It was just after 8 p.m. when Marjorie May got a message on Facebook from her niece, Emma Kangas, saying "I need your help."
May froze. Her niece had moved into her home several months earlier. Together, they were working on reducing the frequency of Kangas' epileptic seizures. Though May was certain her niece was in the house, she worried that she might be experiencing a health crisis in a bedroom several feet away. As she typed a hurried "OK" in response, she rose to her feet to go check on her.
To her relief, she found her niece in the living room, scrolling on her phone. "Are you messaging me on Facebook right now?" May recalled asking, before a new message popped into the inbox.
"Will you be able to loan me 200 bucks? I will pay you tomorrow with interest of 50 bucks."
Kangas' account was hacked.
May contacted Public Investigator in December. In her call, the Brookfield resident said her 20-year-old niece had been unable to deactivate the account, which continued to spam other friends and family members with urgent requests for money.
"I reported it. Her friend reported it. She started a new account, but this other profile was still showing up and we couldn't get it closed down," May said.
After repeatedly reporting the account as compromised, Kangas and May received two emails from Facebook. Each stated that Facebook had reviewed the activity on Kangas' account and found no evidence of suspicious activity.
Facebook does not provide an option to speak directly to a representative, so Kangas was unable to escalate her issue. Instead, she was directed back to the platform's "help center," which provides instructions on how to report a hacked account.
“These companies, I think they need to be held accountable," May said. "If you're going to automate and do all this cost saving stuff, that's great for certain things, but if somebody's getting hacked and it's their personal identity and personal data at stake, they should be able to talk to a live person and actually get help."
Since December, Facebook messages from the hacker have continued to arrive in friends and family members’ inboxes.
Public Investigator contacted Meta, the parent company of Facebook, in December, January, April and May in an attempt to get answers about the hacking of Kangas' profile.
Representatives from the company did not respond until late May, when Meta communications director Andy Stone said he would send Kangas' case to the Meta investigations team.
"This shouldn't be normal," Kangas said. "I feel like Facebook should do more to prevent this from happening to other people."
Facebook's history with data breaches and hacking
Meta has faced criticism about its handling of hacked accounts before.
In March, 41 attorneys general wrote a letter to Meta's Chief Legal Officer Jennifer Newstead complaining that the company had neglected hacking victims and exposed them to potential financial harm. The group includes Wisconsin Attorney General Josh Kaul.
"Our offices have experienced a dramatic and persistent spike in complaints in recent years concerning account takeovers that is not only alarming for our constituents but also a substantial drain on our office resources," they wrote.
Dorothea Salo, an information security and privacy expert at the University of Wisconsin-Madison, said Kangas' experience reflects the lack of regulations on tech companies to address hacking and security issues for its users.
"There aren't really laws mandating a certain amount of customer service," Salo said. "The United States courts do not have a clear evaluation of what the harms are when a social media account gets hacked."
Salo said many court cases about digital account privacy and protections hinge on whether there is "legally cognizable harm." The court must agree that the individual impacted has faced a significant level of harm and that a company like Facebook must take action to resolve the issue.
Salo said Facebook is also "notorious" for poor customer service and tech support, particularly for non-English speaking communities.
"They’re a lot worse than they have to be, I think because they’re so hyper-focused on making money through advertising and user surveillance," she said.
When asked why Facebook might choose not to provide a live chat option to users, Salo said it is likely an issue of scale. Facebook serves billions of users who speak hundreds, if not thousands, of languages, she said.
"If you have billions of users, you don’t have to care about just one," Salo said.
May, who used to work in the tech industry on AI automation projects, said her niece's experience reminded her of the necessity of human intelligence and interaction in addressing customer service and other issues, especially for individuals with developmental and neurological disabilities.
Kangas' Cash App and Chase bank account were also hacked within the same two weeks of the Facebook hack, but Kangas was able to cancel the Cash App payments and close her bank account.
May assumed that with so many of their family members reporting Kangas' Facebook account for spam and abuse, it would eventually be deleted or returned to her niece. However, despite the page going dormant for several months, the messages began again in April.
"I need your help," the hacker said in one such message. "Can you loan me some bucks of money still tomorrow. I will surely pay you back."
When she realized she had been hacked again, Kangas attempted to change the password on the account, she said. But the hacker had changed the email, password and phone number connected to the profile.
Kangas' frustration about the incident is about more than just the loss of hundreds of social connections and memories. She feels embarrassed and worried about how the messages sound to family members and friends.
