Meta Employees, Contractors Engaged in Account Hijacking Schemes Using Internal Account Recovery Privileges

Dec 5, 2022

One of the perks of being a Facebook or Instagram employee is access to a special internal account recovery tool, expediting a process that can take weeks or months for regular users (if it ever happens at all). This perk was even extended to certain third-party contractors, such as security guards stationed at company facilities. A new report from the Wall Street Journal indicates that some employees abused their access to this internal channel for cash, in some cases even engaging in account hijacking plots.

The “Oops” tool gives employees a quick response to the requests they submit to unlock Facebook usernames, and they are permitted to ask on behalf of friends and family. As Meta expanded the number of employees and contractors allowed to use Oops, abuse of it appears to have grown exponentially.

Facebook internal investigation turns up endemic abuse of account recovery tool

Widespread internal access and apparently loose monitoring of Oops requests between 2017 and 2020 gradually created a thriving black market, with Meta employees and contractors taking money to perform account recovery for outsiders who would not normally have access to the tool. At least a few took it a step further and attempted account hijacking schemes for profit.

At least one Meta employee was working in tandem with a third-party “account recovery service” that simply passed along client usernames to them for unlocking. The documents indicate that an Instagram model paid this service a one-time fee of $7,000 to have her account unlocked, the largest amount noted in the leaked papers.

The problem was apparently acute among contractors working for Allied Universal, the company that provides security guards to Meta facilities. One of these contractors left Allied Universal and then reached out to a Facebook employee in an attempt to regain access to Oops, proposing that they partner in Instagram account hijacking for profit.

The documents indicate that a total of 24 Meta employees and contractors were let go for abuse of the account recovery tool, though it appears that the vast majority of these cases were some sort of pay-for-play expedited unlocking rather than account hijacking attempts.

Does an account hijacking risk remain?

The documents stem from an internal investigation ordered by Meta executives in 2020, and it appears that internal access to Oops has been tamped down and that the current risk of account hijacking in this way is negligible. The news will no doubt unsettle many Facebook and Instagram users, however, and likely infuriate those who have tried for months to get an account unlocked without being able to get a direct response.

The issue puts a new spotlight on Meta’s general lack of customer service across its various platforms, a longtime issue that has seen the company attempt to handle account recovery and similar user problems with automated systems that often prove to be inadequate to the task. The documents reveal that celebrities could have their requests piped into the Oops system, as well as business partners of a Meta company.

There were 22,000 Oops requests in 2017, and the number increased by around 10,000 per year until it reached over 50,000 in 2020, when the internal investigation was conducted.
