Part One:
It all happened at the worst possible time: my wife and our newborn baby girl had returned from the hospital about a week earlier, and we went to visit her parents in South Czechia for the weekend. It had already been a pretty intense week with everything around the newborn, and I was glad we would get some help.
On that early February Sunday afternoon, I briefly checked my iPhone notifications in between learning parenting on the fly. I noticed there was a Facebook friend request, and when I opened the Facebook app, some strange guy was asking to become my friend. I declined. I went back to my girls and didn't pay any more attention to it. It wasn't the first time I'd had a weird friend request anyway.
Later that day, at around 10 pm, while I was cleaning baby bottles, I checked the Facebook app again. A message that I was temporarily restricted from tagging was the first thing that popped up at me. All I could do was appeal, which I did immediately; in the message I wrote that I wasn't sure why I was restricted in the first place.
Then I noticed some new emails had arrived, and I knew it was not good. The first email, which arrived at the personal iCloud address I had set as a recovery email on Facebook for the past few years, stated that someone was trying to reset my password.
Someone is trying to reset my password. F#*k.
Another email said that the password had been successfully reset and showed an activity log with an IP from Manchester, UK, on a Windows PC.
I opened the Facebook app, which was already logged out by then, and went on to reset my password. I used to have several options for resetting my password on Facebook, but now there was only one: to send a link to the email address alanisko@alanisko.net.
Now, the story is this:
I owned the domain alanisko.net a long time ago, for a few years, before I switched to the current one, alanisko.co.uk.
As it turned out, I also used the email address alanisko@alanisko.net back then, and I had probably used that email to register my Facebook account back in June 2004. Yes, 17 years ago.
Obviously, I changed my email address a few times during those years, and I always updated my Facebook recovery options with my current email and phone number. For nostalgic reasons, or maybe I just forgot, I never removed alanisko@alanisko.net and left it there among the other, more recent recovery options. It was stupid, I know that now.
Unfortunately, all my more recent recovery options were now gone, and the only way to recover my Facebook account was to send a recovery email to an address I no longer had access to.
My second option, if I couldn't access the recovery email, was to create a new Facebook account... no support chat or email, just a simple message that they were sorry. After 17 years of feeding that network with content.
So that is it... that is the end.
As I couldn't recover access to my account, I started to think about why on earth someone would hack my personal Facebook account. It didn't make sense at first. Why were all my other recovery options deleted, and why was the only one left the one I couldn't access anymore?
Why
I didn't think my personal Facebook account, with around 800+ friends, was something anyone would be interested in hacking.
Then I thought that maybe someone was trying to get through Facebook to my Instagram account, which, with currently 72k followers, might be a better deal. So I went to the Instagram app and changed my password there just in case. I already had two-factor authentication turned on on Instagram.
Then I went back to the Facebook app and tried to block my account, hoping that I had managed it and that neither I nor the attacker would have access anymore. I had also been using Login with Facebook on many web pages and services, probably hundreds of them since Facebook introduced that feature, and that worried me a lot too. The attackers could try to access other things as well.
How
When I started to think about how they did it, I already knew that someone had changed my password and removed all my recovery emails except the one I no longer had access to. I was 100% sure that I had not clicked on any links or suspicious messages. It was really strange that the attackers had not removed my alanisko.net recovery email, as they usually do in cases like this, and replaced it with a fake one.
So I went to Whois.com to check whether and when the alanisko.net domain had been registered, and I knew I was on the right track when I saw that it had been purchased that very day through godaddy.com. It was a direct attack on me for sure. I was a GoDaddy customer and still use their services for some of my domains. I went on their support chat and tried to explain what had happened. The support lady was nice and seemed to understand that it certainly was a hack; however, she told me I needed to send an email to a certain address and they would get back to me within 72 hours. I didn't have many options, so I emailed the whole story to the address provided.
That was it. I knew it was a targeted attack on me, but I could not do anything about it.
Well, there was one last option: I have a good friend, Craig from Dublin, who actually works for Facebook. So I sent him a message on Instagram describing the whole story again and the facts I knew, with a cry for help, and went to sleep.
On Monday afternoon I got a message from Craig saying he would try to submit an internal ticket and we would see.
A few hours later he messaged me back asking for a virgin email address never used on Facebook, and I received a link with a password reset on it.
Hurray, I’m saved.
I went through the recovery process, where you have to check and confirm details like your last posts, posted pictures, recently added friends, etc.
It was all mine, as I had really blocked the account that evening so the attacker couldn't post anything, except for the two weirdos in my friend list that I had never added. I removed them and reported the names to Craig. I believe Facebook then deleted those accounts.
