I was banned permanently, without recourse, because of a security flaw in Facebook’s 2FA system. This is my story.
3/10/23 Update: At some point, I’ve been un-banned from WhatsApp! No idea when or how, I just opened WhatsApp today to show somebody the error message, and voila, it said my account was enabled and had me answer a few questions (phone number, email, etc type stuff), and now it works. This is a huge help.
1/29/23 Update: Some new developments for the good, and some for the very very bad are posted at the bottom.
In November of 2022, I was banned permanently from all Meta products – Facebook, Messenger, Instagram, and WhatsApp most importantly. Not only were my personal accounts banned, but my business Facebook page is now orphaned with no admin, and my business Instagram was deleted. Meta has given me no way to resolve the issue and if you are reading this I remain banned. Here’s how it happened.
November 8th, 2022 was a normal Tuesday. I went to work, I posted a photo on my business Instagram for work we were doing, and I chatted with a dozen people on Messenger. In particular, I was chatting with my ex and my son about his upcoming trip to visit me for Thanksgiving. I had booked him a flight and I sent them the details of the flight to add to their calendar. I had dinner with my family at home, watched some TV, and went to bed around 11pm.
The next morning I woke up to a text message from my ex. “Hey, what happened to your Facebook?”. Uh, nothing, I thought. I went to the Facebook app on my phone and couldn’t log in. How strange. I then went to my email, and saw this:
At 1:10am Facebook sent out this notification email with an account recovery code. I, obviously since I was sleeping, didn’t initiate this. I then noticed another two emails:
At 3:22am somebody accessed my Facebook account, and at 3:25am I was sent an email that my account had been disabled. Of particular note here, I had 2 Factor Authentication turned on and set to use the Google Authenticator app, not SMS nor email, yet Facebook somehow allowed somebody in without the 2FA being done. The most likely scenario is that my email password was compromised and there’s a backdoor to disable 2FA after doing a password reset request, which is a huge security flaw that shouldn’t exist. There should be no situation where, even with access to my email, Facebook should have allowed a login to bypass the authenticator app.
As I’ve been accused of being a victim of phishing, please do note the order of operations here – I had 1st tried to use the app and was locked out and only then went to my email. I had received all 3 emails before interacting with any of them. I was called names for not noticing that the domain is “facebookmail.com” rather than facebook.com, however, Facebook’s own help articles clarify that this is a valid domain.
Original page here:
https://www.facebook.com/help/1634546593478660/?helpref=uf_share
Obviously, I hit the “disagree with decision” button there. I was brought to a page that asked me to confirm my identity by uploading a photo of my driver’s license which I did immediately, and received the following:
Facebook sent an automated reply that they would review the situation and get back to me. A few hours later I received this:
That’s it, done, finito, gone. I searched high and wide for further contact methods. For a way to talk to a human. There is none. At all. I eventually was able to find a page in their help that allowed me to submit a dispute, however, after filling out the form and clicking submit I saw this:
To make matters worse I soon realized that not only had my personal Instagram been simply deleted (not disabled), but also my business Instagram account is gone. GONE. Similarly, there is no contact mechanism for Instagram. That’s it, gone. My business relies heavily on promotion from Instagram, as does most of my industry. The account had been active since 2014 with hundreds of photos and videos showcasing projects we were involved in. GONE.
As for my business Facebook page, it still exists. However, I was the only admin. There are two other people who have permissions to post, but nobody can add new users, and neither of those people are in a position to post to the page for me so the place is now a ghost town. At least it still exists I guess. If you learn one lesson from this as a business owner it should be to have a backup admin – a friend or colleague you can trust, a parent, a child, SOMEBODY who can have full admin control to be able to add and remove users.
But what about WhatsApp? Oh yeah, that too. More than a month after this fiasco I was using WhatsApp to talk to overseas business contacts and in the middle of a conversation it logged me out. Upon attempting to log in I see this:
So there it is, a complete trifecta of business resources destroyed. Messenger chat history is gone, friends and contacts that I don’t even have phone numbers for are gone, and they don’t even have a way to know that I’m alive until I hopefully run into them at work functions this year.
What’s next? Well, you’d think I could just use a different email and create a new identity on Facebook and simply start over. Nope. I tried, and I shared zero contact information with my prior account, but after 4 days that account was banned for being a duplicate account to my other banned account. That’s it. In the eyes of Meta I don’t exist any longer. The thousands of dollars I paid for adverts for my business don’t matter, and they don’t want more of them. There’s simply no recourse here unless this story finds its way to somebody who chooses to take action.
I’m not the only one, either. It appears that a rash of this occurred in the months before and since. I’ve found other blogs about it, and I’ve mentioned it to friends who have told me “oh yeah, the same thing happened to x person I know”. Maybe, just maybe, somebody at Meta will see this and these people can be helped.
1/29/23 Updates: Someone at Meta reached out to me on Reddit, but I didn’t trust they were who they said so he followed up on LinkedIn and appears to be who he says he is. He’s not in a position himself to take any direct action, but he has forwarded some info on to “the right team” and who knows, maybe something will come of it.
In other news, I’ve discovered a new level of this hell. Because I used Facebook as a login service for my account with the DMV I am now unable to pay my vehicle taxes nor renew my registration/tags online. Obviously, I can do this in person, but who wants to GO to the DMV? Not I, that’s for sure.
Please share your experience in the comments! Any useful links, other stories, and relevant posts will get added to the link below.
Others:
https://perfectionhangover.com/facebook-disabled-deactivated-my-account/ – Check out the comments on this one with many many people having this happen!
https://emilycordes.com/facebook/ – This one actually got fixed after gaining enough traction to reach somebody at Facebook who could fix the issue!
This Reddit post says they were able to fix it! Maybe there’s hope? https://www.reddit.com/r/facebook/comments/10hjdt2/i_got_my_facebook_back_after_being_suspended_for/
Dozens upon dozens of people have taken to Google Maps reviews to try to tell similar stories:
https://g.co/kgs/1XqZeA