Banned.

I was banned permanently, without recourse, because of a security flaw in Facebook’s 2FA system. This is my story.

3/10/23 Update: At some point, I’ve been un-banned from WhatsApp! No idea when or how, I just opened WhatsApp today to show somebody the error message, and voila, it said my account was enabled and had me answer a few questions (phone number, email, etc type stuff), and now it works. This is a huge help.

1/29/23 Update: Some new developments for the good, and some for the very very bad are posted at the bottom.

In November of 2022, I was banned permanently from all Meta products – Facebook, Messenger, Instagram, and WhatsApp most importantly. Not only were my personal accounts banned, but my business Facebook page is now orphaned with no admin, and my business Instagram was deleted. Meta has given me no way to resolve the issue and if you are reading this I remain banned. Here’s how it happened.

November 8th, 2022 was a normal Tuesday. I went to work, I posted a photo on my business Instagram for work we were doing, and I chatted with a dozen people on Messenger. In particular, I was chatting with my ex and my son about his upcoming trip to visit me for Thanksgiving. I had booked him a flight and I sent them the details of the flight to add to their calendar. I had dinner with my family at home, watched some TV, and went to bed around 11pm.

The next morning I woke up to a text message from my ex. “Hey, what happened to your Facebook?”. Uh, nothing, I thought. I went to the Facebook app on my phone and couldn’t log in. How strange. I then went to my email, and saw this:

Recovery Code Request

At 1:10am Facebook sent out this notification email with an account recovery code. I, obviously since I was sleeping, didn’t initiate this. I then noticed another two emails:

Login Alert
Action required

At 3:22am somebody accessed my Facebook account, and at 3:25am I was sent an email that my account had been disabled. Of particular note here I had 2 Factor Authentication turned on and set to use the Google Authenticator app, not SMS nor email, yet Facebook somehow allowed somebody in without the 2FA being done. The most likely scenario is that my email password was compromised and there’s a backdoor to disable 2FA after doing a password reset request which is a huge security flaw that shouldn’t exist. There should be no situation where, even with access to my email, Facebook should have allowed a login to bypass the authenticator app.

As I’ve been accused of being a victim of phishing, please do note the order of operations here – I had first tried to use the app and was locked out, and only then went to my email. I had received all 3 emails before interacting with any of them. I was called names for not noticing that the domain is “facebookmail.com” rather than facebook.com; however, Facebook’s own help articles clarify that this is a valid domain.

Original page here:
https://www.facebook.com/help/1634546593478660/?helpref=uf_share

Obviously, I hit the “disagree with decision” button there. I was brought to a page that asked me to confirm my identity by uploading a photo of my driver’s license which I did immediately, and received the following:

7:50am Reviewing Information

Facebook sent an automated reply that they would review the situation and get back to me. A few hours later I received this:

Ya Boned Mate

That’s it, done, finito, gone. I searched high and wide for further contact methods. For a way to talk to a human. There is none. At all. I eventually was able to find a page in their help that allowed me to submit a dispute, however, after filling out the form and clicking submit I saw this:

They fired everybody

To make matters worse I soon realized that not only had my personal Instagram been simply deleted (not disabled), but also my business Instagram account is gone. GONE. Similarly, there is no contact mechanism for Instagram. That’s it, gone. My business relies heavily on promotion from Instagram, as does most of my industry. The account had been active since 2014 with hundreds of photos and videos showcasing projects we were involved in. GONE.

As for my business Facebook page, it still exists. However, I was the only admin. There are two other people who have permissions to post, but nobody can add new users, and neither of those people are in a position to post to the page for me so the place is now a ghost town. At least it still exists I guess. If you learn one lesson from this as a business owner it should be to have a backup admin – a friend or colleague you can trust, a parent, a child, SOMEBODY who can have full admin control to be able to add and remove users.

But what about WhatsApp? Oh yeah, that too. More than a month after this fiasco I was using WhatsApp to talk to overseas business contacts and in the middle of a conversation it logged me out. Upon attempting to log in I see this:

WhatsApp too.

So there it is, a complete trifecta of business resources destroyed. Messenger chat history is gone, friends and contacts that I don’t even have phone numbers for are gone, and don’t even have a way to know that I’m alive until I hopefully run into them at work functions this year.

