An unknown and apparently large number of Facebook accounts appear to have been hacked in 2021 in a consistent fashion: the account’s email address is changed (often to a Hotmail address), two-factor authentication (2FA) is enabled on the hacker’s phone, and the account’s owner then spends weeks or months fruitlessly attempting to recover their personal information.
In our attempts to assist someone resolving the problem, we found a massive trove of threads, comments, and posts reporting and discussing the issue. Almost unanimously, the hacked Facebook users reported having no ability to reverse the specific means of their Facebook account takeovers.
To measure the scope of the issue, we had to look outside Facebook, as the platform is notorious for (among other things) its lack of transparency. To that end, we searched “Facebook hacked” on Google Trends for the 90-day period ending on August 31 2021. Google Trends data indicated “Breakout” interest in “Facebook hacked,” along with “Facebook hacked email changed,” “Facebook hacked email changed to Hotmail,” and “Facebook hacked email changed 2021” — the latter query pointing at a high concentration of compromised Facebook accounts.
Initially, Facebook directs people to a specific URL (facebook.com/hacked), which appears at first glance to be helpful. But the listed options rarely address the specific pattern seen in posts from 2021 across social media, in which the hacker has changed the account’s email address and then enabled two-factor authentication using an unknown device:
The general understanding of “hacking” includes accounts that are breached, accessed, and seized by unknown individuals. But the options listed only covered impostor accounts, content the poster “thought [was] private,” and cryptically, “I don’t see the right option on this list.”
One option, “Someone else got into my account without my permission,” didn’t address the hacked user’s inability to log in to their own Facebook. Further, most people attempting to regain access to their Facebook accounts are directed to two-factor authentication — which then triggers a text alert to whoever has seized control of their account.
Reddit’s r/facebook was awash in posts submitted by people whose accounts had been stolen, many of whose threads were posted in August 2021. A clear pattern was evident in titles, which mentioned changed emails and changed or newly enabled “2FA.” There were too many to count; the image represents just a minute sample:
One post from November 2020 was insightful due to the sheer volume of comments from Redditors experiencing the same problem:
In the above post, u/Haunted-muffin provided updates, describing a four-month-long process of attempting to regain access to their own account. They described the same issues we encountered while attempting to recover an account:
I was able to change the email and password but it’s now asking me for a 6-digit login code that has been sent to a phone number I don’t own. As they changed my phone number, I’m not able to get the code and access my account. I tried going to the “Find Your Account” page and I also submitted my ID one month ago but I haven’t heard anything from them.
What else can I try to get it back?
Edit: I just received an email saying they got my ID but due to covid and not enough staff they can’t review it now and to try later. There’s a small chance I can get my account back but not right now.
Edit 2: After 4 months, they were able to review my ID and I got my Facebook account back.
Edit 3: In my case, they activated the 2 Factor authenticator and changed the phone number where that code will be sent. I don’t remember exactly the steps, but I know I clicked on “forgot password” > selected the account with my name > I received a message saying they sent the code to that random phone number > I clicked the option “I don’t have access to this phone” > I eventually got to that form to submit my ID. This may also help: Confirm Your Identity With Facebook
Please note that I could only get my Facebook back because they changed my email and phone number but my name and picture were the same. They also take some time, in my case, 4 months.
So many commenters responded with the “same problem” that Reddit sorted them into a “continue this thread” link:
As far as the “same thing” endured by countless Facebook users, a generalized order of events appeared in most posts:
- The Facebook user is unable to access their account;
- The user attempts to use Facebook’s mechanisms for account recovery;
- In doing so, the user learns that someone has changed the email address on their account to an encrypted address;
- At some point in the process, the hacked Facebook user discovers a buried email from Facebook (typically received overnight) about the change to email, password, and/or phone number;
- Often (but not always), the email address is a Hotmail address;
- Facebook directs the user to use “Code Generator” to enter a six-digit code;
- The user realizes that whoever breached their account has either changed the phone number, or enabled two-factor authentication (2FA) to an unknown phone number;
- Facebook requests the user submit identification, almost always rejecting the ID;
- The user spends weeks or months cycling through the steps, unable to regain access to their Facebook account.
