How to get back into a hacked Facebook account (washingtonpost.com)
166 points by bookofjoe on Oct 19, 2021 | 117 comments


I had my facebook account taken over a couple months ago. The person used my compromised password to log in to facebook. Facebook sent me an email saying "hey this doesn't look like you, here's a '2fa' code to put in before you can log in".

Then, despite my email account not being compromised, such that the person COULD NOT have gotten that code, facebook let them in anyway, let them change my backup phone number and email accounts, take off my phone number and email accounts, change my password, and fully take over my account.

What the hell was the point of that "code" if facebook let them in anyway? As the account no longer has my email address or phone associated with it, I can't recover it through those channels. I got to the point where you can send in a selfie with your ID, sent that, and got an email (with zero "case ID" or communication channel) that said verification normally takes 2 days. It's been over two MONTHS. So I guess there's nothing I can do?


I'm in the same position with Instagram. Been sending them selfies with codes forever now with completely no response. My account had a large following and I can't even seem to start a new one with the same username. Process of account retrieval is like talking to plants - you kinda know they're there but they're actually not. It makes sense though - they have colonised enough internet by now not to care about a couple mere users. If you lose access to your account you're likely not to get it back.

On the bright side though, I don't scroll that much anymore. Maybe they lost a couple $ on advertising by losing a user but I have regained a small portion of my time I spent there. The only real drawback is that I kept in touch with some people via Instagram only.

A situation like this makes you realise that an account in any of the FB owned companies can be taken away at any moment and you shouldn't get attached to it too much nor make it a single point of failure in your business / creative strategy. I'd advise to:

- Keep a copy of your data (contacts, content posted etc.) and try to diversify as much as possible.

- When using Facebook auth on 3rd party websites, make sure to have another method of authentication available to avoid getting locked out.

- Try to get phone numbers of important contacts so in the worst case you can contact them via iMessage / Signal / Telegram.

- If you have a large following, try to stream some of the traffic to other platforms too. If losing one account means losing your entire audience you're risking a lot.

In short - have a backup.


I would say a better plan is to maybe use social media as a convenience but don't become so invested that you can't just walk away. You should consider the accounts to be disposable, put in the minimum amount of personal info and don't use them as your authentication for anything else.


also I'm sure many at HN know this but the same applies to the Google accounts


Yep got locked out of Google for no reason and it was impossible to get in touch with a human. Extremely rage-inducing. There needs to be far better consumer protection on a government level with big tech (mostly Google and Twitter/FB, not so much Amazon or Netflix or Apple). Some of this is just unacceptable. I was reading one case of a person who had their name/image associated with a convicted rapist on Google and they couldn't get hold of a human to have it fixed. This kind of thing just shouldn't be allowed and there needs to be large fines going out. The onus should not be on a small time individual to fork out tens of thousands of dollars on a lawsuit.


> I was reading one case of a person who had their name/image associated with a convicted rapist on Google and they couldn't get hold of a human to have it fixed.

Suing Google apparently does the trick in my country. Google fails to respond? Police shows up at their local office, arrests some executives and makes them 100% available for comment.

https://www.nytimes.com/2012/09/26/business/global/top-googl...

I wonder why the US doesn't do this. Tarnishing an innocent person's reputation by associating them with rape they didn't commit is obviously criminal. They MUST fix it. Doesn't matter how much it costs them either.

They also get plenty of lawsuits over images in the search results. Lawsuits over celebrity nude photos have made the news before. They were removed. A local Facebook executive was also detained after the company failed to disclose the contents of encrypted WhatsApp messages to drug trafficking investigators. To me this was major proof that WhatsApp wasn't lying about its end-to-end encryption.

> The onus should not be on a small time individual to fork out tens of thousands of dollars on a lawsuit.

Agree. Government should always provide free lawyers really. Not just for murder cases. Otherwise, only the rich will ever go to court and seek justice.


> consumer protection

Last I checked Facebook/Instagram/Gmail were free. If this had happened to someone with a paying Google Workspace account I'd understand but I hardly doubt willingly signing up to a free service grants you any extensive rights.


It's not really free when I'm paying via advertising revenue. It's just indirect payment. I don't see a fundamental difference between paying $20/year and contributing $20/year in ad revenue.

Anyway the laws I was proposing weren't so much for free account closure, it was more for things like false search results, impersonation, account hijacking. These amount to defamation and psychological abuse and these companies are allowing it to happen without providing any human customer service fix.


Am I being foolish using ‘Sign In with Apple’ on sites?


Maybe, though by comparison to Google one of Apple's pretty well-known selling points is having actual support by real people available at all times.


Yes. Apple may be more trustworthy than Google, but you're still needlessly giving them opportunity to screw you (most likely by accident or through random error). Use a password manager and set up actual accounts.


The Fappening allegedly occurred in part because of lack of rate limiting of Find My iPhone API auth.

Take that with a grain of salt.


It's also a reason to assume that they've corrected that by now, if you want possible silver lining.


I don’t think any of us know how much risk we have due to automated rules created by these high scale tech companies with very small customer service departments.


2fa isn’t as useful as people had thought it would be and actually causes more problems for people like me with secure passwords.

Probability of having my 24 alphanumeric university alum account pw hacked:

|

Probability of me losing/destroying my phone/not remembering the right 2FA app/having DUO mobile fail: ||||||||||||||||||||||||||


Regarding the password hacking probability: Did you really account for the malware/keylogging risk properly?


Funny I had something similar happen. Though they didn't change my email. Once FB started asking for me to send gov ID I just said forget this.

About two months later I got an email saying my account access had been restored. With me doing NOTHING. It seems FB is simply using some sort of automated "too long for hackers to care about or be profitable" system to monitor account fraud.


Had a similar thing happen to me back in 2019, but it never got resolved: https://news.ycombinator.com/item?id=24954602

I'm beyond caring at this point, but if for whatever reason I get Messenger stripped I'm in for a fun time to try and communicate with some of my west coast friends' group chats.


These behemoths - Facebook, Twitter, Google [1] - are running businesses where scale matters and cost saving is the supreme goal. You, as an insignificant normal user, are, well, just insignificant. There’s no incentive for them to invest in infrastructure where cases like yours can be dealt with.

It’s like the game that you can never win. So the only way to not be losing is not playing.

[1] I’ve always been able to reach a human being at Apple, so far, so I didn’t mention them. Even for help with out of warranty devices. That’s why the recovery/backup email with my domain registrar and mail host is my @icloud.com email. Earlier it was my Gmail account.

Right now my Gmail account is used in places where I even suspect I’ll get spam. I open it only when I am expecting an email i.e movie/travel ticket booking etc.

Though I’m not really sure what happens to this @icloud.com email if I own zero Apple devices at some point?!


I wonder if there are facebook internal 'admin' type employees that are stealing accounts in this way.

That would be a way to get the code. Wouldn't be too surprised if facebook was skimping on oversight.

Do you know what the behavior of the account was after takeover? Was there a clear monetization strategy (ex posting links, sending spam messages, etc)?


Perhaps coincidence, same thing happened to me. I was able to recover my account but the entire thing was head scratching. Granted I don't use my account but I also didn't want someone to have it and turn it into a shill for nefarious purposes.


Yes! Yes! This happened to my wife. It was exactly the same. As her tech support team, I have wasted endless hours trying to recover her account. Facebook support has never responded, and we can see the account, yet we have no way to click any of the supposed "recovery options".

This is horrendous. I'm sad to see other people live through the frustration here, yet glad we're not the only ones.


that’s actually a blessing in disguise. you have somebody else poisoning your personal information without you having to do anything. i haven’t logged into facebook (or instagram or gmail) in at least a couple years. i hope the same has happened to my accounts.


During the start of the pandemic/lockdown in the US, my 90 year old grandfather was locked out of his Facebook account. He doesn't post or add friends, literally only uses it to play slot and casino games. Turns out his password was compromised and someone had gotten in and changed the name/profile and had been spamming and scamming people on FB marketplace. He hadn't noticed because he never went onto a regular FB page, he only clicked into it from offer emails from his games.

It was tough because at the time I couldn't go to help him in person. And even when I finally could, it took months of waiting and even contacting an old college roommate at FB to help get it unlocked. It was probably 8 or 10 months later that he finally received an email and could go reset his password.

I really wish these multi-billion dollar companies would at least staff a helpdesk to field these basic issues. When these "free" services lock you out, you're basically left with yelling at what feels like a wall trying to get help.


A big factor for not doing that (besides the cost of employing a helpdesk for every language that Facebook is used in) is that the helpdesk just becomes another vector for malicious account takeover. If you put it there, you're going to have sob stories about people who made their account years ago but don't have the old password, don't have access to the email, don't remember what they posted, and yet will cry, expecting the human on the other end to give them their FB account back - and if they can do that, so can a malicious actor trying to get into random peoples' accounts to scam them on Marketplace[0] or what have you.

0: https://news.ycombinator.com/item?id=28918834


I understand the business factors that require initial account creation to be frictionless, and so why proof of identity must be weak, but why can't account recovery offer an option where you prove your identity indisputably?

For example, some sort of physical storefront (possibly run by an independent company), where you go and say I am so-and-so and here's my ID and please take my picture and my fingerprints so that if I'm scamming I'll be easy to catch and here's twenty bucks for your trouble.

I'd rather do that than spend weeks or months locked out, uncertain, and talking to a wall.

Privacy advocates won't be happy, but Facebook, Google, etc. don't have the same motivations as privacy advocates.


That is essentially what mobile phone carriers do, yet "customers" provide fake/stolen IDs all the time to perform sim-swap attacks and obtain financed phones they never plan to make a payment on.


Germany has a suitable system built on an NFC chip in the federal ID (Personalausweis). When you get it (renewed), you get a transport pin, which you can use to set a regular usage pin, which you can then use to auth yourself to the NFC chip and make it provide some signed information to the remote end.

Also, they are not particularly easy to fake to a degree that passes spot checks, anyways.


Facebook does sometimes ask for a scan of government ID in the account recovery flow. Unfortunately the cost of operating the ~100,000 storefronts required to be nearby a significant fraction of its users would be absurd compared to the benefits.


That is a good argument. But what is with not having a way to put recovery email/phone back to what it was, literally minutes after it was changed by a new login in another state.


Somewhat tangential, but I, and my elderly relatives on the other side of the country and Atlantic, would love for me to have the same level of optional supervision for their accounts that I automatically have for accounts associated with my child.


Many years ago I read a Bruce Schneier blog post that posited that most computer users would prefer to have their computers strictly managed by a benevolent agent. I’ve always agreed.


> When these "free" services lock you out

They may be "free" to use, but Facebook is making real money off of every account, certainly enough to fund human help for critical issues like this.


At this point, it's by design. They'll claim the opacity is needed "to prevent malicious actors from probing the system and finding the process's weaknesses", whereas my opinion is that they do this to remind people "who's in charge".


Anything outside normal behavior can trigger these automated systems. Trying to withhold important personal data will make you an unimportant user in the eyes of these hungry giants and it will trigger the lock out hell spirals sooner than later.

I use Instagram only in a separate container in Firefox. I have no phone number connected to it. I tried to manually delete my pictures the other week. Got half way through before being locked out for suspicious activity. Message said account would be deleted if I didn't give them my phone number.

So, I bought a prepaid SIM card and proceeded with SMS verification. They told me I had to wait 24 hours. After 24 hours I got a message saying I was still suspicious and had to send a picture of myself holding a sign with my username. You could mistake this process for a reddit gone wild submission.

I'm done with Insta. Went ahead and deleted my FB account too, while I could still get in.


You should've sent them a believable stock photo with photoshopped sign.


12yo Facebook account got deleted this way.

Asked me for my phone number. No way.

Goodbye, Facebook.


I think the big issue is these companies simply take care of the major problems and let the edge cases slide. It is simply not cost effective for the company to have a solution for the problems of the 1 in 10000 customer.

I lost access to my Amazon account. They want bills with my phone number on them. I don't have utility bills and I don't have phone service at the moment. I am an insignificant edge case and simply not worth their time.


I spent the better part of 2019 and early 2020 recovering my dead dog's facebook account so I could get some photos off of it and close it properly. I hadn't used it in like 4-5 years, and had to re-purchase the domain name used so I could get emails from them. What a nightmare. They treated him like he was a human, and wouldn't accept a photo of the dog, his county-registered license, or anything else. After trying for over 8 months, mysteriously the account got unlocked with no explanation. #DeleteFacebook


Why do you have a facebook account for your dog anyways?


In a long-lost age, the internet used to be for fun. In 2006 the guys in our dorm made a Facebook account for the decorative plastic pumpkin that we drank beer out of.


Because they wanted to? Not sure why it matters.


Is it even allowed by the terms of service to create accounts that are not for humans?


Once upon a couple decades ago, Facebook's terms of service didn't require you to be a human.

And even if you're not a human, how would Facebook prove it?

And even if Facebook could prove that you are not human, what right do they have to deny you what they clearly claim is yours ("your" photos)?


If the terms of service don’t allow you to create a Facebook account for a dog, is it reasonable to expect them to accommodate recovery when you do so anyway?


Well, that wasn't always the case. If they change the terms of service to disallow having a non-human account, that doesn't change the fact that it still exists. By the time I deleted my own personal facebook account, I hadn't used the dog account in years anyway. It only became an issue when the dog died. Also, I did nothing wrong to lock the account, it was their idiotic methods that caused the issue, not the fact that the account was actually for a dog.


> If the terms of service don’t allow you to create a Facebook account for a dog, is it reasonable to expect them to accommodate recovery when you do so anyway?

First, if the terms of service didn't have any exclusion against a dog then absolutely yes it's reasonable to expect them to accommodate recovery when you do so.

Second, if the terms of service explicitly state that you own anything then is it reasonable that they deny you your ownership? We're talking about HUMANS here. If a business states that you are not permitted to enter their building but you do so anyway, and in doing so you lost your wallet, then is it reasonable to expect them to return it to you? Yes it absofuckinglutely is. This is no different whatsoever.

Third, terms of services are not a contract because nobody reads them. A contract specifically requires that both parties understand and comprehend the terms of the contract. Websites provide services despite the fact that 99% of people do not understand the terms presented. You're deluding yourself if you think it's reasonable to think that everyone fully understands "Facebook is not a place for pictures of my dog".


Looks like it's to post pictures of the dog.

Why shouldn't one create an account for a dog?


Dogs are Facebook's least toxic posters.


On an unrelated thought, it used to be that on the internet nobody knew you were a dog...



Friends of mine have an IG account for their kitten, and they post in a form of a journal from the cat's perspective.

Might seem silly to some and only have two followers but they have fun and it doesn't harm anyone.


So they could be angry at people for not accepting friend requests from their dog.


Same happened to me except I didn't send any ID or pictures or anything. I just said I guess I'm done with FB, then got an email saying my account was unlocked about 2 months later.

I don't think FB actually has a fraud system outside of "wait a long time" so it's not worth it to hackers.


Realistically, we all know that when we sign up a Facebook account if we link it to an email address that is the easiest way to recover an account in the event of a forgotten password.

If you haven't logged into the account or the email address long enough that the email address domain expired, then that's poor planning and isn't necessarily a problem with Facebook. I'd say most of my online accounts that don't have 2FA would be difficult to reset passwords for if I lost access to my email account.

If I signed up to a Facebook account and put my dog's name on it, how would Facebook ever know who the human owner is?


Facebook allows pages for pets, but not user profiles.


People use FB as a photo backup service?


Yes, lots of people have at least some of their photos only stored on FB and have no backups, so FB ends up being their de facto "photo backup service".

Obviously you should routinely backup your data, yet here we are. Last year I noticed that most of the photo albums I shared on FB over the years just disappeared. They were not hidden by some app setting, nor temporarily unavailable, the data dump FB offers has no trace they even ever existed. The data was gone. I reported the issue but never got any answer. Thankfully I had the original photos on my old desktop. So when your data may randomly vanish, do backups, just my two cents.


It isn't a great backup service, but it is useful. Every day they give me a x years ago you shared - normally a picture of my kids doing something cute that I forgot about until then. Brings a big smile to my face.

You have to be careful how you use Facebook. I've gotten aggressive about blocking all from every single group and cute kitten post. Facebook is a great way to share pictures with my friends and family. For news, jokes, buying/selling, and learning about my hobbies it is useless (because the algorithm doesn't show me everything). As a rule, if it isn't something you wouldn't mark as personal information with limited distribution it shouldn't be on Facebook. (this also implies Facebook needs high security)


Recently my facebook was locked for "Suspicious activity". The only reset option was to reset by email, but I no longer had access to that email account (this is my failure, I knew I didn't, but never updated).

After a few days of trying filling out all sorts of weird forms on facebook that went most likely nowhere I came across an older reddit thread that says to try and go through Oculus.

Filled out a trouble ticket saying that when I tried to link my Oculus account with facebook that facebook had appeared to lock my account due to "Suspicious activity". They asked for my facebook information and for a picture of my Oculus' serial number or proof that it had been purchased and being shipped. Whoops, didn't have either. My friend on the other hand had a few and was gracious enough to send me his serial number, that did the trick.

Oculus said someone from facebook would be in contact within a week. That still hasn't happened (Been 6 weeks now). BUT, after approximately 3 days my account recovery options changed and I could choose 5 of my friends to unlock my account. Voilà, I was in.

Not sure if it was spamming some of the "unused" forms or going through Oculus. But if you are desperate a friend with an Oculus might just save you.


> Social media companies, meanwhile, juggle customer service and account security as they try to make sure fraudsters don’t abuse recovery tools to wrongfully gain access. Some of this could be solved with additional security checks,

This doesn't jibe well with:

> Getting in touch with a human is rare.

It needs to be easier to deal with a human.

But I understand why it's hard to get to a human. Having humans in the loop is expensive and doesn't scale when you have a user count measured in the billions.

But you know what else doesn't scale? Trying to get all of your users to understand basic account security. Not enough people are using password managers. Not enough people are using 2FA. Too many people are falling for phishing campaigns and responding to silly posts like "Your porn name is the name of your first pet and the street you grew up on" and giving away the answers to security questions.


This is why we need Self-Sovereign Identity (SSI), which is really a buzzword for the concept of 'A user should own and fully control their digital identity and digital content, which requires decentralized identifiers'.

SSI is an interesting approach that has been slow to build up steam, but there are a large number of people developing it. It has some bumps and warts to work out still, but overall I think it's a workable technology, and definitely better than what we have now.

For more information see https://en.wikipedia.org/wiki/Self-sovereign_identity and https://tykn.tech/self-sovereign-identity/


Microsoft is using Bitcoin's network at an attempt to solve this problem: https://identity.foundation/ion/.


From their FAQ: “Just like Sidetree ION is open source. Microsoft has been an important sustaining sponsor, but no more than that.”


Microsoft acquired U-Prove-It way back in 2008 [1]. I wonder if there is any connection between the U-Prove-It approach and ION. The linked article is from Kim Cameron's blog, and if you are interested in identity I highly recommend following his content.

[1] https://www.identityblog.com/?p=939


If you're designing an OAuth login system, it's important to consider what happens to your user when they are locked out by their provider and can no longer "Continue with Facebook" or "Continue with Google" to use your service.


The other day I wanted to switch Trello from "sign in with Google" to an email/password. The first step in the process was "To verify you before completing this action, please provide your Atlassian password". I don't have one, I'm signing in via Google...


My Spotify account was originally created using a Facebook link. I eventually switched over to an email/password before I deleted my Facebook account, but my Spotify account name is an annoyingly long gibberish hash value that I can't change (I assume it's something like a hashed value of my Facebook UID but I've never bothered to check).


My Spotify account created with a regular email has the weird hash username too. After updating the app it's a coin flip whether or not the UUID looking string is what I see displayed. I don't understand how they can make such a large and complex service but not get users' display names correct?


I specifically avoid using oauth to reduce the impact if google bans me for whatever reason.


I do the same with my personal accounts. With work accounts that use GSuite, though, I've been mostly using Google for SSO.

Expecting ordinary users to make these kinds of decisions is unrealistic.


Yeah, I don’t expect ordinary users to make that decision. But I have no ability to fix this stuff, so I just make decisions for myself in order to minimize unnecessary risks.


It's basically a single point of failure (SPOF) and with proper risk assessment, one ultimately concludes to use email/password whenever available.


Not really. Most of these services tie back to an account (most with an actual email address).

Should a SSO provider ever stop working, you simply "reset their password". Send them a message to validate ownership of the account, then ask them to set a password OR authenticate with a different SSO provider.

----

These are the types of threats engineers _love_ wasting time analyzing.


> Most of these services tie back to an account (most with an actual email address).

Indeed, that design helps address the problem. But it also has implications for signup flow as you now need an email — which is why I'm advocating that engineers "consider" the issue.

> These are the types of threats engineers _love_ wasting time analyzing.

Sheesh, where's that hostility coming from?
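
The fallback discussed in the comments above (a verified email on the account, used to set a password or link a different provider when the original one is unavailable), as an added example that is not part of any comment in this thread. The class and method names and the 15-minute token lifetime are assumptions; sending the email is left to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL = 15 * 60        # assumed policy: recovery links expire after 15 minutes
PBKDF2_ROUNDS = 600_000


@dataclass
class Account:
    email: str                                     # verified by us at signup, not owned by the IdP
    identities: set = field(default_factory=set)   # linked (provider, subject) pairs
    salt: Optional[bytes] = None
    password_hash: Optional[bytes] = None


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    """Hypothetical in-memory store: SSO login plus an email-based way back in."""

    def __init__(self, clock=time.time):
        self.accounts = {}      # email -> Account
        self.by_identity = {}   # (provider, subject) -> email
        self.recovery = {}      # sha256(token) -> (email, expires_at)
        self.clock = clock

    def signup_with_sso(self, provider, subject, verified_email):
        # Refuse to attach a new identity to an existing account here:
        # linking is only allowed through a redeemed recovery token.
        if verified_email in self.accounts or (provider, subject) in self.by_identity:
            raise ValueError("account or identity already exists")
        acct = Account(verified_email, {(provider, subject)})
        self.accounts[verified_email] = acct
        self.by_identity[(provider, subject)] = verified_email
        return acct

    def login_sso(self, provider, subject):
        email = self.by_identity.get((provider, subject))
        return self.accounts.get(email) if email else None

    def login_password(self, email, password):
        acct = self.accounts.get(email)
        if acct is None or acct.password_hash is None:
            return False
        candidate = _hash_password(password, acct.salt)
        return hmac.compare_digest(acct.password_hash, candidate)

    def start_recovery(self, email):
        # Returns the token to be emailed, or None. The caller should show
        # the same response in both cases so addresses cannot be enumerated.
        if email not in self.accounts:
            return None
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()   # store only the hash
        self.recovery[digest] = (email, self.clock() + TOKEN_TTL)
        return token

    def _redeem(self, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.recovery.pop(digest, None)               # pop makes it single-use
        if entry is None or self.clock() > entry[1]:
            return None
        return self.accounts[entry[0]]

    def recover_with_password(self, token, new_password):
        acct = self._redeem(token)
        if acct is None:
            return False
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _hash_password(new_password, acct.salt)
        return True

    def recover_with_provider(self, token, provider, subject):
        acct = self._redeem(token)
        if acct is None or (provider, subject) in self.by_identity:
            return False
        acct.identities.add((provider, subject))
        self.by_identity[(provider, subject)] = acct.email
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.signup_with_sso("facebook", "fb-123", "user@example.test")  # constructed sample data
    token = store.start_recovery("user@example.test")
    print("linked second provider:", store.recover_with_provider(token, "google", "g-9"))
```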


It’s not a nightmare, it’s impossible. Source, a sobbing wife who lost 15+ years of photos. Thankfully I have most of the important ones stored elsewhere.

Apparently for her and her friends Facebook was the “safe” place to store photos.

Only 20 minutes after she got an email saying new login and it was too late. They had changed recovery info and no way to change it back. Only thing we accomplished was disabling the account.

Almost all of her friends have lost their accounts.


My key takeaway from the Facebook "whistle-blower" is how lax Facebook's internal security is. Many have pointed out that Frances Haugen was essentially a nobody within the organization. A mid-level employee who didn't make key decisions or have particularly privileged account-level access. She said herself that ANY employee could have copied the same documents she did.

If Facebook is that lax with their own internal documents then I have to assume that their user account security is no better than at any company I've worked for as a software developer - which is to say completely non-existent.

As far as I'm concerned, anyone who uses Facebook, Instagram, WhatsApp or any other FB-owned company is as good as making all their information, including DMs, public.


That's a really dumb takeaway. What does the openness of documents like that within the company possibly have to do with the company's security? How do you even connect those two? Your theory is that a company that chooses to be open among employees and not lock down simple research documents somehow must be bad at security?


You're dropping context.

Frances Haugen is being dubbed a "whistle-blower." The documents that she leaked have been damaging to the company. In addition to that, she said that she was expecting IT to flag her account activity and ask her what she was doing, but it never happened. So Frances herself described the access control policies as lax.

Security begins with risk assessment. You identify your assets and how they may be vulnerable. You then model your security protocols in accordance.

In my experience, this is almost never done. The typical approach to security is reactive, not proactive. And when proactive approaches are done, it is usually done with an eye towards covering the company's ass rather than giving the slightest concern to the interests of their users.

That's how I arrive at my conclusion. If Facebook takes such a lax approach to their own internal security that means they likely have a perimeter approach to security, rather than a layered one. They may try to block attacks coming from without but have little measures in place with regards to segregating, isolating and restricting once within.

All of this is speculative of course. Facebook might be the one single example of a company that actually takes some serious measures to protect their users' data while not being as concerned with their own internal data. I suppose such a unicorn is plausible. I just don't consider it very likely. I've never seen it happen once in my 25 years of industry experience.


The anecdata mentioned, that all the software companies they have worked for have poor internal security struck a chord with me even if it can be argued it's just anecdata. And if you look at facebook's checkered history of security it's not a good track record. Or how about the fact that you can still to this day post public links to private photos?


I don't have an Oculus Quest 2 but have heard good things about it. But I can't get one because my Facebook account was shut down without explanation in 2019. Despite its age (15 years) I barely used it, let alone for anything "controversial", but did regularly log into it. I repeatedly tried to verify my identity by submitting an image of my driver's license, without any response.

If a Facebook employee is reading this ... I don't want to create a fake new Facebook account (which would be against the TOS, anyway). I want my own back.


Just create a damn account. I don't think their TOS would cover people locked out of their account by facebook's fault.


I lost my instagram account twice. No explanation. Just they were closed for 'security issues' - I sent over 10 emails with personal pictures asking FB to revert that decisions. Nothing, not even a reply.

Seriously, I am out. I didn't even bother to open a new one.



I’m out. I’m currently running facebook-delete to completely purge my account of all content. After a couple of weeks, I’ll deactivate it. After a couple more, I’m deleting it. I want nothing more to do with that company in any way.

Before someone brings up Oculus: I don’t care. It’s dead to me. Any technology that requires me to have a FB account might as well not exist in my world.

(BTW, `facebook-delete -rateLimit 40000`, ie a 40 second wait between actions, is what it finally took to run without hitting rate limits and stopping after removing a few actions. I’m leaving it running in tmux until it’s finished.)


I did the account nuke a few months ago. Felt great.

The only social media accounts I still have are twitter (locked down account, never post, use it to follow a few local businesses and local public figures), HN, and Reddit.

I'm also getting pretty close to pulling the plug on Reddit, the site feels somehow even more toxic and polarized than it did years ago. Although, that's probably also partially a function of me growing up and maturing.


Depending on what you mean by a few years ago (perhaps five?), you might just need to re-curate your subs. Communities hit big problems once they get too big that are fundamentally hard to manage. Drop your big communities and try to find the replacement that's much smaller.


I used to be really active on Twitter but now keep it around mainly to shame bad customer service. I definitely wouldn’t follow me anymore.

I’m really torn on Reddit. It still has lots of good communities, but it’s so easy to pop over to something mean-spirited to get a little “I’m a superior person!” endorphin rush. I don’t need that in my life.

I still have and enjoy a Mastodon account. It feels like Twitter, but more chaotic in a good way, and with people being on the whole much nicer to each other.


I've been wanting to delete Facebook for years but my partner convinced me to keep it - but now I haven't even logged in in a year and nobody noticed, so I feel like I can get away with it now!

Reddit and Twitter I already nuked last year. Trying to think of other things I can go and delete now, as it's quite cathartic.


IMO, the increased toxicity of Reddit is due to user base growth. Much worse content used to be openly allowable on Reddit, but the users who posted that stuff were more content to stay in their hate holes and leave the rest of the site alone.

Unfortunately, even the small subs that are just as good as the Reddit of old still have a time bomb of when the subscriber base grows to the point that the mods can’t stop the user base from spamming irrelevant IRL political discussion in the comments.


Using a third party app like Infinity for Reddit lets me subscribe to subreddits anonymously.

Reddit has been read-only for me since the Digg migration so I lose nothing and give nothing.


Not to mention the speech policing going on in Reddit... it's basically useless now since you can't say what you think.


Is there any proof that "deleting" something on Facebook does anything other than set a flag along the lines of "doNotShow"?


The last published DPC audit found that it does [1]. There's really no reason to subject themselves to huge fines and lie about it when an insignificant fraction of facebook users delete anything.

[1] https://web.archive.org/web/20171218060100/https://www.datap...


Anecdotally, from a few folks I know who work there, it does get completely deleted after a month or two, I believe. Like you said, between GDPR, the FTC settlement and just general bad press, they actually take deleting data pretty seriously.


I am skeptical. The reason is because I worked for a bank that had a policy of deleting data after 7+ years. The thing is, a number of database tables were just simply removed from the index but still existed and if you knew the name of the table you could continue accessing them. Likewise, all the tape backups continued to exist, they weren't shredded and this was proven when someone in IT somewhere screwed up and restored my team's network drive with an image from 10+ years ago. It was interesting poking around to see what files were on it from before anyone on the current team was a member, but that shouldn't have happened. So, if a multi-national bank was acting this way, why would FB be any different? They are so large now, fines are just background noise and they have to be caught to be fined.


> So, if a multi-national bank was acting this way, why would FB be any different?

I don't think this supports the argument.


Not that I know of, although CCPA may have something to say about that. However, I think of it like symbolically crushing a final pack of cigarettes. It's a turning point. Even if FB retains my old data, it's almost certain that I can't personally restore it. If I ever get tempted to go back, that takes away a lot of the motivation: why would I start over today with a blank Facebook account?


I would like to know too, but how does one prove that?


Not doing so would be quite risky from GDPR perspective.


But they already breach the GDPR on so many levels.


Is there any other benefit in having account deleted vs just an inactive account(default case for the majority)? They don't stop tracking you based on whether you are logged in or not.


I would imagine if enough people made that choice it would eventually come up in a shareholder meeting as it would affect their active number of users. I'm not sure how they report this if you just don't use your account for a long period of time.


I wish I took the scorched-earth approach to deleting my FB account as well as trusting GDPR.

But there's still whatsapp and that now plugs into FB, and there's no longer an evolution to SMS and MMS, a way to message purely by having a phone number, no matter what account you have.

You can't opt out of this except by going totally off the grid.


Where do I find ‘facebook-delete’? Googling didn’t yield anything obvious.


I assume it's this. https://github.com/marcelja/facebook-delete

Found with Googling. ;-)


That's the one.


I had a very recent experience like this where my father was locked out of his account suddenly across all devices. Me living over 4 hours away makes it difficult to try and understand what has been happening and coach him through it.

After some discussion he told me that he did receive an email from Facebook saying that his password had changed, but the email didn't have a link to say "this wasn't me" to allow him to revert it.

I would then go through Facebook's account recovery processes on his behalf and it wouldn't recognise any of his email accounts as having been linked to that account. Despite it clearly being the email address associated, which led me to think that someone had changed his primary email address on the account, something that again he didn't receive an email about, if this was the case.

I have tried almost all avenues, using his mobile number as an identifier, using his email addresses. It then says if these methods don't work, try finding the account using their name, so I found his account using his name and it simply keeps asking for his password with no other recovery options.

I am honestly shocked that I can get into the account. It's almost like Facebook has disassociated his account with any of his normal identifiers like mobile number and email address. Leaving us with no way of being able to recover the account without someone at FB verifying his identity and flicking a switch on their end.


Of course; we own have experienced this already! Some of my friends create new accounts - I have friends with 5+ profiles! And this is very convenient for Facebook as they report "new" signups! Unfortunately, it makes their content less valuable. For example, tagged photos, comments, etc. is now spanned thru more than one profile. I've been restricted multiple times and their pages to dispute give me a generic error every time I try - this is on purpose, too.


I ended up in the fun position of not being able to get into my Facebook account, and the only recovery options were 'text a number you haven't used in years, or ask this random selection of people you no longer have contact with to confirm you are you'.

It turned out logging into Spotify somehow re-enabled my access - my only guess is because I had a Spotify account before they were under the Zuck umbrella it somehow grandfathered me in.


Spotify?


Yep - I guess they are linked to Facebook, so getting into one unlocked the other one?

Didn't really make much sense, but I was very glad to get back into my account to chat to some old friends mid-pandemic


There is (or was) a feature between online services including Facebook, GitHub and others where you could link your accounts for recovery purposes.


I'm thinking there must be a physical open door somewhere in Eastern or Southern Europe, which malicious individuals can just walk in and vandalize accounts. It's happening too often with too much ease and adversaries don't look or sound geniuses like Feynman brought up wrong.


The really creepy thing for me is that I've never had a facebook account, but I do have a very early gmail address.

I started getting emails asking me why I hadn't been logging into facebook lately. I ignored them the way one ignores any such spam. Then over the years they got more specific. I got one of those do you know so-and-so emails for a person I'd only ever spent a single evening with. That creeped me out to the point that I password reset the account for my email that I never created and deleted it. Does that make me a hacker?


The major reason, I have an account isn't so that someone could impersonate me there, they could support the impersonator. And leave me hanging, if things turn out bad.


My IG account was stolen (no change email notification)... I had 2 factor on the email and IG and there is no way for me to even follow up on it...



