Getting hacked

My father-in-law, M, had his Facebook account hacked recently. I don't know how it happened. My guess is that he reused a password that was leaked in a data breach, somewhere. Anyway the account was taken over by someone in Nigeria and promptly started spamming Bitcoin coaching services.

The posts were surprisingly sophisticated. One included a faked screenshot of the lock screen of his phone, with a bunch of notifications indicating that vast sums of sterling had been deposited into his Barclays account. M doesn't have a Barclays account, but his Facebook friends don't know that. As far as his friends know, he's just purchased a brand-new Audi with the earnings from trading Bitcoin under the tutelage of an Instagram account with an AI-generated avatar.

Getting the account back was surprisingly convoluted, and at no point involved another human from the support team at Facebook, with whom there appears to be basically zero recourse. The email address, phone number, and password on the account had all been changed, but Facebook allowed me to log in with a previous email+password combination and removed the attacker's email+password from the account. This is a great feature, but it doesn't prevent the attacker from using it the exact same way to take control back. The key to holding on to the account after a email+password reset was to quickly enable two-factor authentication. After that, I signed out all other locations and removed the various connected devices—mostly out-of-date iPhones located in Nigeria and Singapore—and accounts (his Instagram account, alas, remains hacked).

We got a bunch of failed login notifications shortly thereafter, presumably as the attacker tried to get the account back—but no new successful logins. It's been a few days now and he remains in control of his Facebook account. This feels like a rare success.