
| to my accounts.
| rectang wrote:
| If you're designing an OAuth login system, it's important to
| consider what happens to your user when they are locked out by
| their provider and can no longer "Continue with Facebook" or
| "Continue with Google" to use your service.
| SkyPuncher wrote:
| Not really. Most of these services tie back to an account (most
| with an actual email address).
|
| Should a SSO provider ever stop working, you simply "reset
| their password". Send them a message to validate ownership of
| the account, then ask them to set a password OR authenticate
| with a different SSO provider.
|
| ----
|
| These are the types of threats engineers _love_ wasting time
| analyzing.
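The design both commenters are circling, an account keyed to an e-mail address with "Continue with X" as one credential among several, plus a mailbox-verified reset that lets the user set a password or attach a different provider, is sketched below in Python. This is an added example and not code from the thread or from any named service; `Account`, `AccountStore`, the method names and the 15-minute token lifetime are all hypothetical, and the sample addresses and provider subject ids are constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TOKEN_TTL = 15 * 60  # recovery link lifetime in seconds (assumed policy)


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _hash_token(token: str) -> bytes:
    # Only the hash of a recovery token is stored, so a database leak does not leak live links.
    return hashlib.sha256(token.encode()).digest()


@dataclass
class Account:
    email: str                                         # the account's root identity
    pw_salt: Optional[bytes] = None
    pw_hash: Optional[bytes] = None
    sso: Dict[str, str] = field(default_factory=dict)  # provider -> provider-issued subject id
    recovery: Optional[Tuple[bytes, float]] = None     # (token hash, expiry) while a reset is pending


class AccountStore:
    def __init__(self) -> None:
        self.by_email: Dict[str, Account] = {}

    def create(self, email: str, password: Optional[str] = None,
               sso: Optional[Tuple[str, str]] = None) -> Account:
        acct = Account(email=email.lower())
        if password is not None:
            self.set_password(acct, password)
        if sso is not None:
            acct.sso[sso[0]] = sso[1]   # SSO-only signup: still anchored to the e-mail
        self.by_email[acct.email] = acct
        return acct

    def set_password(self, acct: Account, password: str) -> None:
        acct.pw_salt = secrets.token_bytes(16)
        acct.pw_hash = _hash_pw(password, acct.pw_salt)

    def login_password(self, email: str, password: str) -> Optional[Account]:
        acct = self.by_email.get(email.lower())
        if acct is None or acct.pw_hash is None or acct.pw_salt is None:
            return None
        if hmac.compare_digest(acct.pw_hash, _hash_pw(password, acct.pw_salt)):
            return acct
        return None

    def login_sso(self, provider: str, subject: str) -> Optional[Account]:
        # Match on the provider's stable subject id, not on an e-mail claim the provider may change.
        for acct in self.by_email.values():
            if acct.sso.get(provider) == subject:
                return acct
        return None

    def start_recovery(self, email: str, now: Optional[float] = None) -> Optional[str]:
        acct = self.by_email.get(email.lower())
        if acct is None:
            return None   # the web layer answers "check your inbox" either way, to avoid enumeration
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        acct.recovery = (_hash_token(token), now + TOKEN_TTL)
        return token      # in production this is only ever delivered to the mailbox

    def _redeem(self, acct: Account, token: str, now: float) -> bool:
        if acct.recovery is None:
            return False
        digest, expires = acct.recovery
        acct.recovery = None   # single use: a wrong or late attempt burns the token
        return now <= expires and hmac.compare_digest(digest, _hash_token(token))

    def recover_set_password(self, email: str, token: str, new_password: str,
                             now: Optional[float] = None) -> bool:
        acct = self.by_email.get(email.lower())
        now = time.time() if now is None else now
        if acct is None or not self._redeem(acct, token, now):
            return False
        self.set_password(acct, new_password)
        return True

    def recover_link_sso(self, email: str, token: str, provider: str, subject: str,
                         now: Optional[float] = None) -> bool:
        acct = self.by_email.get(email.lower())
        now = time.time() if now is None else now
        if acct is None or not self._redeem(acct, token, now):
            return False
        acct.sso[provider] = subject
        return True
```

Because the e-mail address is the anchor, a user whose provider has locked them out can still prove mailbox ownership and either add a password or link a second provider; the cost rectang mentions is visible in `create`, which cannot work without an e-mail even for a pure SSO signup.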
| rectang wrote:
| > _Most of these services tie back to an account (most with
| an actual email address)._
|
| Indeed, that design helps address the problem. But it also
| has implications for signup flow as you now need an email --
| which is why I'm advocating that engineers "consider" the
| issue.
|
| > _These are the types of threats engineers _love_ wasting
| time analyzing._
|
| Sheesh, where's that hostility coming from?
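The recovery design the two comments above are arguing over (an account anchored to an email address, with SSO links as one login method among several, and a "reset your password" path that works even when the provider is gone) can be sketched in code. The following is an added example written for this page, not code from Facebook, Trello, Spotify or any commenter: the `AccountService` class, its in-memory dictionaries and the "outbox" that stands in for an email sender are all assumptions. It shows a user who signed up only via a hypothetical "facebook" provider, loses that login, proves ownership of the email, and then either sets a password or links a second provider. Recovery tokens are random, stored only as a hash, expire, and are single-use; password checks use a constant-time comparison.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Assumed policy: a recovery link is valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class Account:
    email: str                                   # contact channel independent of any SSO provider
    password_hash: Optional[bytes] = None        # PBKDF2 digest, None until the user sets one
    password_salt: Optional[bytes] = None
    sso_links: dict = field(default_factory=dict)        # provider name -> subject id at that provider
    recovery_tokens: dict = field(default_factory=dict)  # sha256(token) -> expiry timestamp


def _sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AccountService:
    """Hypothetical in-memory account store (constructed for this example)."""

    def __init__(self):
        self.by_email = {}   # email -> Account
        self.by_sso = {}     # (provider, subject) -> Account
        self.outbox = []     # (email, token) pairs that a real service would send by email

    def signup_with_sso(self, email, provider, subject):
        acct = Account(email=email, sso_links={provider: subject})
        self.by_email[email] = acct
        self.by_sso[(provider, subject)] = acct
        return acct

    def login_with_sso(self, provider, subject, provider_available=True):
        # provider_available=False simulates the provider refusing to authenticate the user
        if not provider_available:
            return None
        return self.by_sso.get((provider, subject))

    def login_with_password(self, email, password):
        acct = self.by_email.get(email)
        if acct is None or acct.password_hash is None:
            return None
        digest = _hash_password(password, acct.password_salt)
        return acct if hmac.compare_digest(digest, acct.password_hash) else None

    def request_recovery(self, email):
        # Same observable behaviour whether or not the address exists, to avoid
        # turning the recovery form into an account-enumeration oracle.
        acct = self.by_email.get(email)
        if acct is None:
            return
        token = secrets.token_urlsafe(32)
        acct.recovery_tokens[_sha256(token)] = time.time() + TOKEN_TTL_SECONDS
        self.outbox.append((email, token))

    def _consume_token(self, email, token, now=None):
        now = time.time() if now is None else now
        acct = self.by_email.get(email)
        if acct is None:
            return None
        expiry = acct.recovery_tokens.pop(_sha256(token), None)  # pop: single use
        if expiry is None or now > expiry:
            return None
        return acct

    def recover_set_password(self, email, token, new_password, now=None):
        acct = self._consume_token(email, token, now)
        if acct is None:
            return False
        acct.password_salt = secrets.token_bytes(16)
        acct.password_hash = _hash_password(new_password, acct.password_salt)
        return True

    def recover_link_provider(self, email, token, provider, subject, now=None):
        acct = self._consume_token(email, token, now)
        if acct is None:
            return False
        acct.sso_links[provider] = subject
        self.by_sso[(provider, subject)] = acct
        return True
```

The point rectang raises about signup still holds here: the fallback only works because an email address was collected at signup, and it only helps if that mailbox is not itself behind the provider that locked the user out (a Google-hosted mailbox is no fallback for a Google SSO lockout).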
| ashtonkem wrote:
| I specifically avoid using oauth to reduce the impact if google
| bans me for whatever reason.
| rectang wrote:
| I do the same with my personal accounts. With work accounts
| that use GSuite, though, I've been mostly using Google for
| SSO.
|
| Expecting ordinary users to make these kinds of decisions is
| unrealistic.
| b0afc375b5 wrote:
| It's basically a single point of failure (SPOF) and with
| proper risk assessment, one ultimately concludes to use
| email/password whenever available.
| user3939382 wrote:
| The other day I wanted to switch Trello from "sign in with
| Google" to an email/password. The first step in the process was
| "To verify you before completing this action, please provide
| your Atlassian password". I don't have one, I'm signing in via
| Google...
| Sanzig wrote:
| My Spotify account was originally created using a Facebook
| link. I eventually switched over to an email/password before
| I deleted my Facebook account, but my Spotify account name is
| an annoyingly long gibberish hash value that I can't change
| (I assume it's something like a hashed value of my Facebook
| UID but I've never bothered to check).
| monkeybutton wrote:
| My Spotify account created with a regular email has the
| weird hash username too. After updating the app it's a coin
| flip whether or not the UUID looking string is what I see
| displayed. I don't understand how they can make such a
| large and complex service but not get users' display names
| correct?
| Sohcahtoa82 wrote:
| > Social media companies, meanwhile, juggle customer service and
| account security as they try to make sure fraudsters don't abuse
| recovery tools to wrongfully gain access. Some of this could be
| solved with additional security checks,
|
| This doesn't jibe well with:
|
| > Getting in touch with a human is rare.
|
| It needs to be easier to deal with a human.
|
| But I understand why it's hard to get to a human. Having humans
| in the loop is expensive and doesn't scale when you have a user
| count measured in the _billions_.
|
| But you know what else doesn't scale? Trying to get all of your
| users to understand basic account security. Not enough people are
| using password managers. Not enough people are using 2FA. Too
| many people are falling for phishing campaigns and responding to
| silly posts like "Your porn name is the name of your first pet
| and the street you grew up on" and giving away the answers to
| security questions.
| ranguski wrote:
| The major reason I have an account isn't so that someone could
| impersonate me there; they could support the impersonator and
| leave me hanging if things turn out bad.
| arprocter wrote:
| I ended up in the fun position of not being able to get into my
| Facebook account, and the only recovery options were 'text a
| number you haven't used in years, or ask this random selection of
| people you no longer have contact with to confirm you are you'.
|
| It turned out logging into Spotify somehow re-enabled my access
| - my only guess is because I had a Spotify account before they
| were under the Zuck umbrella it somehow grandfathered me in
| detritus wrote:
| Spotify?
| arprocter wrote:
| Yep - I guess they are linked to Facebook, so getting into
| one unlocked the other one?
|
| Didn't really make much sense, but I was very glad to get
| back into my account to chat to some old friends mid-pandemic
| nikolay wrote:
| Of course; we own have experienced this already! Some of my
| friends create new accounts - I have friends with 5+ profiles!
| And this is very convenient for Facebook as they report "new"
| signups! Unfortunately, it makes their content less valuable. For
| example, tagged photos, comments, etc. are now spanned thru more
| than one profile. I've been restricted multiple times and their
| pages to dispute give me a generic error every time I try - this
| is on purpose, too.
___________________________________________________________________
(page generated 2021-10-19 23:01 UTC)