The Wall Street Journal is reporting that a leak of internal Meta documents reveals at least a year of internal abuse of an account recovery tool by various parties, who accepted bribes of up to several thousand dollars to recover locked accounts and in some cases even played an accomplice role in account hijacking.
The rogue employees and contractors abused an internal feature called “Oops,” which is primarily intended for in-house account recovery for employees and business partners. Increasingly widespread access to the tool translated into a big jump in abuse, as use of it more than doubled between 2017 and 2020.
Speedy service, account hijacking were available for a price at Facebook and Instagram
Anyone who has ever lost access to a Facebook account knows that the account recovery process is onerous at best, and in some cases impossible. Meta has never had anything more than a skeleton crew manning the customer service desks, relying on highly imperfect automated tools and algorithms to field the vast majority of requests for assistance with locked-out or stolen accounts. In desperation to reach an actual human, some have turned to purchasing Oculus VR headsets (which cost hundreds of dollars) simply because that branch of the company has a dedicated customer service line for hardware owners.
While most people struggle mightily with Facebook or Instagram account recovery, a select set of insiders and high-profile public figures get special access to swiftly resolve their issues. Meta’s internal “Online Operations” (Oops) tool is for them, providing a private email channel available to certain qualified individuals when they have account issues. This channel has reportedly existed for years, but did not run into serious trouble until recently, when the number of internal employees given access to it spiked.
One of the sources of spikes in Oops abuse appears to be contractor Allied Universal, which provides physical security to Meta facilities. Guards stationed on site at these facilities were apparently granted access to Oops despite being third-party contractors, and the leaked documents indicate that some of them quickly made a side hustle out of this access. The documents reveal that some of these parties took bribes (or “fees”) of up to $7,000 to either expedite the account recovery of an outside party that would not normally have access to Oops, or to simply help out with someone’s account hijacking scheme.
The documents are part of an internal investigation into the issue ordered by Meta executives. After the brisk trade in Oops access was discovered, there was reportedly a wave of firings of both Meta employees and contractors that had been profiting from the system. It’s unclear when Oops was first made available, but the documents show that use of it steadily increased from 22,000 requests in 2017 to over 50,000 in 2020.
Account recovery tool restricted in the wake of internal investigation
The Oops system allowed Facebook employees (and select contractors) to email a private address with the email address of an account that they would like restored. So long as the request came from an approved source, the rules governing this appeared to be quite loose, allowing the employees to request expedited account recovery service on behalf of family, friends and business associates. Employees were only asked to list whether the request was on behalf of a personal contact, a Meta business partner, a celebrity or a member of Mark Zuckerberg’s personal team.
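An added example (not Meta’s code; the field names, thresholds and sample requests below are constructed) showing the kind of pre-approval checks a recovery channel like the one described above could enforce before a request reaches the recovery queue: reject requesters who are not direct employees, require a declared relationship category, and hold high-volume requesters for manual review.

```python
from collections import Counter
from dataclasses import dataclass

# Relationship categories a requester must declare (constructed to mirror the
# four options the article lists).
ALLOWED_CATEGORIES = {"personal contact", "business partner", "celebrity", "executive team"}
MAX_REQUESTS_PER_REQUESTER = 3  # assumed per-review-window threshold


@dataclass(frozen=True)
class RecoveryRequest:
    requester: str        # internal sender address
    requester_role: str   # "employee" or "contractor"
    target_account: str   # address of the account to be restored
    category: str         # relationship declared by the requester


def evaluate(requests):
    """Split requests into approved ones and (request, reason) pairs held for review."""
    approved, flagged = [], []
    per_requester = Counter(r.requester for r in requests)
    for r in requests:
        if r.requester_role != "employee":
            flagged.append((r, "requester is not a direct employee"))
        elif r.category not in ALLOWED_CATEGORIES:
            flagged.append((r, "missing or unrecognised relationship category"))
        elif per_requester[r.requester] > MAX_REQUESTS_PER_REQUESTER:
            flagged.append((r, "requester volume exceeds review threshold"))
        else:
            approved.append(r)
    return approved, flagged


# Constructed sample: one ordinary request, one from a site guard, one with no
# declared relationship, and one employee filing four requests in one window.
SAMPLE_REQUESTS = [
    RecoveryRequest("alice@corp.example", "employee", "friend@mail.example", "personal contact"),
    RecoveryRequest("guard1@vendor.example", "contractor", "model@mail.example", "celebrity"),
    RecoveryRequest("carol@corp.example", "employee", "someone@mail.example", ""),
] + [
    RecoveryRequest("dave@corp.example", "employee", f"client{i}@mail.example", "business partner")
    for i in range(4)
]


def summarize(requests=SAMPLE_REQUESTS):
    """Return (approved_count, flagged_count, reason_counts) for a batch."""
    approved, flagged = evaluate(requests)
    return len(approved), len(flagged), Counter(reason for _, reason in flagged)


if __name__ == "__main__":
    print(summarize())
```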
At least one of these internal sources was feeding a third-party account recovery service that charged people thousands of dollars for this special access. One of the cases listed by WSJ is that of an Instagram model who paid $7,000 to one of these services, whose owner confirmed that they had an “inside contact” at Meta who facilitated account recovery.
The report also indicates that some of the fired contractors were loath to give up this lucrative side gig after being removed from the premises, reaching out to Facebook employees to assist in Instagram account hijacking schemes. One of these, who was named in the internal documents and interviewed, has been threatened with charges under the Computer Fraud and Abuse Act. The man claims that security contractors are briefed on the Oops service as part of employment but not told about any restrictions on its use. Meta says that it conducts standard training on the use of Oops as part of its onboarding process, including phishing training.
In total about 24 Meta employees and contractors were fired over bribe-taking or account hijacking issues. Meta has told the media that it has taken “appropriate action” to secure the system. Account hijacking has become an increasing problem recently, as criminals find creative new means of monetizing social media accounts that were previously seen as having too little value to expend any real energy in attacking.