Menu
EN

Giant Oops: Meta’s hijacking scandal shows once again Big Tech doesn’t care about your security or privacy

Meta has never ranked high on the privacy or security charts, being notorious for sharing user data with shady actors, scraping sensitive information from hospitals and financial websites, and allowing millions of users’ personal data to be leaked. It would seem that Meta should have exhausted all possible options for violating users’ trust by now, but the tech giant is used to defying expectations.

Still breaking into things

Two dozen Meta workers and contractors have been disciplined or fired for abusing a secretive internal tool to take over user accounts, sometimes for thousands of dollars in bribes, the Wall Street Journal reported. The tool, fittingly named “Oops” (short for Online Operations), was designed to serve as a shortcut for Meta workers to reset accounts for colleagues, family, friends, and public figures.

Facebook, even before CEO Mark Zuckberg renamed it Meta, was trying to distance itself from the old motto “move fast and break things.” But even though the phrase has now been neutered to just “move fast”, “breaking things” slogan appears to still hold true. In one especially egregious case mentioned in the report, a security contractor was allegedly found to have reset “multiple user accounts on behalf of hackers, receiving thousands of dollars in bitcoin” for the service.

Meta may have abandoned its “move fast, break things” slogan, but its actions speak otherwise
Photo: CHUTTERSNAP/Unsplash

Meta’s very cavalier, if not reckless, attitude in granting access to the tool, is partially to blame for the “oops”․ Another security guard, whom Meta accused of monetizing the shortcut, said access to the tool came bundled with access to the Facebook intranet, a local network where employees could safely share company information. The guard claimed that the tool itself and how to use it (or rather, how not to use it) wasn’t covered in training. “They didn’t have any set of rules or give you a class on what to expect,” he said. The contractor considered his privileged access to Online Operations a nice bonus — and did not hesitate to avail himself of it. Confronted by Meta, he claimed he thought he was doing a good thing — helping legitimate owners to retrieve their accounts.

A case of misplaced priorities

It’s not clear from the report how many Meta employees and contractors were fired and how many were “disciplined” or received a slap on the wrist, and Meta does not want to spill any more beans. What’s concerning is that the popularity of the account-resetting tool has skyrocketed in the past few years. In 2017, the secret channel was used to process 22,000 tasks, while in 2020 their number shot up to 50,270.

To be fair, the number of full-time Meta’s employees more than doubled between 2017 and 2020 — from 25,000 to 58,000. However, as more people have access to the instrument allowing them to de-facto hijack any user’s account, the greater is the probability that it will be mishandled, either out of goodwill or malice.

The problem is not only the availability of the tool to a huge number of Meta employees, but also its very existence. On the face of it, such issues as reinstating an account and returning it to its rightful owner should be handled by a company's support desk. But in the case of Meta, the support service is almost as good as non-existent. Either by design or by an incomprehensible oversight for a company of this caliber, until recently Meta turned a blind eye to customer support, not having a hotline to handle recovery requests in a timely manner.

Reportedly, it could take Meta anything from 48 hours to 45 days to process a request. Of course, you can follow Facebook guidelines to try to recover your account on your own, but if a hacker has changed your password and email and unlinked your phone number from your profile, you’re out of luck. Those who have lost access to their accounts and need them back as soon as possible (for business reasons or otherwise) are pushed to turn to the so-called “account restoration specialists,” who sometimes claim to have connections at Meta.

Meta employees helped hackers to take over users’ accounts
Photo: Towfiqu barbhuiya/Unsplash

Such a system is a breeding ground for corruption, because the likelihood of success depends not on the merit of your claim, but on whether you know the right people and how close you are to them. Literally.

An Onlyfans model claimed earlier this year that she had sex with multiple Meta employees to get her Instagram account unbanned. “All you have to do is have someone really really like you, and you’ll eventually get your account back,” she told the ‘No Jumper’ podcast in May. In the light of the Journal’s report, the story does not look far-fetched.

Given that Instagram is approaching 2 billion monthly active users, and that Facebook has nearly 3 billion people logging in every month, servicing all of them is not a cakewalk. However, the fact that Meta is pumping billions into its metaverse project with little or no return suggests that the company has the resources to spare, just that the user and their security is apparently not its top priority.

Too little, too late?

A year ago, Meta began testing live chat support in its Facebook app for a limited number of its English-speaking users. It was “the first time Facebook has offered live help for people locked out of their accounts,” the tech giant then proudly declared. This month, Meta said that live support has become available to more than 1 million people, and that it has been seeing “positive results.” The company confirmed it will be rolling out the feature to 30 more countries (in addition to the original nine, including the US), but has not specified how many users would eventually get it.

In August, Bloomberg reported that Meta has also started building a “customer-service division” that would deal with complains from users whose posts and accounts were taken down. Long overdue, one would think.

What the new scandal teaches us

The “Oopsgate” deals another blow to Meta’s reputation, raising the question of just how much control and access Meta workers have over user data. It also shows that disregard for user security and privacy runs through the company’s operations. This is perhaps unsurprising, since Meta’s main focus and source of revenue is collecting user data for targeted advertising, and not privacy or security.