"When you text my family late at night, saying I need help, they are now all worried about me having a seizure," she said.
After six months, Meta responds
In May, after 10 attempts to reach Meta's media department through email and social media, Stone responded to Public Investigator and asked for an email address to send Kangas an account reset link.
When Public Investigator contacted Meta two days later for an update, Stone said the company's investigative team was unable to identify a Facebook profile linked to Kangas' email address.
A Public Investigator reporter explained that was because hackers had changed the email and phone number affiliated with the profile — information that had also been stated in previous outreach to Meta's communications team.
On June 4, nearly seven months after Kangas' account was first hacked, Stone told Public Investigator that the company had successfully secured her account.
Facebook emailed Kangas a password reset code to restore the account, which she said allowed her to regain access to her account in minutes. She didn't understand why the resource was not offered sooner.
"I have all the pictures of my loved ones that have passed away that I couldn't get to because I couldn't get in the account," Kangas told Public Investigator. "So I feel like weight lifted off my shoulder now that I'm back into it."
Tactics for protecting your social media accounts
Over the past decade, a variety of tactics have emerged for social media users to protect their accounts from hackers.
Salo recommends establishing multi-factor authentication on social media accounts. Multi-factor authentication is when an account requires a password and one or two additional security questions to be answered before granting access.
Salo said there are many types of internet scams, like phishing emails with fake links and ransomware. But the reason why hackers target Facebook and Instagram accounts is because they can masquerade as the account owner, she said.
"If you can convince somebody that one of their friends or their family members is in serious trouble and needs money right away, well, you can get money from people," Salo said. "So impersonation scams are the big ones that I would be concerned about."
According to Stone, Facebook uses automated technology systems and teams of account reviewers to detect "potentially violating content and accounts on Facebook and Instagram."
Stone did not answer follow-up questions from Public Investigator, including why emails to Meta's press team about Kangas' account went unanswered for six months, why the company does not maintain a live chat or customer service help line to address user concerns, and whether there are risks to linking Facebook and Instagram profiles.
Instead, Stone provided a list of security tips to avoid account compromise.
The tips include picking a strong password and not sharing it across platforms, keeping an eye out for malicious software, and using two-factor authentication on Facebook and Instagram accounts.
Since restoring her account, Kangas has started to delete several posts the hacker made to her feed requesting money and Cash App payments. She is also notifying friends of the page's recovery.
When asked what she wishes Facebook would do in the future to prevent experiences like her own, Kangas said, "I just wish they would take the reports more seriously."
Tamia Fowlkes is a Public Investigator reporter for the Milwaukee Journal Sentinel. Contact her at tfowlkes@gannett.com.
More tips for protecting your Facebook account from hackers
The federal Cybersecurity and Infrastructure Security Agency recommends four strategies for protecting your digital security and personal information online:
- Turn on multi-factor authentication. After opting in to multi-factor authentication, users are required to enter their password in addition to another security question to log into their account. You might be asked to enter a pin number, receive a confirmation text or push notification on your phone, or use fingerprint or face ID to access your account.
- Turn on automatic software updates in all of your devices. Experts say that systems that have not been updated are more susceptible to flaws and gaps in the system that allow hackers to access an account. To set up automatic updates, check your device settings.
- Use strong passwords and a password manager that generates and stores unique passwords for your digital accounts. Some popular password managers include Bitwarden, 1Password, Dashlane, and, for Apple users, the macOS password manager Keychain. Passwords should be at least 16 characters long, be unique and never used anywhere else, and, ideally, be randomly generated.
- Think before you click. According to the Cybersecurity and Infrastructure Security Agency, 90% of successful cyber attacks start with a phishing email. If you receive an email, link or message that says you need to change a password or verify personal information, consider whether that message is coming from bad actors.
Here is more information about how Facebook handles account violations:
- Learn more about how Meta detects account violations
- Facebook's guide for monitoring malicious software
- Facebook's guide for users seeking to regain access to hacked accounts
About Public Investigator
Government corruption. Corporate wrongdoing. Consumer complaints. Medical scams.Public Investigatoris a new initiative of the Milwaukee Journal Sentinel and its sister newsrooms across Wisconsin. Our team wants to hear your tips, chase the leads and uncover the truth. We'll investigate anywhere in Wisconsin. Send your tips to watchdog@journalsentinel.com or call 414-319-9061. You can also submit tips atjsonline.com/tips.