What’s next? Well, you’d think I could just use a different email and create a new identity on Facebook and simply start over. Nope. I tried, and I shared zero contact information with my prior account, but after 4 days that account was banned for being a duplicate account to my other banned account. That’s it. In the eyes of Meta I don’t exist any longer. The thousands of dollars I paid for adverts for my business don’t matter, and they don’t want more of them. There’s simply no recourse here unless this story finds its way to somebody who chooses to take action.

I’m not the only one, either. It appears that a rash of this occurred in the months before and since. I’ve found other blogs about it, and I’ve mentioned it to friends who have told me “oh yeah, the same thing happened to x person I know”. Maybe, just maybe, somebody at Meta will see this and these people can be helped.

1/29/23 Updates: Someone at Meta reached out to me on Reddit, but I didn’t trust they were who they said so he followed up on LinkedIn and appears to be who he says he is. He’s not in a position himself to take any direct action, but he has forwarded some info on to “the right team” and who knows, maybe something will come of it.

In other news, I’ve discovered a new level of this hell. Because I used Facebook as a login service for my account with the DMV I am now unable to pay my vehicle taxes nor renew my registration/tags online. Obviously, I can do this in person, but who wants to GO to the DMV? Not I, that’s for sure.

Can’t login
Can’t reset password

Please share your experience in the comments! Any useful links, other stories, and relevant posts will get added to the link below.

Others:

https://www.nj.com/news/2022/09/womans-facebook-was-hacked-and-disabled-her-instagram-too-why-is-meta-doing-to-fix-it.html

https://perfectionhangover.com/facebook-disabled-deactivated-my-account/ – Check out the comments on this one with many many people having this happen!

https://emilycordes.com/facebook/ – This one actually got fixed after gaining enough traction to reach somebody at Facebook who could fix the issue!

This Reddit post says they were able to fix it! Maybe there’s hope? https://www.reddit.com/r/facebook/comments/10hjdt2/i_got_my_facebook_back_after_being_suspended_for/

Dozens upon dozens of people have taken to Google Maps reviews to try to tell similar stories:
https://g.co/kgs/1XqZeA

Comments

25 responses to “Banned.”

  1. Alex

    Happened to me not that long ago now, similar emails and circumstances, so called reviewed but I got an immediate response back saying they upheld their original decision! I have memories from since Facebook started, so well over 15 years of my kids, my father, who is now deceased, groups I belonged to, friends from school, crafting friends, etc etc

    I am beyond gutted that an organisation can let this happen and have these so called protections in place, – well they don’t and allowed someone to hack me through my small business page from a phone I don’t own in Newcastle, UK, where I don’t live!

    I set up a new account, over a few weeks ago, and this got suspended today, and I have appealed this one expecting the same, but this time I got asked to do a video, to prove I wasn’t a bot, and it consisted of me moving my head from left to right!!! So we will see

    But I have messages on messenger from family/friends re my upcoming wedding next year etc and these are all gone!! Angry doesn’t even come close to what Facebook have been allowed to do!!!

  2. Jess

    Was anyone ever able to recover their accounts? Should I give up trying to recover it?

    1. jcforbes

      I still haven’t gotten anywhere.

  3. M

    The first emails you received were from “facebookmail.com” NOT facebook.com. They were phishing emails and when you clicked on the “disagree with decision” link, that allowed them backdoor access to hack your account. At that point whoever hacked into your account got it banned somehow.

    1. jcforbes

      That’s incorrect. The first thing I did was go to the Facebook app and could not log in; the account was already banned. I only read the emails after I had already been to the app and to the website. I literally hadn’t even opened my mail app.

  4. Scott

    Almost exactly the same thing happened to me on 2/9/2023. It’s the same pattern I’ve seen all over – the account (despite a strong password) was hacked for a few minutes and someone changed the profile pic to an ISIS flag.

    Hang out in LinkedIn comment threads on Meta posts and you’ll see this is actively happening to many business owners. They do absolutely nothing to address it.

    I did manage to recover my last ad purchase. I’d paid through PayPal and I opened a dispute there. Because Meta didn’t respond at all, I won the dispute by default.