In practice, this means that we have to be very careful when entrusting our data to Meta and other tech companies that handle large amounts of user data and share its business model. Enabling two-factor authentication, keeping your contact information up to date, not clicking on a login code you didn’t ask for are some of the rules that will help protect your data from hackers, but on a broader scale, they’re not foolproof.

When it comes to cyber security, we should not be fooled into thinking that tech behemoths are virtually invulnerable to any internal incident or external attack, because they supposedly employ top talent and use best practices. Not long ago, we wrote about the infamous hacker group Lapsus$, which collected the scalps of several tech giants, including NVIDIA and Samsung, while literally being a bunch of teenagers with laptops. Besides, bad apples that would abuse internal tools can be found just about everywhere

Truth be told, neither Instagram nor Facebook are probably the best places to have private conversations and share intimate photos, even without the added risk of being hijacked by an unscrupulous Meta employee. Neither Facebook or Instagram are end-to-end encrypted by default yet, and Meta has repeatedly shown that it is willing to breach user privacy at the request of law enforcement. If you don’t want to take chances with Meta, you might want to try an end-to-end encrypted messenger that focuses on privacy and security, such as Signal. It’s worth keeping in mind, though, that end-to-end encryption is not a panacea. For example, WhatsApp has end-to-end encryption, but is also notorious for collecting huge amounts of unencrypted metadata, that it can share with police and WhatsApp’s parent, Meta.

So, bottom line: be careful with who you trust, do your research, assess risks, use available security measures and tools, and never let your guard down.

Liked this post?
By downloading the comments you agree the terms and policies

AdGuard
for Windows

AdGuard for Windows is more than an ad blocker. It is a multipurpose tool that blocks ads, controls access to dangerous sites, speeds up page loading, and protects children from inappropriate content.
User Reviews: 18635
4.7 out of 5
By downloading the program you accept the terms of the License agreement
Read more

AdGuard
for Mac

AdGuard for Mac is a unique ad blocker designed with macOS in mind. In addition to protecting you from annoying ads in browsers and apps, it shields you from tracking, phishing, and fraud.
User Reviews: 18635
4.7 out of 5
By downloading the program you accept the terms of the License agreement
Read more

AdGuard
for Android

AdGuard for Android is a perfect solution for Android devices. Unlike most other ad blockers, AdGuard doesn't require root access and provides a wide range of app management options.
User Reviews: 18635
4.7 out of 5
By downloading the program you accept the terms of the License agreement

AdGuard
for iOS

The most advanced ad blocker for Safari: it makes you forget about pop-up ads, speeds up page loading, and protects your personal data. A manual element-blocking tool and highly customizable settings help you tailor the filtering to your exact needs.
User Reviews: 18635
4.7 out of 5
By downloading the program you accept the terms of the License agreement

AdGuard Browser extension

AdGuard is the fastest and most lightweight ad blocking extension that effectively blocks all types of ads on all web pages! Choose AdGuard for the browser you use and get ad-free, fast and safe browsing.
User Reviews: 18635
4.7 out of 5

AdGuard for Safari

Ad blocking extensions for Safari are having hard time since Apple started to force everyone to use the new SDK. AdGuard extension is supposed to bring back the high quality ad blocking back to Safari.
User Reviews: 18635
4.7 out of 5
Available on the
App Store
Download
By downloading the program you accept the terms of the License agreement

AdGuard Home

AdGuard Home is a network-wide software for blocking ads & tracking. After you set it up, it’ll cover ALL your home devices, and you don’t need any client-side software for that. With the rise of Internet-Of-Things and connected devices, it becomes more and more important to be able to control your whole network.
User Reviews: 18635
4.7 out of 5

AdGuard Content Blocker

AdGuard Content Blocker will eliminate all kinds of ads in mobile browsers that support content blocker technology — namely, Samsung Internet and Yandex.Browser. While being more limited than AdGuard for Android, it is free, easy to install and still provides high ad blocking quality.
User Reviews: 18635
4.7 out of 5
By downloading the program you accept the terms of the License agreement
Read more

AdGuard Assistant

A companion browser extension for AdGuard desktop apps. It offers an in-browser access to such features as custom element blocking, allowlisting a website or sending a report.
User Reviews: 18635
4.7 out of 5
Assistant for Chrome Is it your current browser?
Install
By downloading the program you accept the terms of the License agreement
Assistant for Firefox Is it your current browser?
Install
By downloading the program you accept the terms of the License agreement
Assistant for Edge Is it your current browser?
Install
By downloading the program you accept the terms of the License agreement
Assistant for Opera Is it your current browser?
Install
By downloading the program you accept the terms of the License agreement
Assistant for Yandex Is it your current browser?
Install
By downloading the program you accept the terms of the License agreement
Assistant for Safari Is it your current browser?
If you can't find your browser, try the old legacy Assistant version, which you can find in AdGuard extension settings.
Downloading AdGuard To install AdGuard, click the file indicated by the arrow Select "Open" and click "OK", then wait for the file to be downloaded. In the opened window, drag the AdGuard icon to the "Applications" folder. Thank you for choosing AdGuard! Select "Open" and click "OK", then wait for the file to be downloaded. In the opened window, click "Install". Thank you for choosing AdGuard!
Install AdGuard on your mobile device