I couldn't thank Craig enough. I asked him what he thought about the hack, and he mentioned that they deal with a lot of hacked accounts these days, big and small. When I asked how one can protect oneself, he mentioned two-factor authentication, but not the SMS kind. That can easily be hacked when the attacker clones the SIM card with your number, so it is much better to use an authenticator app that generates a unique string of numbers every few seconds.
So, that was it. I was back and had my account under control again. Well, at least I thought so.
Lessons learned so far.
Never register for a new app or service with an email address on a custom domain unless you are sure you will keep that domain, and the mailbox on it, for the life of the account. A lapsed domain can be bought by anyone, and whoever owns it receives your recovery mail. Audit the recovery emails and phone numbers on your important accounts from time to time and remove anything you no longer control.
Two-factor authentication is a must-have, using an authenticator app, not SMS codes.
Privacy is a big issue. We are all being tracked all the time. On another good friend's recommendation I downloaded an app called Jumbo, as iOS 14.5 with its privacy controls was still months away. Jumbo also works as an authenticator.
I knew there are trackers in apps, and I use a lot of apps. But I was still surprised by the number of trackers that Jumbo found and stopped.
Part Two:
Two weeks later, again on a Sunday by coincidence, I woke up slightly after 8:30, and as soon as I reached for my phone I knew something was wrong.
There were several notifications from my bank app about outgoing payments from my bank account.
Shit, that is not good.
There were eight payments, each for 50 USD; some of them were declined but some went through, so I immediately opened the bank app to investigate.
Unfortunately, it was true: a few payments had gone through. They were marked as PayPal-authorised payments for Facebook advertising. I called the bank immediately, blocked the card associated with my PayPal account and ordered a replacement. Kudos to my bank and Apple for letting me use the new card immediately through Apple Pay before the physical card arrived.
I never use my real bank card for paying online; I always use a virtual one or PayPal. PayPal is also the only form of payment set up in my Facebook account, which I used to pay for advertising on Instagram and Facebook. PayPal processed those transactions because they looked like legitimate payments for advertising, as many times before.
It was certainly strange, as the last time I had run Facebook advertising and paid for it was the previous summer.
I checked the Facebook Ads app, where you manage your advertising, and there was an ad still running for some Vietnamese page that I have nothing to do with, paid for from my ad account.
That ad was targeted at women aged 22-50 from Vietnam and the Czech Republic, with a budget of 1000 US dollars. And boy, that ad was running really well; people were clicking on it a lot. You can check the stats below.
So I knew that Facebook hadn't restored all access and these guys were somehow still hooked into my ad account. I took a few screenshots and wrote to Craig once again. He created another internal ticket; this time it took a few days, and I got full access to the advertising account and my money back.
It is crazy to think what would have happened if I didn't know Craig and, let's say, had used a credit card for advertising on Facebook directly. I would not only have lost the account completely, with no option for recovery, but also a thousand bucks on top of that. I can't thank you enough, mate.
I asked a Vietnamese guy at the local grocery shop to translate what the ad was about, and he said it was girls' clothes for sale.
I may be paranoid, and maybe it was just an accident and some hacker got lucky, but the more I think about it, the less it looks like a pure accident. I was travelling around Vietnam less than two years ago for a few weeks. We started from Ho Chi Minh City and went northwards and back. I bought a local SIM card on arrival and mostly used that to connect; however, there were times when we connected to hotel WiFi, or in an Airbnb or on a train. I also used apps like Swarm and Foursquare to check in to places and leave tips for other travellers. So I had created a pretty damn good digital trace of my trip around Vietnam. To me, it all points to someone seeing my digital trace, trying, and getting lucky through my old domain.
I'm not gonna judge you if you're still using a piece of paper with handwritten passwords; just be aware that there are people out there. You might think you're not going to be the next target, that you are safe, and why on earth would someone hack you. Well, it's all about the money... and there is always someone who has the time and skills needed but no money, and on the other side people with money and a false feeling of safety.
I'm now using two-factor authentication with authenticator apps for all social media and other services.
For that purpose I use Jumbo, which I mentioned earlier, and also the Google and Microsoft Authenticator apps.
Mainly, I have removed all of my Login with Facebook connections, and there were hundreds of them, and switched everything that still matters to me to Sign in with Apple.
I'm not using my main credit card for PayPal anymore; I use a virtual card instead, which I can top up with just the amount needed for a particular payment.
It's a crazy world we live in, and it is better to be protected than sorry. All of this made me think again about what content I share online, and where.