Wendy Spinner joined Facebook in 2009 to stay in touch with family, friends and co-workers.
She got that. But she also got an invasion of privacy that she calls a nightmare.
In January, Spinner’s Facebook contacts said they received messages from someone who was impersonating Spinner.
The person asked them to send money, she said.
Spinner said she knew she had been hacked.
“I reported the impersonation and hacking of my account to the Facebook Help Centre,” Spinner said. “Facebook instructed me to change my password and email address which are connected to my Facebook account.”
But two minutes after she made those changes, the hacker somehow gained access, changing her password and email address to their own.
This happened again and again and went on for weeks, Spinner said. Despite multiple efforts to get help from Facebook, the social media giant didn’t intervene, she said.
Then the hacker got into her Instagram account — Instagram is owned by Facebook — changing the account name and switching her profile photo.
In the weeks that followed, Spinner said she received multiple security alerts from Facebook saying someone was trying to change the information for the account, but efforts to get help went unanswered.
She asked her cell phone carrier for help. They suggested she delete her Facebook and Instagram apps, then reinstall them and create new accounts. She did it, this time using two-factor authentication on the accounts. More on that in a moment.
“I thought this nightmare was over,” she said.
Then Spinner said she received a threat.
On March 20 at 3am, the hacker texted her, saying they had her phone number.
The hacker demanded US$300 (RM1234). Otherwise, her private photos would be posted online. These were not Facebook photos, though, but ones she exchanged over WhatsApp, which is also owned by Facebook. She refused to pay.
By morning, many of her friends also received demands for money, the hacker holding the photos hostage.
Spinner said she again reached out to Facebook. No answers.
At the end of March, she wrote an email to Facebook head Mark Zuckerberg. There was no response.
“I never in a million years would have thought that someone would hack my Facebook account to this level, of making me feel scared and not being able to sleep or be at peace because these individuals were relentless and focused on shredding my sense of security and making me feel helpless,” she said.
She filed complaints with Newark police, the Federal Trade Commission and the FBI’s Internet Crime Complaint Centre (IC3).
Spinner said she doesn’t know if it’s linked to the social media hack, but on April 6 she learned someone had filed for unemployment benefits in her name. She’s not unemployed.
Frustrated, she contacted Bamboozled so she could help to warn others.
After reviewing screenshots of the hacking, we reached out to Facebook for comment. It didn’t respond.
So we enlisted Mitch Feather, a cybersecurity expert with Creative Associates in Madison, to review what happened to Spinner.
He said it’s impossible to know how Spinner’s accounts were compromised without a full cyber-forensic investigation.
In the case where the passwords were stolen over and over again, it’s possible the hacker used a keylogger, which is software that copies all of your keystrokes, records that information and sends it on to the hacker.
These can be installed if you click on a malicious link or if you open an infected email attachment, Feather said.
Then there are rootkits.
“They burrow very deep into your computing device’s architecture and, being in that area, have very powerful, frequently invisible, control over the device,” he said, noting they can be hard to detect and remove.
So how can you protect yourself?
Start with two-factor authentication.
Feather said two-factor authentication is pretty straightforward. In most cases, you log in with your user name and password, and then you receive a one-time code that could come by text or an email.
“Do these really help secure the account? It is better than no two-factor authentication,” he said.
You should also never use web browser features that store your usernames, passwords, credit card numbers and other private information, Feather said.
“If your computer, smartphone or tablet is compromised, all the bad actor has to do is go into your browser to retrieve all of that valuable information,” he said.
Also consider using browsing protection applications, he said. These will warn you when you’re heading to a potentially risky web page.
But even if you take all these steps, you’re not going to be completely safe, Feather said.
“Somewhere else out there in the world is your information – in a company’s network or cloud, or in the case of social media, in friends’ computing devices,” he said. “Those are targets also.”
Feather recommends you stop and think before you open an attachment or click on a link.
“Ultimately, you as the end-user, represent not only the single greatest risk to yourself but also the single most powerful tool to protect your computer, smartphone, tablet and yourself,” he said.
Spinner’s account is now secure, but she’s still uncomfortable with what happened.
“I learned a valuable lesson that certain corporations do not care about the average citizen,” she said, calling her private information precious.
She said she wants others not to feel paralysed if this ever happens to them. Instead, she says you should be proactive.
“You must notify Facebook, police in your town, the Federal Trade Commission and the FBI,” Spinner said.
“You cannot let (hackers) believe that they are invincible or untouchable. This was a long, hard journey. You must stay strong and fight back. Pray to God to give you the ability to fight.” – NJAdvanceMedia/TNS