What makes the Facebook hack a widespread and persistent problem is that, across posts on Reddit and the Facebook Help Center, no reliable path exists for the account’s owner to recover the account. In most cases, the user is further distressed by the loss of memorabilia, photographs, and access to the walls of deceased loved ones who can no longer “re-add” them.
Although the majority of posts to r/facebook are posted and commented on by people who are unable to resolve the problem, at least one person shared a February 12 2021 post about the unusual way they recovered their Facebook account. In that instance, they spent $300 on an Oculus headset, which provided them access to phone support from Facebook.
As was almost always the case, u/thompsonbr87 reported that the hacker “changed my password, removed my email and phone number, and set up 2FA.” As such, two-factor authentication seemed to serve as an exploit, by which even people who had enabled it were twice thwarted by a change in phone number:
Part of the post above described how portions of Facebook’s account recovery process involved broken or expired links; we encountered that repeatedly. Facebook’s supposed protections, like review of identification, did not result in a successful recovery.
In fact, they were informed that the account “[could not] be recovered”:
I went through the usual password recovery methods and realized that the recovery email was not one that belonged to me. I tried the other suggestions on Facebook’s help pages, but as I’m sure you well know by now, Facebook customer support is not a thing.
I tried using Trusted Contacts. This almost worked. I was able to access my account, but as I was clicking through the recovery screens, I got an error message saying the link I used was expired. Damn. I tried a couple more times, but got messages saying something about exceeding the # of attempts to recover in a day.
The next day, Trusted Contacts is no longer an option. Instead, I go through the process of submitting an ID and an alternate contact email. And then I wait. And wait. And wait. I keep checking back, and all I ever see is, “You have already submitted your ID. We will get in contact when we have a chance to review.” Fast forward to a month later, I check back and get a new message. “Your account cannot be recovered because we cannot confirm your identity.” No further steps mentioned. No details or other options on how to confirm my identity – just a brick wall. I searched all over and found lots of people in the same boat who had just said, “Forget it!”
All searches related to the volume of Facebook accounts hacked in 2021 returned a number of social media posts or blog entries, but very little — if any — official information. Overwhelmingly, the posts presented a dead end; people often were faced with restrictions because of their repeated attempts to recover their accounts.
One such post appeared on the website of a travel blogger who was a victim of the specific Facebook hacking mechanism discussed across social media. Details of their experience were consistent with the other posts, but one portion of the blog post (“ABOUT THE TIME HACKERS ACTIVATED TWO-FACTOR AUTHENTICATION ON MY FACEBOOK ACCOUNT …”) hinted at an extremely widespread problem not being addressed by Facebook.
In that excerpt, the writer conceded that they were unable to provide answers — and that the post was surprisingly their most popular ever by a wide margin:
I always expected this Royal Wedding blog post to be my most popular, but instead this one has eclipsed it by some ways. I am sorry to hear that so many people are also dealing with Facebook’s two-factor authentication problem.
If you have not already done so, please make sure you report that your account has been hacked. A friend can do this for you by selecting the […] button from your profile then going to “Find support or report profile”. They should then be able to report it as hacked. You can also check out this website to see if any of the suggestions work for you.
I managed to get my account back after four months of going through the process of sending in my ID. I have no secret to recovering Facebook accounts: I simply went through the recovery process every 7-10 days, selecting that I could not authorise using 2FA. This meant that I wasn’t blocked for spamming Facebook. You can probably fill out the forms more often, but it will block you if you do too many in one day.
Eventually, the automated ID reader popped up and actually read my ID properly. As I wrote in the original blog post, this initially did not work for me; I’m unsure why.
At the end of the excerpted portion, the blogger’s advice underscored Facebook’s chaotic handling of the exploit. While they were one of the lucky few who managed to recover their account (after four months of attempts), the specific action resulting in recovery was something they had repeatedly tried to no avail.
We found at least two articles about the specific two-factor authentication exploit, one published by Lifehacker in March 2021 in the form of an “advice” post. Notably, the tenor of the advice held that no known method to recover one’s account was recommended, since all seemed to work intermittently, if at all.
Among the suggestions was purchasing Facebook’s Oculus headset (again, for hundreds of dollars), suggesting that the scope of the problem drove sales of the expensive device:
Going forward, make sure your husband sets up two-factor authentication on his Facebook account—whether he regains access to his existing account or gives up and makes a new one. That way, it will be virtually impossible for someone to break into his account unless they have physical access to his smartphone or perform some kind of SIM-spoofing attack. And, as always, it’s critical to use a unique, strong password for Facebook that isn’t used with any other service. Ideally, one that will be kept safe via a dedicated password manager.
