Giant Oops: Meta’s hijacking scandal shows once again Big Tech doesn’t care about your security or privacy
Meta has never ranked high on the privacy or security charts, being notorious for sharing user data with shady actors, scraping sensitive information from hospitals and financial websites, and allowing millions of users’ personal data to be leaked. It would seem that Meta should have exhausted all possible options for violating users’ trust by now, but the tech giant is used to defying expectations.
Two dozen Meta workers and contractors have been disciplined or fired for abusing a secretive internal tool to take over user accounts, sometimes for thousands of dollars in bribes, the Wall Street Journal reported. The tool, fittingly named “Oops” (short for Online Operations), was designed to serve as a shortcut for Meta workers to reset accounts for colleagues, family, friends, and public figures.
Facebook, even before CEO Mark Zuckberg renamed it Meta, was trying to distance itself from the old motto “move fast and break things.” But even though the phrase has now been neutered to just “move fast”, “breaking things” slogan appears to still hold true. In one especially egregious case mentioned in the report, a security contractor was allegedly found to have reset “multiple user accounts on behalf of hackers, receiving thousands of dollars in bitcoin” for the service.
Meta’s very cavalier, if not reckless, attitude in granting access to the tool, is partially to blame for the “oops”․ Another security guard, whom Meta accused of monetizing the shortcut, said access to the tool came bundled with access to the Facebook intranet, a local network where employees could safely share company information. The guard claimed that the tool itself and how to use it (or rather, how not to use it) wasn’t covered in training. “They didn’t have any set of rules or give you a class on what to expect,” he said. The contractor considered his privileged access to Online Operations a nice bonus — and did not hesitate to avail himself of it. Confronted by Meta, he claimed he thought he was doing a good thing — helping legitimate owners to retrieve their accounts.
A case of misplaced priorities
It’s not clear from the report how many Meta employees and contractors were fired and how many were “disciplined” or received a slap on the wrist, and Meta does not want to spill any more beans. What’s concerning is that the popularity of the account-resetting tool has skyrocketed in the past few years. In 2017, the secret channel was used to process 22,000 tasks, while in 2020 their number shot up to 50,270.
To be fair, the number of full-time Meta’s employees more than doubled between 2017 and 2020 — from 25,000 to 58,000. However, as more people have access to the instrument allowing them to de-facto hijack any user’s account, the greater is the probability that it will be mishandled, either out of goodwill or malice.
The problem is not only the availability of the tool to a huge number of Meta employees, but also its very existence. On the face of it, such issues as reinstating an account and returning it to its rightful owner should be handled by a company's support desk. But in the case of Meta, the support service is almost as good as non-existent. Either by design or by an incomprehensible oversight for a company of this caliber, until recently Meta turned a blind eye to customer support, not having a hotline to handle recovery requests in a timely manner.
Reportedly, it could take Meta anything from 48 hours to 45 days to process a request. Of course, you can follow Facebook guidelines to try to recover your account on your own, but if a hacker has changed your password and email and unlinked your phone number from your profile, you’re out of luck. Those who have lost access to their accounts and need them back as soon as possible (for business reasons or otherwise) are pushed to turn to the so-called “account restoration specialists,” who sometimes claim to have connections at Meta.
Photo: Towfiqu barbhuiya/Unsplash
Such a system is a breeding ground for corruption, because the likelihood of success depends not on the merit of your claim, but on whether you know the right people and how close you are to them. Literally.
An Onlyfans model claimed earlier this year that she had sex with multiple Meta employees to get her Instagram account unbanned. “All you have to do is have someone really really like you, and you’ll eventually get your account back,” she told the ‘No Jumper’ podcast in May. In the light of the Journal’s report, the story does not look far-fetched.
Given that Instagram is approaching 2 billion monthly active users, and that Facebook has nearly 3 billion people logging in every month, servicing all of them is not a cakewalk. However, the fact that Meta is pumping billions into its metaverse project with little or no return suggests that the company has the resources to spare, just that the user and their security is apparently not its top priority.
Too little, too late?
A year ago, Meta began testing live chat support in its Facebook app for a limited number of its English-speaking users. It was “the first time Facebook has offered live help for people locked out of their accounts,” the tech giant then proudly declared. This month, Meta said that live support has become available to more than 1 million people, and that it has been seeing “positive results.” The company confirmed it will be rolling out the feature to 30 more countries (in addition to the original nine, including the US), but has not specified how many users would eventually get it.
In August, Bloomberg reported that Meta has also started building a “customer-service division” that would deal with complains from users whose posts and accounts were taken down. Long overdue, one would think.
What the new scandal teaches us
The “Oopsgate” deals another blow to Meta’s reputation, raising the question of just how much control and access Meta workers have over user data. It also shows that disregard for user security and privacy runs through the company’s operations. This is perhaps unsurprising, since Meta’s main focus and source of revenue is collecting user data for targeted advertising, and not privacy or security.
In practice, this means that we have to be very careful when entrusting our data to Meta and other tech companies that handle large amounts of user data and share its business model. Enabling two-factor authentication, keeping your contact information up to date, not clicking on a login code you didn’t ask for are some of the rules that will help protect your data from hackers, but on a broader scale, they’re not foolproof.
When it comes to cyber security, we should not be fooled into thinking that tech behemoths are virtually invulnerable to any internal incident or external attack, because they supposedly employ top talent and use best practices. Not long ago, we wrote about the infamous hacker group Lapsus$, which collected the scalps of several tech giants, including NVIDIA and Samsung, while literally being a bunch of teenagers with laptops. Besides, bad apples that would abuse internal tools can be found just about everywhere
Truth be told, neither Instagram nor Facebook are probably the best places to have private conversations and share intimate photos, even without the added risk of being hijacked by an unscrupulous Meta employee. Neither Facebook or Instagram are end-to-end encrypted by default yet, and Meta has repeatedly shown that it is willing to breach user privacy at the request of law enforcement. If you don’t want to take chances with Meta, you might want to try an end-to-end encrypted messenger that focuses on privacy and security, such as Signal. It’s worth keeping in mind, though, that end-to-end encryption is not a panacea. For example, WhatsApp has end-to-end encryption, but is also notorious for collecting huge amounts of unencrypted metadata, that it can share with police and WhatsApp’s parent, Meta.
So, bottom line: be careful with who you trust, do your research, assess risks, use available security measures and tools, and never let your guard down.