Hot potatoes: Meta staff and contractors have had access to an internal system for recovering user accounts for a while now. The deployment of this tool has grown exponentially over the past few years, which has given more users permissions. Now, the company appears to be cracking down on access. One of the reasons could be misuse within Facebook customer service.
The Wall Street Journal reports that anonymous sources claim Meta has fired or disciplined more than two dozen employees and contractors for improper takeover of user accounts over the past year. In some cases, hackers have bribed people with access to the account.
When most people think of account hijacking, they likely imagine hackers using tactics like phishing, malware, and social engineering. However, another method involves bribing employees or contractors to hijack target accounts.
Some incidents involved employees or contractors, including security guards, helping friends or family members restore their Facebook or Instagram accounts after Meta’s customer service proved unhelpful. Furthermore, some individuals retained direct or indirect access to internal Meta tools after leaving the company, which they used to access user accounts.
In one example, a security contractor launched by Meta in 2021 allegedly helped others hack Instagram accounts after he left the company. The former contractor claims to have only helped about 20 friends and family members regain access to their locked profiles. Meta banned him from Facebook and Instagram and charged him with violating the federal Computer Fraud and Abuse Act.
Brokers also took money from customers to help hijack or recover accounts using connections to employees, which is against Meta’s terms of service. The Orange County model paid the moderator $7,000 to recover her Instagram account and its 650,000 followers.
At the heart of the problem is a profiling tool called Online Operations (ironically, it’s shortened to Oops). Oops is meant to be an account recovery mechanism of last resort and is not intended for Facebook and Instagram accounts. Meta intends Oops to be used only to assist public figures, celebrities, business associates, or friends and family of employees.
Employees submit a report by entering an email address associated with the reset account, then selecting the respective account holder. The system then passes the request on to the Meta support team, which deals with it on a case by case basis.
Oops usage has swelled as Meta’s workforce has grown. Between 2017 and 2020, the number of Oops tasks doubled, from 22,000 to 50,270. Meta seems to oscillate on the situation, if the sources are correct.