WILMINGTON, Delaware — It was over within minutes. That’s Annene Burgos’ recollection of how quickly her most popular Facebook pages, with more than 33,000 likes combined, slipped through her fingers. She had simply followed instructions received in a message on the site. That message, which appeared to come from Facebook itself, had warned Burgos that her most popular page, The Power of 3, had been flagged as fraudulent. It included the steps to take in order to verify that it was a legitimate, human-run page. The name of the page proved eerily prophetic. After following the steps and entering her credentials, Burgos soon found that she had lost control of three of her most popular pages.
“I’m very leery of scams, hackers, and all kinds of stuff like that,” Burgos said. “I’m not going to be stupid enough to just click a link and follow it.” But she was convinced that this message was from a Facebook employee, and opted to trust the instructions.
The three people listed as the page owners soon found that they had also been removed, as had the three administrators. On the pages themselves, which included The Power of 3, WOMAN TO WOMAN: Our First Amendment right to Bitch and Tormented and Crazy as F*ck 2 Resurrected, a series of malicious click-bait links started appearing in lockstep, attempting to draw in the many followers and get them to engage.
Burgos got a security message advising that there had been an attempt to log in to her account from Virginia, and quickly changed her password. She saved her private account, but her pages were not so lucky.
On one level, this is a cautionary tale about hackers who have become exceedingly sophisticated in their attempts to capitalize on the success of hard-working, honest users. Burgos, who also goes by Rhiannon, said that she has spent years building up a following for her pages only to have it all taken away.
The hackers were selective in what they took. Burgos manages a number of other pages. Unlike the stolen pages, the others have likes only in the hundreds or low thousands, and were apparently not worth taking.
For nearly a week now, the three hacked pages have been pumping out spam links to all of Burgos’ followers, who may have been taken in by the source and clicked on them. Doing so would only lead them on their own journey into the world of virtual victimhood. The fact that her pages have largely Pagan audiences may have heightened that risk. Some users place a higher level of faith in links that appear to be shared within one’s own faith community.
But this isn’t just a story about Facebook users being inattentive, gullible, or too trusting. While the social media giant itself may not have been complicit in the events that led to Burgos and her co-admins losing control of the pages, Facebook has demonstrated a lack of responsiveness once the situation was reported. “Myself and the other admins, and a lot of other people, reported the pages repeatedly,” she said, but for nearly a week, the lack of a response earned a big, fat “dislike” from them. “I even wrote on Mark Zuckerberg’s page, saying that these pages had been hacked and were now posting spam. I asked him to get me the pages back, or at least take them down. I didn’t expect him to answer,” but out of desperation, she tried anyway.
Burgos also made the futile attempt of warning her former fans by posting on the hacked pages and commenting on the suspicious links. She warned people not to click and encouraged them to report the pages themselves. She gave up that effort because she couldn’t keep up, and it wasn’t clear if it was helping turn the tide anyway.
Meanwhile, Burgos and her associates were experiencing what may well have been other effects of the hacking, although it’s not really clear. After she received the notification of the login attempt from another state, Burgos started receiving friend requests from a particular character. “They were random requests from people with one friend,” she recalled. “I don’t know if they were the hackers, but I thought it was weird and denied them all.”
A few days later July 11, Burgos was automatically logged out of her account and advised that she needed to address a problem with an image that she had posted. Although it depicted a fully-clothed woman, the graphic had been reportedly flagged for nudity. While an automatic flagging system might not be expected to know the difference between clothing and skin, Burgos was advised that the image was deemed a violation of Facebook’s terms and would be removed. The image, first posted on July 7, has not yet been removed as of this writing.
The two people who shared ownership in the three hacked pages also found themselves facing similar accusations. They quickly realized that the image flagging all took place within the space of one hour.
“All of our profiles are private, so only our friends can see the pictures,” Burgos said. “I figured that it must have been a mutual friend who did it,” but her investigation showed that they didn’t actually have any friends in common among all three of them, resulting in another dead end.
The Wild Hunt did attempt to contact a Facebook staffer who had been responsive in the past, but discovered that she is no longer with the company. And, her replacement did not respond to our numerous voice and emails seeking comment. If he had done so, we would have asked for ways that Facebook users can remain vigilant against hackers who are becoming increasingly crafty, and what measures Facebook itself is taking to address these concerns.
Regarding both the lack of a human response to Burgos and the odd response to the flagging of non-nude images, Facebook was asked in our email if and when the company actually expects human beings to evaluate these situations. Shortly after the attempt to contact Facebook, all three of the pages were removed from public view. It’s not known if the timing of this action was a coincidence or was precipitated by the contact attempts.
Facebook has a longstanding reputation of avoiding any sort of human-based customer service, a situation which stymied Herman Mehta, the so-called Friendly Atheist, when his own page was hacked. Mehta may have cracked the near-impenetrable Facebook fortress, because it appears he has had his page restored, but he apparently has certain advantages. He wrote:
I got mine back because a friend of a friend knew someone at Facebook who could fast-track it back into my hands. Sneaky option: Tell Facebook you want to buy advertising, [a]nd then say you would buy it but someone got ahold of your page. Can’t promise it’ll help, but they’re much more likely to help you if they think you’ll give them money. Also, you’ll get to talk to a human.
Security vulnerabilities at Facebook made worldwide headlines in 2013, when a Palestinian researcher hacked Mark Zuckerberg’s own page in a last-ditch attempt to notify the company about a security flaw. That particular hole was apparently plugged, but it seems new leaks continuing to spring up, and the company has beefed up neither security nor customer service sufficiently to respond.
Burgos has started new versions of several pages, with The POWER of 3 -pagan path already having gathered more than 1,300 likes as of this writing. But that is still less than 10% of the old page’s following.
As of this morning July 15, Burgos reported that all three of her former pages were live again, with fresh new inappropriate content. Followers of those pages have already been expressing outrage, and Burgos is hoping that no one will fall prey to what are likely malicious links posted at The POWER of 3, Tormented and Crazy as F*ck 2 Resurrected, and WOMAN TO WOMAN: Our First Amendment right to Bitch, all of which are offering identical — and clearly inappropriate — content.
“I just want my story to warn people,” said Burgos. “I know that there are people whose livelihoods come from selling through Facebook, and I can’t imagine how something like this would affect them.”