I wish I had better advice for you—or even some way to contact Facebook to get personal assistance with the problem. Unfortunately, Facebook’s automated tools are the best you’re going to get. Make sure he’s thoroughly exhausted all the options, even if it takes running through them multiple times, clicking all the various “help me” links along the way. He might even have to pester Facebook elsewhere. (Twitter DMs? Maybe even Oculus support, if he pretends to be a customer who needs access to his Facebook account to use one), or submit his ID multiple times (alongside increasingly snarky comments) before he regains access to the account.
Is this annoying? A hundred times yes. However, persistence will (hopefully) pay off.
On August 2 2021, NPR’s All Things Considered published “Your Facebook Account Was Hacked. Getting Help May Take Weeks — Or $299.” It began with one individual’s experience, before recounting several others’ inability to recover their Facebook accounts:
Angela McNamara’s first hint that her Facebook account had been hacked was an early-morning email warning that someone was trying to log into her account.
“If this is not you, don’t worry, we’re keeping your account safe,” she recalls the email from Facebook saying. But her relief only lasted a minute, when another email arrived, saying her password had been changed. Then another, notifying her that a two-factor authentication — an extra layer of security — had been set up for her account.
“And then from there I’m just like, ‘OK, it is gone,’ ” said McNamara, who lives outside Toronto. She tried Facebook’s automated process to recover her account: getting a backup code, resetting her password. But nothing worked.
This has been happening to a lot of people lately, and the experience has left many users nearly as frustrated with the social network as they are with the hackers. In July, NPR received 19 emails from listeners complaining that their Facebook accounts had been hacked or disabled. People share similar tales of woe on Reddit forums and Twitter every day.
NPR noted that victims of the exploit lose “money and memories,” and reported that at least two of the listeners who contacted the network purchased Oculus headsets in an attempt to recover their memories or prevent monetary losses. A particularly sad excerpt involved McNamara’s eventual decision to purchase a useless-to-her Oculus headset after she considered the amount of personal memorabilia she had stored on Facebook:
“I ultimately broke down and bought a $300 Oculus Quest 2,” [Brandon Sherman of Nevada City, Calif.] said. Oculus is a virtual reality company owned by Facebook but with its own customer support system.
Sherman contacted Oculus with his headset’s serial number and heard back right away. He plans to return the unopened device, and while he’s glad the strategy worked, he doesn’t think it’s fair.
When McNamara, the Facebook user in Canada, first heard about the Oculus trick, she thought it was a joke. But she said, “Once I started thinking about it, all my memories, I really realized that I wanted to do whatever possible to get it back.”
So she, too, ordered an expensive gadget she never planned to use and returned it as soon as she got back into her Facebook account.
(A warning to anyone thinking about trying this — other Reddit users have said they tried contacting Oculus support but were unable to get their Facebook accounts restored. Also, last week, Facebook said it was temporarily halting sales of the Oculus Quest 2, which retails starting at $299, because its foam lining caused skin irritation for some customers.)
NPR confirmed Facebook was definitely aware of the two-factor authentication exploit — and that the platform assisted some of the people who spoke to NPR. We were unable to find any indication that Facebook created any sort of recourse for the countless people unable to recover the content and images entrusted to Facebook over a decade or more, but who had neither the time to experiment nor the money to buy a headset.
As for why so many Facebook accounts are being hacked in an identical and effectively unfixable fashion, no conclusive motivation appeared in any of the articles we located. It stood to reason that general restrictions on brand-new accounts made seized, years-old accounts valuable to scammers with nefarious intent.
Unfortunately for victims of the Facebook email-change and two-factor authentication hack, it is evident Facebook has been made aware of the problem and has elected not to address it or assist users in recovering the accounts they created. Workarounds often involved the purchase of a $300 Oculus headset, but even then there is no guarantee the account can be recovered. As it stands, an unknown but apparently large number of long-term Facebook users are unable to access their photographs, contacts, and the walls of deceased loved ones, and we were unable to find any consistent avenue for anyone to recover their account.