    I’d suggest clawing back all you can. They’re doing this because it’s cheaper than fixing the problem. Let’s change the economics. Contact your local news, see if they’ll run a story. Complain to the attorney general. If you’re a California resident, try to get a privacy report under the CCPA and when they ignore you (as they will) report them to the state.

    I’m going to try sending DMCA takedown notices for my product photos that they’re still hosting without me. I don’t think it’ll work but it’ll at least force someone to open the mail and read the request.

    If they won’t give 5 minutes of basic customer service, make them spend 2 hours on lawyers and regulatory compliance.

  5. Joanna Leader

    Same thing for me in UK – My Facebook hacked, password, email, phone number all changed – I recovered it with my drivers licence ID only to find out I’d been banned for “sexual content or nudity”? I appealed of course and explained that ‘they informed me’ that someone may have accessed my account – it took over a month to review – and they banned me forever!
    All those years of memories gone – access to my son’s memorial page gone… it’s outrageous that they can’t treat people like that.

  6. Pam

    Happened to me on March 1st, prob the same guy from the same place in Vietnam. I’m in Canada. I lost all the significant interactions with far away relatives that I wanted to show my kids one day.

    The same guy also tried to hack my amazon and buy a 1k gift card, but that was blocked by Amazon. My account was temporarily suspended and got it back a few hours later. At least I see now between Mark and Jeff which one gives more f about me.

  7. some-not-so-smart-cookie

    hmm it somehow seems that being completely dependent on one single corporation and their arbitrary policies might not be the smartest idea on the planet. Who would have thought? I think I’m on to sth …

    (Coming from someone who doesn’t use a single Meta service and somehow still survives. I know, shocking.)

    1. jcforbes

      Well smart guy, please do tell me how to connect with clients who use Instagram when you don’t have Instagram? Should I be mailing them photos of cool cars?

      When someone at Porsche in Stuttgart gives you their number on Whatsapp do you contact Porsche corporate and request that they switch to Zoom?

  8. Helena

    Yup, same here. Banned/compromised account. Started as well in November 2022. All of a sudden I wasn’t allowed to log in to FB desktop, but was still able to access FB app on my phone. I had set up 2FA with codes on SMS, but I never received any text. Tried to change password, no problem receiving reset code on SMS for pw change. I was not able to access the 2FA settings in FB app, as I was told I needed to access that page on desktop (and I wasn’t able to log in to FB on desktop), so no access to turn 2FA off, even if I had access to FB app. I did everything on every help desk site, googled everything and nothing. “Luckily” I figured out one day I’ll be logged out of the app, so I could take screenshots of my friends list and other important stuff. And yes, I also tried changing out my phone number, but still nothing. And then, now in January – I tried again to do everything written in the help desk pages, and it happened, I got logged out of the FB app on my phone – so no way to get back into my account. Then it got compromised, and I have no way to log in again. Still waiting and hoping for an effing miracle to happen, whenever I try to log in again and hopefully one fine day, I’ll receive that effing SMS. If ever setting up 2FA – please print those printable codes, or set up Google Authenticator, never ever ever SMS! I guess Mark hates me. Still have access to my IG and What’s App tho, so guess I’m lucky! xoxo from Norway

  9. M Noivad

    If an email comes from an unknown source, don’t open it. Even if you know the person, they might have been hacked, and sending a trap file.

    I was thinking you should have had a backup of all your online data, but you figured that out after the fact. Make sure 1 backup is offline somewhere safe. Turn 2FA on wherever you can, and change all your passwords. I would recommend Authy for this.

    Don’t use facebook or gmail for important business: instead use a lower profile service—if you have an ISP, they come with email in most cases. Do not click on links sent to you to anyplace you have to login: it’s a known flaw in the system, and thousands of users are tricked daily by sneakily copy-cat sites with convincing login pages. Instead use a password manager that knows when you are visiting the actual site, and it won’t be fooled by deceptive sites.

    Lastly, avoid questionable sites like torrent sites and porn sites you’ve never heard of. They can do drive by hacking if there’s any security holes in your browser.

    I’ve been using computers since the 70s, and the Internet since around 1992–1994(ish). And if you take these precautions, you are a lot less likely to be hacked.

