CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders
Document Leak Reveals Meta Employees Took Bribes To Use Account Recovery Tool for Expedited Service, Account Hijacking

Scott Ikeda·December 2, 2022

The Wall Street Journal is reporting that a leak of internal Meta documents reveals at least a year of internal abuse of an account recovery tool by various parties, who accepted bribes of up to several thousand dollars to recover locked accounts and in some cases even played an accomplice role in account hijacking.

The rogue employees and contractors abused an internal feature called “Oops,” which is primarily intended for in-house account recovery for employees and business partners. Increasingly widespread access to the tool translated into a big jump in abuse, as use of it more than doubled between 2017 and 2020.

Speedy service, account hijacking were available for a price at Facebook and Instagram

Anyone who has ever lost access to a Facebook account knows that the account recovery process is onerous at best, and in some cases impossible. Meta has never had anything more than a skeleton crew manning the customer service desks, relying on highly imperfect automated tools and algorithms to field the vast majority of requests for assistance with locked-out or stolen accounts. In desperation to reach an actual human, some have turned to purchasing Oculus VR headsets (which cost hundreds of dollars) simply because that branch of the company has a dedicated customer service line for hardware owners.

While most people struggle mightily with Facebook or Instagram account recovery, a select set of insiders and high-profile public figures get special access to swiftly resolve their issues. Meta’s internal “Online Operations” (Oops) tool is for them, providing a private email channel available to certain qualified individuals when they have account issues. This channel has reportedly existed for years, but did not run into serious trouble until recently, when the number of internal employees given access to it spiked.

One of the sources of spikes in Oops abuse appears to be contractor Allied Universal, which provides physical security to Meta facilities. Guards stationed on site at these facilities were apparently granted access to Oops despite being third-party contractors, and the leaked documents indicate that some of them quickly made a side hustle out of this access. The documents reveal that some of these parties took bribes (or “fees”) of up to $7,000 to either expedite the account recovery of an outside party that would not normally have access to Oops, or to simply help out with someone’s account hijacking scheme.

The documents are part of an internal investigation into the issue ordered by Meta executives. After the brisk trade in Oops access was discovered, there was reportedly a wave of firings of both Meta employees and contractors that had been profiting from the system. It’s unclear when Oops was first made available, but the documents show that use of it steadily increased from 22,000 requests in 2017 to over 50,000 in 2020.

Account recovery tool restricted in the wake of internal investigation

The Oops system allowed Facebook employees (and select contractors) to email a private address with the email address of an account that they would like restored. So long as the request came from an approved source, the rules governing this appeared to be quite loose, allowing the employees to request expedited account recovery service on behalf of family, friends and business associates. Employees were only asked to list whether the request was on behalf of a personal contact, a Meta business partner, a celebrity or a member of Mark Zuckerberg’s personal team.
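The access-control weakness the article describes is an approved-sender check with no limit on whose accounts get restored or how often. As an added illustration, not Meta’s code or tooling, the following review routine runs over constructed request records with the four request categories named above and flags the patterns a reviewer would want to see: third-party contractors submitting requests at all, requesters whose personal-contact volume is unusually high, and categories outside the approved set. The roles, addresses and threshold are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Request categories the article says requesters had to choose from.
CATEGORIES = {"personal_contact", "business_partner", "celebrity", "ceo_team"}
# Least-privilege assumption: only full-time staff should be able to submit.
ALLOWED_ROLES = {"employee"}
# Constructed threshold (the article gives no real figure): more than this
# many personal-contact requests from one requester in the window is flagged.
PERSONAL_LIMIT = 2

@dataclass(frozen=True)
class RecoveryRequest:
    requester: str   # approved sender address
    role: str        # "employee" or "contractor" (assumed role names)
    category: str    # one of CATEGORIES
    target: str      # account email the requester wants restored

def review(requests):
    """Return {requester: [reasons]} for every requester that trips a check."""
    flags = {}
    def flag(who, reason):
        reasons = flags.setdefault(who, [])
        if reason not in reasons:       # one line per distinct finding
            reasons.append(reason)
    personal = Counter()
    for r in requests:
        if r.role not in ALLOWED_ROLES:
            flag(r.requester, f"role '{r.role}' should not have tool access")
        if r.category not in CATEGORIES:
            flag(r.requester, f"unknown category '{r.category}'")
        if r.category == "personal_contact":
            personal[r.requester] += 1
    for who, n in personal.items():
        if n > PERSONAL_LIMIT:
            flag(who, f"{n} personal-contact requests exceed limit {PERSONAL_LIMIT}")
    return flags

# Constructed sample records; not taken from the leaked documents.
SAMPLE = [
    RecoveryRequest("alice@corp.example", "employee", "business_partner", "shop@partner.example"),
    RecoveryRequest("alice@corp.example", "employee", "personal_contact", "mom@mail.example"),
    RecoveryRequest("guard1@contractor.example", "contractor", "personal_contact", "u1@mail.example"),
    RecoveryRequest("guard1@contractor.example", "contractor", "personal_contact", "u2@mail.example"),
    RecoveryRequest("guard1@contractor.example", "contractor", "personal_contact", "u3@mail.example"),
    RecoveryRequest("bob@corp.example", "employee", "other", "x@mail.example"),
]

if __name__ == "__main__":
    for who, reasons in review(SAMPLE).items():
        print(who, "->", "; ".join(reasons))
```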

At least one of these internal sources was feeding a third-party account recovery service that charged people thousands of dollars for this special access. One of the cases listed by WSJ is that of an Instagram model who paid $7,000 to one of these services, whose owner confirmed that they had an “inside contact” at Meta who facilitated account recovery.

The report also indicates that some of the fired contractors were loath to give up this lucrative side gig after being removed from the premises, reaching out to Facebook employees to assist in Instagram account hijacking schemes. One of these, who was named in the internal documents and interviewed, has been threatened with charges under the Computer Fraud and Abuse Act. The man claims that security contractors are briefed on the Oops service as part of employment but not told about any restrictions on its use. Meta says that it conducts standard training on the use of Oops as part of its onboarding process, including phishing training.


In total, about 24 Meta employees and contractors were fired over bribe-taking or account hijacking issues. Meta has told the media that it has taken “appropriate action” to secure the system. Account hijacking has become an increasing problem recently, as criminals find creative new means of monetizing social media accounts that were previously seen as having too little value to be worth any real effort to attack.

Scott Ikeda
Senior Correspondent at CPO Magazine
Scott Ikeda has been a technology futurist and writer for more than 15 years. He travels extensively throughout Asia and writes about the impact of technology on the communities he visits. Over the last 5 years, Scott has grown increasingly focused on the future landscape of big data, surveillance, cybersecurity and the right to privacy.