    1. jcforbes

      I never opened any unknown email, not sure where you got the idea that I did. Also definitely stated multiple times that I was using 2FA for Facebook. I’ve worked as a software engineer and as a network admin; I know my way around and the security flaw was on Facebook’s end, not mine.

      I also could not care less about the data. There’s nothing there that I could conceivably have backed up that I will miss. I have the photos etc, what I don’t have is a way for potential clients to view them while scrolling their feed.

  10. rograndom

    Contact your Attorney General. I went through the same thing (https://news.ycombinator.com/item?id=34031217) and they are VERY interested in these cases.

  11. Gracie Terzian

    The same thing happened to me. It is devastating. The worst is the Facebook login required for other websites. I actually wish the government would get involved in this and demand Facebook have some kind of human based review system in place (even if it’s slow and takes 6 months to get spoken to). The only reason why my Facebook was eventually fixed after about a year is because I have 2 friends who work at Meta who kept submitting requests on my behalf.

  12. Emile

    If this goes nowhere, maybe this blogpost could be of use to you.
    https://jessesingal.substack.com/p/i-fought-the-paypal-and-i-won
    He sent a Notice of Dispute first and then demanded arbitration. Give it a read, he got in touch with the right people pretty fast haha

    In Facebook’s commercial terms, since you advertised, it reads like the same procedure.
    https://www.facebook.com/legal/commercial_terms

    1. Emile

      The snippets of use in their terms:

      “If any party intends to seek arbitration of a dispute, that party must provide the other party with notice in writing. —->This notice of disputeexceptdoes not exceed $75,000<——— and is non-frivolous (as measured by the standards set forth in Federal Rule of Civil Procedure 11(b))."

  13. Louis

    Similar thing happened and this security flaw persists. They refuse to do anything about it. The business accounts and the amount of content tied to them become totally irrecoverable. Awful situation.

  14. Dakić Danilo

    Same thing, 10. February 2023 facebook, instagram, all gone.

    They let me download a copy of my activity for the moment and from that file I learned that the hacker was from Vietnam, because he changed my phone number to a Vietnamese number. When I saw that number, I tried to find that number on WhatsApp and I found the person. Asked him what’s going on and he sent me the middle finger picture.

    I even found that specific cookie was used for logging and changing my information, after I was blocked. So will see what is going to happen.

    Danilo from Serbia, Europe

  15. Lesley

    Same for me, I’ve been disabled since 4th October 22. Have a business page in limbo as well- been down all the Reddit rabbit holes – no success yet- such bullshit! Is there any way to make a new fb so I can stay up to date with events?

    1. jcforbes

      I tried creating a new account and it was banned within a day or two. I used a new phone number, different email, my middle name, etc. to separate it, and it didn’t work.

  16. Amanda

    Just happened to me too on Feb 7th. Locked out of Facebook, Messenger, and Instagram. Facebook had no customer service so of course we’re all screwed.

  17. Jill

    I was hacked on 12/10/22. It was weird, never heard of anyone being hacked this way. I got a FB notification someone is trying to sign in on an A50 phone (which happens to be a phone I had 6 months prior) from Pasadena, CA. I’m in Oregon and have not returned to CA in over 11 yrs. I clicked not me and changed my password. Never got an email about changing my password from FB. Then an hour later, I got another FB notification that someone in Simi Valley, CA is trying to sign in. I again said, not me. I again changed my password. At this point, I was concerned. Then a few hours later, I get a FB notification that someone accepted my friend request. I know I have not sent out any friend request in a year. I go to the app and I get a notification that my Instagram account (which I do NOT have one) was disabled for violating community standards. Somehow, FB allowed someone with a different name to connect their Instagram to my FB! There is absolutely zero help from FB. I have lost my entire chronic pain, depression and support groups and it’s devastating. I’ve since created a new FB, same name, but because it’s new I can’t get into a lot of groups. My friends haven’t accepted my new friend request because they probably think it’s a hack. I have several business pages and groups that I was the sole admin for. I have one I had put my daughter on as an admin but for some reason she can’t add me as an admin. It just sucks

  18. Brad

    Same happened to me. ANY advice you can give me about any emails or contacts you have?

    1. jcforbes

      As of yet nothing to share besides the links I posted at the bottom. In one of the Reddit threads there is a couple of email addresses.
