Someone has stolen my Instagram account (twitter.com/dannyjhall)
976 points by testloop 25 days ago | 333 comments

I think this is indicative of the biggest problem we have had with social media: there is no legalism here, just "codes of conduct" that companies and users both willfully ignore.

If your handle gets sold by some facebook employee to a rich kid in LA, what recourse do you have? I don't know what laws this would break (maybe some broad definition of fraud? I Am Not A Lawyer) so it's not like this person has a slam dunk legal case...

We have no external arbiters of online interaction, no well-respected third party we can go to to arbitrate. The last defense is the mob, potentially shaming the companies in question into recanting. I've seen it happen on this very website multiple times. But it is not sustainable, it does not scale, and it allows the companies to keep fucking with people who can't make their injustices known.

I think this goes a bit broader than just social media. It really has to do with the concept of ownership of words/handles/subdomains on third-party systems.

Who owns a twitter handle? Who owns an Instagram account handle? Do people with trademarks have a right to their trademark on a third-party system?

I work at AWS. Some of our services allow you to customize subdomains (AWS SSO, as an example). There have been customers (typically large enterprises) that assert they should have rights to a specific subdomain within AWS. These subdomains typically relate to their business name or various trademarks.

Should these customers have rights to these names? If I'm a small business (or perhaps an individual) and reserve companyxyz.amazonapps.com, should a company have recourse to take that away from me?

It's a question that hasn't really been collectively answered within the digital space. And until this question is answered, there are going to continue to be issues.

Precisely what I was going to link this to: the early (and now, TLD-expansion) domain name ownership mess.

The US (and seemingly other countries) trademark system is woefully underspecified for the modern world. Among other issues:

- Enforcement, given an exponential explosion of user-created public content with increasingly sophisticated tools

- 1:1 design & physical matter copying

- Likeness-intended / indistinguishable deepfakes

Trademark skated by on "Would it confuse potential customers?" for decades, but we're at a place where that's no longer sufficiently precise.

There's also the international issue. Different countries can have conflicting trademarks. So if you've got a valid trademark for "ACME, inc" from the US, and someone else has a valid trademark for "ACME, inc" from the UK, who gets the ACME domain/TLD/subdomain/twitter handle/etc? Both can get legal judgements in their respective countries!

Forget about international, within a single country you can have identical trademarks in different areas of business [1]. That's why I think we're stuck with first-come, first-served as the only fair way to allocate shared namespaces. I'm pretty sure there was an Apple Ford on the main street in my hometown -- if they get "@apple" first on the next hot social media service, why should anybody be able to take it away from them?

Apple Corps v Apple Computer

I'd say if you only own "ACME, Inc" in the US (UK), you only get to register acme.co.us (.co.uk). In this case, when no company owns an international ACME trademark, there should be a body that maintains acme.com as a simple text-only disambiguation page showing you links to each ACME, Inc with a description in the respective country's official language(s). I am nearly certain there is already a discussion buried at the end of some RFC about exactly this problem and proposed solutions, which weren't implemented because the good-enough solution was way cheaper than adding trademark disambiguation to the assigned names system.

If the new owner is an imposter trying to be the old owner, it would be identity theft and fraud. If it's just giving the handle to someone else there is nothing. If you don't pay for an account, you don't usually own it unless there is something I'm missing.

If you want to own your identity on the internet, get a website you own and don't rely on shady social-media networks that give you something for free.

It's remarkably hard to actually "own" anything on the internet. The act of paying for something or not does not dictate what's your property - ASNs are leased, IPs are leased, domains are leased, connections are leased and you'll need to either pay or use someone else's to host something on the internet. The closest you could come is legacy IPv4 space and not rely on traditional infrastructure such as DNS.

Most registrars have decent trademark policies but again it's the internet. Just because you have a trademark in your country doesn't mean someone else doesn't elsewhere or that the registrar is going to care 5 years from now when the ToS change on renewal.

If you want to be securely verifiable on the internet you're better off being searchable and signing your content. The hard part is finding people that care enough to verify who you are in a decentralized manner for that to matter though.

Interestingly you can "own" an Onion address for a Tor hidden service quite easily. You know the private key and nobody else does, so nobody can take your address away from you.

Yeah .onion addresses fall into the bucket of signing things (which works) and trying to get people to care enough to use it (which usually doesn't outside of extreme niches).

An interesting note on Onion addresses though is the top supercomputer is already at the level to be able to brute force collisions for any onion address in a little over a decade. I expect within about 10 years when this becomes a more imminent problem names will become longer.
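To make the "you know the private key and nobody else does" point concrete, here is the Tor v3 onion address derivation as an added example (not code from either commenter): the 56-character name is just base32 of the public key, a two-byte SHA3-256 checksum and a version byte, so the name is a pure function of the key pair and only the key holder can serve it. The 32-byte key below is a constructed placeholder standing in for a real ed25519 public key.

```python
import base64
import hashlib

# Tor v3 onion address layout (Tor rend-spec-v3, section 6):
#   onion_address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion"
#   CHECKSUM      = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
#   VERSION       = 0x03
# PUBKEY is the 32-byte ed25519 public key of the service's identity key pair.
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
ONION_ADDRESS_LEN = 56  # 35 bytes * 8 bits / 5 bits per base32 char, no padding


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256 over the tagged public key and version."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the .onion hostname from a 32-byte public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str) -> bytes:
    """Validate a v3 address and return the embedded public key.

    Raises ValueError for a wrong length, an unknown version byte or a
    checksum mismatch, the same checks a Tor client applies before it
    will even attempt a connection.
    """
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != ONION_ADDRESS_LEN:
        raise ValueError("v3 onion addresses are 56 base32 characters")
    raw = base64.b32decode(host.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError(f"unsupported onion version {version.hex()}")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address was mistyped or tampered")
    return pubkey


# Constructed placeholder key: NOT a real ed25519 key, just 32 fixed bytes so
# the example runs offline. A real service uses the public half of its key pair.
SAMPLE_PUBKEY = bytes(range(32))


def demo() -> dict:
    """Show that the name is a pure function of the key and is self-checking."""
    address = onion_address(SAMPLE_PUBKEY)
    recovered = parse_onion_address(address)
    # Flip one bit of the key: a different key holder gets a different name.
    other_key = bytes([SAMPLE_PUBKEY[0] ^ 0x01]) + SAMPLE_PUBKEY[1:]
    other_address = onion_address(other_key)
    # Tamper with the encoded name: the last base32 char carries the low bits
    # of the version byte, so changing it is rejected before any lookup.
    tampered = address[:-7] + "e" + ".onion"
    try:
        parse_onion_address(tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "address": address,
        "key_round_trips": recovered == SAMPLE_PUBKEY,
        "different_key_gives_different_name": other_address != address,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Every valid v3 address ends in "d" because the version byte 0x03 occupies the final base32 character; a registrar or platform has no field in this scheme to reassign, which is exactly why ownership here reduces to key custody.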

If it's known that you are the owner a court can theoretically take it away from you. (Or at least jail you if you don't hand it over.)

That's the same level of ownership that you have over anything physical, which is the level of ownership that the comment I was replying to was saying is hard to achieve on the Internet.

Just because a fee is due annually doesn't mean you don't "own" whatever it is that you "lease".

In the real world, you still have to pay taxes and HOA fees on real estate property that you own; plus, have to put up (or finance) a huge deposit in order to "own" it. Same goes for any other large property like cars.

You're talking about trademarks, but trademarks themselves often require renewal every 10 years, where you have to continue paying a renewal fee in order to continue to "own" it.

The question of ownership comes down to whether you have a right to that renewal. As long as you keep paying the fee, you have a right to continue using that trademark, unless legal action is taken to challenge it.

Can you say that about your Twitter handle? Do you have a legal right to keep using that Twitter account, and if Twitter tries to give the account to someone else, can you get an injunction preventing them from doing so? (Now, same question but for your FB, Instagram, email, domain name, etc etc.)

I wonder how Let's Encrypt and other certificate authorities handle disputes over domain transfers?

A DV (domain validation) certificate shows the content came from the person in control of the domain (i.e. can change DNS records or change the server content) not that the person in control of the domain is "who it should be". With that in mind the person who can show current control is able to generate new certificates and issue revocations for old ones.

OV (Organization Validation) and EV (Extended Validation) certificates get into the "is it who they say to be" but Let's Encrypt won't issue those. What all getting validated entails is a bit more in depth for each of these and so is the revocation.

The ultimate protection in cases like domain transfers is limited lifetimes though. Gone are the days where the last guy likely had a 2+ year cert for the domain. Let's Encrypt is 90 days max and it's increasingly hard to get even 1 year from traditional players.

Platforms charging $1/year for a social media account seems like a reasonable solution to a number of problems.

That's really not a bad idea: like you own a domain, you own your federated account on a platform; you can self-host it or put it into their cloud (costs $1/month)... yes, yes, I know Mastodon or Diaspora, but Facebook and Twitter should be forced to go a "federated" way; with that they could rip out most if not all of the problems they actually have, and you have all the rights you want (if you host it).

Interestingly, this is the same issue we're seeing in the Senate: in the void where formal rules of procedure should exist, we're left with 'traditions' built entirely on the shaky premise that everyone is acting in good faith.

No matter who did the take-over, whether it's a Facebook employee or not, it would likely fall under a wire fraud.

This is most definitely against Facebook's internal policies. Therefore, the employee "exceeded access rights" on a protected computer system, by doing something they clearly were not allowed to do. That is a violation of the CFAA (Computer Fraud and Abuse Act), which is a federal felony. Further, the person that actually has possession of the account is likely guilty of either bribery or "honest services fraud" [1] for inducing an employee to break the law in exchange for money or other enticements.

[1] Honest services fraud

The term 'legalism' probably isn't what you're looking for here. I think 'Law' would be better suited.

The biggest problem is that a lot of these companies no longer have support for the average users, so, you simply have no way to escalate the issue, other than Hacker News or the like.

It's this support-through-Hacker-News phenomenon that must be addressed. One CDN is especially notable for doing this -- they may delete your site w/o an explanation, and then if it blows up, their CEO or CTO comes here to say not to worry, that you can always contact him directly here through HN or the special email. What if you don't have or don't know HN? We never get any follow-ups or postmortems for these incidents, either; with the companies brushing the whole incident as a private matter, never respecting the wishes of the user to share the details publicly, never sharing the details with the user itself, either.

P.S. Looks like Danny Hall got the account restored a few hours ago with all the pics; but he didn't seem to have received any explanation, either; probably never will.

You’re assuming the attacker was telling the truth about “knowing someone” at Facebook. More likely they figured out how to bypass 2FA (e.g. sim swap, socially engineered a customer service account recovery workflow, etc.)

Yes, that's the simplest explanation. Not that Instagram is above giving an existing nobody's account to a VIP, but they're not going to do that without wiping its content, and notifying the nobody first.

> notifying the nobody first

They certainly never do this. SOP is just to swap the existing account to a different name.

Hey, I knew you on IRC a long time ago. You hooked me up with some SuperVPN proxies that worked for a few years. I left the scene about the same time because of YUI's arrest- I wanted to say thanks. I've been thinking about HTP and co a lot recently, because of my work. Also want to thank you for pwning r000t.

Whoa, a blast from the past. I vaguely remember you. Wonder what YUI & co are up to these days

I don't think the "theft" of the username would break any kind of law, as this was a company decision (since it was done by an employee) and the username was never your property anyway. I'm assuming that employee definitely violated some internal policies, but nothing from a legal point of view.

The only recourse I can see from a legal point of view is that they seem to have handed over the entire account (as the followers seem to have been carried over), which contains private data including DMs, stories, archives of deleted pictures, etc. Given that the original owner of the account is based in the UK, GDPR should apply. I wonder if people he talked to via DMs (as well as those with private accounts who granted his account access) would also have a case, since Facebook's actions have disclosed private conversations & contents of private accounts to an unauthorized person.

I don't have a Twitter account, but if someone could suggest to this person that they complain to their local data protection regulator (the ICO in the case of the UK) that would be great.

I think the OP's point was that there _should_ be a law, and that the current legislative framework is insufficient.

There are plenty of laws that would give rise to remedies in this situation. Contrary to popular belief, tech companies aren't invincible to lawsuits. Neither is the guy operating the stolen account.

The issue isn't whether or not there are theories under tort or contract that would cover remedies here - they would. The issue is whether or not this is something that's economically feasible to get in front of the courts - it's not.

OP is simply ignorant. There are many laws that would make account take-over an illegal activity - it would depend on what exactly the perpetrator did, but wire fraud and criminal conspiracy most likely apply.

If the OP's point is about consumer protection in case of any dispute with online provider, there's maybe a tiny bit of truth, but that's not a criminal law.

If the OP's point is whether there's sufficient enforcement and investigation for account take-over, that would be correct, but it's not clear if society would be better off spending large resources on investigating those when there are much more serious crimes not being investigated sufficiently and when companies are generally making reasonable attempts at providing protection.

There is absolutely a legal theory, and that is fraud. If you claim to be someone you are not, and someone relies on your false claim to their detriment, you are liable.

It's likely that Facebook was defrauded here, or that an employee of Facebook breached his employment contract. In either case Facebook would have standing to go after the fraudster/employee, but the account "owner" might not.

My point was whether Facebook itself committed a crime and whether the account holder had any recourse against Facebook. To me it doesn't look like it - the username remains the property of FB and they are free to do anything they want with it.

It might take an open-minded judge to accept this, but attorneys often fall back to common-law negligence when there are no stronger legal theories to rely on.

All the elements of negligence seem to be here, except probably for duty of care. A judge would have to find that Facebook owes a duty of care to its users to protect the integrity of its identities, and that Facebook breached that duty.

I can foresee Facebook and other information service providers fighting vigorously against such a legal conclusion, but maybe it's just the kind of law we need.

If somebody hijacks your account, they get access to all your DMs and other private info. Are you claiming that all that is fb's property, too?

Fraud seems a stretch. Maybe if you used your handle for commerce and someone stole it & attempted to sell the same product.

It doesn’t strike me as litigation you’d be likely to win.

> Maybe if you used your handle for commerce and someone stole it & attempted to sell the same product.

That would be an example -- but certainly not the only imaginable one -- of reliance and detriment, both of which are necessary elements of fraud.

>and the username was never your property anyway

Usernames can be associated to content and brands that have been made on other platforms. I wouldn't be so sure about this.

It's not only the user name. It's the photos, chats, etc.

Of course one should back up the photos outside Instagram or any other service, but I have no idea if Instagram allows that. For WhatsApp on Android it's as easy as syncing the pictures folder on the phone to my computer. Then I back them up with all my other files.

I wonder if the justice department would go after somebody who overtook Donald Trump or another high-profile official. They might make the case based off national security as the legal rationale. But otherwise I do agree with your point.

Maybe it is against the terms of service? So it'd be a violation of a contractual agreement?

But no money changed hands, so not sure about that.

Contracts don't have to involve money, just something of value on both sides.

And yet, you might find yourself being held legally accountable for what's posted

Do you

A) Trust the competence of the government to understand the nuance of technology to not pass a law that takes into account all of the unintended consequences. During the dog and pony show when the House had the 4 tech CEOs testify, one representative asked Zuckerberg about Twitter’s policies.

B) The impartialness of judges, prosecutors and regulators? Trump is now trying to get a law passed because he didn’t like Twitter’s policies. Would judges appointed by the current administration be more likely to rule in favor of “Planned Parenthood” or “Black Lives Matter” if they both made a claim over @blm?

As far as a third party: I would much rather have an independent non-profit set up, with FB and Twitter guaranteeing funding for them over 10 years, and they do binding arbitration. They would hopefully be better informed.

> I think this is indicative of the biggest problem we have had with social media: there is no legalism here, just "codes of conduct" that companies and users both willfully ignore.

This is a good thing! If Congress is given the task of creating "modern" Internet legislation, they're almost certainly going to fuck it up somehow. We got a taste of this when Orange Man threatened to nuke Section 230.

Lost your Instagram account? Dude, that is nothing. I lost my company in Shit-hole country Estonia and 20k with it.

"I think this is indicative of the biggest problem we have had with social media: there is no legalism here"

I think the concept of law does not go very far in Estonia.

You're gonna have to elaborate on that.

I am an e-resident and I "bought" a company in Estonia from another company in Estonia, owned by a Russian scamster. Both companies do exist and are in "good standing".

Estonian authorities don't care about criminal activities, wire fraud or money laundering. In fact, I wasn't even able to get a case number or in most cases even an answer. So this guy is selling the same company over and over again. Not a bad business for him.

In the end, if you think about it, this may be the whole idea of the eResidency. It has become very difficult for companies held by eResidents to open any bank account in Estonia since banks are smarter and are afraid to be cut off from international money transfers. Most of these companies therefore hold bank accounts in other EU countries. Mostly new online banks.

Regarding the Estonian law enforcement, why should they care? It is hard to explain something to a man if his salary depends on not understanding it. And in the end all these companies bring in revenue.

All leads will point you to cybercrime [AT] politsei.ee. From dozens of emails I never received any reply. It seems not to be monitored. Funny.

Have you detailed this online somewhere (e.g. a lengthy blog post) or similar?

If no, please do so and point people at it. There isn't much/any info about this kind of problem with eResidency companies. Getting the info to be widely known will help in getting it addressed. At least for the next people. :/

Why the downvote?

Because it's unrelated to the topic at hand? If what you say is true then it's interesting but that's not really the place to discuss it.

We were talking about there being no "legalism" and accountability in this thread. (Kapura)

I’m pretty sure PlugWalkJoe is behind this. Someone here mentioned the “dead” account on IG and I remembered, for some reason, Krebs talking about that in his article about the Twitter crypto attack. Either this was a SIM swap or someone in that group has gotten access to IG internal tools just like they did Twitter. I’ve Tweeted @dannyjhall about this.

PlugWalkJoe owns “dead” on IG: https://krebsonsecurity.com/2020/07/whos-behind-wednesdays-e...

Danny’s new account follows “dead” and two other “OG” accounts: https://news.ycombinator.com/item?id=24608990

There's no evidence to back the user's claims. This sounds like "Hey my dad works at Xbox and will ban you". There are other ways to compromise an Instagram account, like sim swapping (https://krebsonsecurity.com/2018/05/t-mobile-employee-made-u...)

An interesting aspect to this story is that although there's no real evidence that a Facebook employee was involved, it still seems like a believable explanation to many readers, including many commenters here. If a company's customer support is so bad that no one can tell the difference between being hacked and being abused by a rogue employee, does it actually matter what happened? I guess that it matters to the original poster, and I do hope that they get their photos / account back, but in either case the message I'm taking away from the story is the same: your Facebook account could disappear tomorrow and you'd have no recourse.

Users here will believe any conspiracy theory so that's not really a high bar. I'm serious. There was that massive 2000 comment thread the other month about some big company doing something evil and then it turned out they didn't do it.

Everyone who was right and informed in the original thread was greyed out by users here.

It's not conspiracy theories, it's any story about a big company doing something bad or evil. Or any story that confirms the worldview of the most active HN commenters.

Any story about Facebook, Instagram, Twitter, Google, Uber, or PayPal doing anything negative tends to bring out the most cynical commenters. HN is usually a skeptical crowd, right until a story arrives that fits their worldview.

The false story about Apple's refund policy that garnered 2000 upvotes before being retracted is a prime example ( https://news.ycombinator.com/item?id=23987584 ). When it was in the #1 spot, several people tried to correct the story in the comments. They were heavily downvoted. For some reason, the majority wanted to believe a random Twitter comment over actual iOS app developers trying to correct the misinformation.

Likewise, stories about psychedelics being miracle cures tend to rocket up the front page despite deeply flawed studies (no control group, usually). Meanwhile any study showing negative effects from psychedelics or cannabis tends to get picked apart for small sample sizes or the evergreen "correlation is not causation" no matter how good the study was.

The real problem is assuming that HN is somehow immune from the same problems as other social media platforms. HN is very much a social media platform.

> It's not conspiracy theories, it's any story about a big company doing something bad or evil. Or any story that confirms the worldview of the most active HN commenters.

> Any story about Facebook, Instagram, Twitter, Google, Uber, or PayPal doing anything negative tends to bring out the most cynical commenters. HN is usually a skeptical crowd, right until a story arrives that fits their worldview.

It's these companies that are cynical, not my worldview!

Nearly every single allegation about these companies doing something sneaky, evil, greedy, and underhanded has turned out be completely true.

When Uber was doing grey-balling, it turned out to be true. When Uber had made a secret agreement with Apple to have their app take screenshots in the background, that was true. Just off of the top of my head I can think of so many preposterous sounding incidents that turned out to be 100% true.

I would assert that people were completely correct to just assume that Apple was doing something shady with the app store. I think it is kind of naive to give Apple the benefit of the doubt at this point.

Absolutely. Being wrong in practice doesn’t matter at all as long as you’re right in principle.

Haha all too true. I say this as a user of psychedelics.

In any case, just for posterity, the actual event may well have happened, I'm just commenting on whether "HN believes it" has any impact on the truth of whether it happened or whether that company's reputation is shot.

To be fair in that situation, despite the fact that it turned out that Apple didn't actually do the thing in question, it was explicitly in their developer agreement that they were entitled to.

Something is less of a "conspiracy theory" when there is explicit evidence written down in a contract that supports it.

It's not only a conspiracy theory. If you hear about the bully at school stealing someone's lunch, you would be inclined to believe it's true, even though you were not there at the time.

Plenty of abuse and mismanagement from these companies have affected a lot of people, to different degrees, and that sets a precedent over which we all subjectively evaluate their actions.

Just last month I had a Twitter account for a side gig banned for absolutely no reason and with zero explanation. I am more inclined to believe the "rich kid from LA" story than the "hack"/"sim swapping" whatever nonsense. Why? Because I see it happening all the time, everywhere.

For anyone who missed it, here’s the original thread that made the false claim on Twitter that Apple keeps it 30% cut when a customer requests a refund: https://news.ycombinator.com/item?id=23987584

Here’s the follow up retraction: https://news.ycombinator.com/item?id=23995750

Maybe that’s because 90% of the time it turns out the company did do it?

I’d be interested in knowing what thread that was though.

It seems like most of the high-profile examples lately have either been false or misleading.

Just to check, I looked at all posts with over 1000 points in the past couple of months where a big tech company is accused of doing something "evil" to the little guy. They are:

1. Tell HN: Never search for domains on Godaddy.com (1656 points) - https://news.ycombinator.com/item?id=24506303

The OP accused GoDaddy of registering a domain for itself after the OP had added it to their cart. It turns out that many people were searching for the same search terms and someone else just happened to register it via GoDaddy on the same day.

2. Google is apparently taking down all/most Fediverse apps from the Play Store (1313 points) - https://news.ycombinator.com/item?id=24304275

The OP implied that Google was banning all Fediverse apps with no recourse for the developers. But it turned out that Google was asking developers to block logins to a set of unmoderated instances that are known to be full of hate speech. Some developers refused, but it seems like most did not, and are doing just fine.

3. When a customer refunds your paid app, Apple refunds its 30% cut [edited] (1243 points) - https://news.ycombinator.com/item?id=23987584

The original title and tweet said that Apple keeps the 30% cut. The author turned out to be misinformed.

> There was that massive 2000 comment thread the other month about some big company doing something evil and then it turned out they didn't do it.

Can you link to this? Not trying to be meta, I just don't believe random claims on the internet without any evidence.

I just posted links as a sibling comment to yours although none of the links contain a 2000 comment thread.

My anecdata says that HN users are among the least likely on social media to believe conspiracy theories. They actually tend to err on the side of skepticism. It's very common to see someone say, "Yes, this could be malice, but it could also be incompetence."

I think this is partly because so many of us have worked in (or with) the targets of most conspiracy theories: government and large corporations.

I think HN users are convinced in their immunity to various things: propaganda, conspiracy theories, advertising. I also think HN users are very good at coming up with reasons for why this might be the case.

There is some evidence of some kind of takeover though. Searching for site:http://instagram.com/danny in google, the first result is the following:

    Danny (@danny) • Instagram photos and videos
    www.instagram.com › danny
    8690 Followers, 134 Following, 100 Posts - See Instagram 
    photos and videos from Danny (@danny)

This is still in Google's cache. The current instagram profile is very different.

That’s...not evidence of a facebook employee being implicated. It’s actually not even evidence that the account even swapped hands!

The victim is a real person with a PhD thesis that anyone can read.

Why would someone jeopardize his reputation by using his real name on some kind of staging of a fake account swap? I kindly disagree with your second sentence.

> It’s actually not even evidence that the account even swapped hands!

Do you honestly believe a jury of average people would agree with this proposition? It seems contrary to common sense.

Keep in mind that there is a significant difference between what meets the relevancy bar in court, and what is logically probative. See, e.g., https://www.law.cornell.edu/rules/fre/rule_401

> That’s...not evidence of a facebook employee being implicated.

The account messaged and said a facebook employee was involved. It isn't proof, it isn't strong evidence, but it is evidence and an implication that a facebook employee was involved.

> It’s actually not even evidence that the account even swapped hands!

Similarly the change in account usage pattern isn't proof but it is evidence.

It's believable though. The culture around "OG" accounts really is that weird.

It's easy enough for a Facebook policy team to confirm this one way or the other by looking at the logs. If this gets enough visibility I assume that will happen.

This reminds me of the federal indictment against consultants bribing amazon employees.

If Instagram account takeover favors can occur, how much do they cost?

It can be incredibly difficult to get that traction - I know Patrick Grey of Risky Business has mentioned in passing that he's occasionally helped local-to-him small businesses who have been locked out of their Instagram accounts, because it's basically impossible to get assistance except through well-connected folks.

It's easy, but remember that it is not a policy team who will decide what to say publicly, but the PR team, which in Facebook's case has a sociopathic/capitalist culture of putting profits above everything, and so they will decide whether confirming it either way will generate more negative news about that event than leaving it ambiguous.

Here's a screencap of Philip Kaplan's newsletter from 2017 where he claims a friend at Instagram helped him get @DistroKid, which was registered but inactive:


That's not necessarily evidence of rogue employees being able to steal accounts for their friends. That may just mean that they had a friend at Instagram that helped them trigger the official process to delete an inactive account and give the name to someone who plans to use it.

In practice, it's the same thing: you have no way to know that this is not what happened to @danny, the consequences are the same.

It's unlikely that this is what happened to @danny, unless their account was inactive.

Similarly, I "took over" https://github.com/tasuki by simply messaging the customer support. They said it wasn't being used and I could have it.

The difference is that this is a documented GitHub policy [0]. I’ve done the same for a handle that didn’t have any activity in its entire history. AFAIK neither Instagram nor Twitter have similar policies (though I somewhat wish they did).

[0] https://docs.github.com/en/free-pro-team@latest/github/site-...

The author's girlfriend had to re-follow the account, which implies the original followers were replaced with Danny's.

In the new Danny's screenshot, it shows that he's followed by three other "OG" account names: "blood", "murder", and "dead". Furthermore, the screenshot was taken from another account, otherwise it would have shown as "This account is private" (Try viewing your own Instagram profile while logged in and private). Whoever was viewing it was therefore friends with Danny, 'blood', 'dead', and 'murder'. In other words, someone interested in OG accounts, or one of new Danny's alternate accounts.

Finally, it would be truly bizarre if new Danny immediately implicated a friend at Facebook before anyone asked him how he got the account. If this was true, I would suspect new Danny would be going to great lengths to hide the fact, rather than trying to hand the excuse out before anyone even asks. This guy just stole someone's Instagram account. He's hardly a credible source.

I wouldn't rush to conclude that a Facebook employee did this. It sounds like the kind of excuse someone would give to pretend to be coming from a position of internal power rather than appearing to be the result of a hack.

It doesn't surprise me at all, actually. These idiots brag about this to friends constantly and try to make new connections inside the companies to exploit. I have a very short Twitter that people try to take over constantly, and by virtue of being on the platform early, I've accrued a few "OG" accounts for various projects or whatever. When someone stole one of my accounts that I didn't use anymore by having their friend take it over, I had my friend look into it and they reversed it.

The account jacking idiot then messaged me trying to get me to put them in touch with my friend so they could try to help them get other accounts and bragged about how he was just going to take some of my other accounts that he somehow knew belonged to me despite there being no link to one another outside of what would be Twitter-internal data. It was the most brazenly ridiculous thing I've ever encountered, but I'm assuming it's an ignorant kid who doesn't realize the possible consequences or a really dumb adult.

So, I can totally believe the idiot would just blurt out how he got it because that gives him clout amongst his miscreant "OG account" friends.

I assume there is no evidence except an account full of pictures of the guy?

Maybe the employee claim is wrong, who knows, but determining who owns the account should be trivial. And frankly, given what we know about how the Twitter "hack" went down (rate limits? sign offs? resetting 2FA? impersonating accounts?!) it is fully believable.

Well, the difference between "hey my dad works at Xbox and will ban you" and this is that this is now past tense. So it would be a case of you getting banned on Xbox and someone going "Yeah, that was my dad".

If that was the case why would FB be marking the issue as resolved?

Kinda depends on the specifics of the issue. "I can't login." Send password reset, new account owner says thanks, all good. Resolved.

Because the process for that is automated. It sends you an email to see if you own the account and then asks people on your friends list to verify.

That's how it works on Facebook.

So if you have full control, you will pass these tests.

It's possible that the new owner is notified when an issue is submitted and is able to mark the issue as resolved, or IG notes that someone is using the account and assumes there is no longer a problem.

I don't know, but it sounds like the issue was resolved (correctly or incorrectly) the first time, so the user started filing a ton of issues, which were automatically marked as duplicate. Now he's spamming the white hat security form (https://twitter.com/dannyjhall/status/1310231761444581385), which is not likely to get him a response.

“Spamming?” If repeated complaints about an issue the company won’t resolve is what we call spam now, I’m speechless.

Spamming the white hat security bug program won't get him an answer, because he's not reporting a security flaw.


I don't understand how he is 'spamming'.

He is a “free” user, what duty does Facebook owe him?

Ah yes sure you don’t pay Google a dime, so don’t you worry if you lose your account tomorrow, it’s not like anything is owed to you. Say bye to verroq@gmail.com

Not sure what your point is because that’s happened to people and they have no recourse.

That being the status quo doesn’t make it acceptable?

Are we talking legal duty or “not being an asshole” duty? I’d argue it’s at least the latter, where the case should be pretty clear.

Because there's no proof of any malicious activity. It could very well be that the guy Tweeting is trying to take over the account.

That could be completely made up. He could just be saying this to stir outrage at facebook and that’s why the tickets are being closed.

There’s really no evidence of anything at all.

Then we would like an answer from FB about what occurred. The handwaving away about "nothing to see here" up and down this thread isn't a satisfactory resolution to the issue at hand. Someone alleges their IG was stolen and they allege that FB is batting away tickets about the issue. It would be nice to see FB respond to this. The urgency is compounded by the fact that Amazon had its own little insider's ring of people providing "extra" services to people for a price.

That depends on whether the Authenticator app was used or normal SMS messages.

You can 2FA on twitter with the Authenticator app. There is no indication that OP was using SMS 2FA, and you would suspect that they would have mentioned that their phone stopped working if in fact they were sim swapped. I agree there is no proof it was an inside job but it seems plausible.

I think he would have noticed if his phone network was dead by now.

Agreed. Is anyone really going to risk their cushy FAANG job to give their buddy a cool handle? Possible, but seems far fetched.

I have seen this happen firsthand on several occasions at several companies, and it’s a well documented risk vector. You see it for things like username takeovers, and also ad account reactivations.

Typically it is not the people with cushy jobs, but those working for vendor companies (moderation, customer support, etc) who have little investment in the company, are barely making minimum wage, and are more than happy to flip a few switches in the dashboard for a few thousand (or less).

People with positions of power are regularly found to take bribes that wouldn't even be a 1/10th of their normal paycheck. Power tripping is a recognized phenomenon, and greed makes people do irrational things sometimes.

The lower-level jobs aren't as "cushy"; I don't see an engineer doing this but I can definitely see a junior in a lower-level customer service or similar administrative role do this.

You cannot imagine how many times I have caught people red-handed with that mentality: "screw the policy, my friend needs a loan/credit card/etc". A bank can and will drag you to court and rip you a new one. That said, not all banks are scummy enough to create cards/loans for clients without their knowing. Some actually play by the book.

Anyway, yes some people think that because they are good enough at what they do, they will be given a pass when caught. Unbeknownst to them, if any auditors catch them, then the "jokers" can start updating their CV.

> Is anyone really going to risk their cushy FAANG job to give their buddy a cool handle? Possible, but seems far fetched.

Given the kind of ethically vacuous tech-bro who might join FB in 2020? Not _that_ far-fetched.

Ethically vacuous doesn't mean stupid though, and I doubt they will jeopardize a lucrative career for a quick buck or bragging rights in front of their friends.

People do this all of the time, and there is nothing about jumping through Facebook interview hoops that prevents people from making immoral decisions for personal gain once they're an employee.

You might even argue that joining Facebook is an example of "making an immoral decision for personal gain", therefore any Facebook employee has track record at that.

Except if they're sure they won't be caught.

Isn't that how actual crime works?

I doubt the low level customer service is a cushy FAANG job. Probably all contractors as well.

I'm like 90% sure there was an article about Shopify employees stealing customer data just recently. Not FAANG, granted, but it's still a traditional way of data leaking or accounts being stolen. Inside jobs aren't exactly a rarity.

[0]: https://community.shopify.com/c/Shopify-Discussion/Incident-...

Yup, here it is, just five days ago.

People have done a lot stupider things for less.

This happened a while back to Brian Hoff’s wife, he was able to eventually get it back: https://medium.com/@behoff/they-say-nothing-will-change-5c54...

Oh, man. I was skeptical about OP's Facebook employee hack thing at first, but then I read this medium write up. Not good.

This is a very common thing. In fact influencers and FB employees publicly and loudly talk about this method and no one stops them. "Hey I'm visiting fb headquarters anyone want a new @ or a checkmark?" Why do random fb employees even have this capability?

Just because some vacuous air bag says it, doesn't make it true.

Instagram is basically the school playground, but sadly unlike in real life, people can make a career from being "playground" popular.

> vacuous air bag

Colloquialism: 100% understood.

Reality: 0% possible...unless this 'air bag' is full of 'empty'.

In other news, always be careful breaking the neck of a CRT...you'll let the vacuum out!

"Vacuous" doesn't mean vacuum: https://en.wiktionary.org/wiki/vacuous

> Why do random fb employees even have this capability?

Assuming that's what happened here, it's because to them it is pure coincidence that the market values these database entries at all.

Like sure, at this point they know it means a lot to people and inspires many other people and can affect entire markets that they are unaware of, but from their perspective it isn't "god mode", it's "lol ok, wanna hit up sushi for lunch later?"

Didn't a similar thing happen with a famous Soccer player?

Yes. Instagram’s explanation was they thought the account was an impersonator of Andrés Iniesta and disabled it/gave it away.

Usually if Instagram wants your account they add underscores to the original handle like they did with @sussexroyal.

And this is why I’ll never use Facebook or Instagram again. I can’t even begin to imagine the angst the OP is going through right now. Imagine if it was your business? My sister uses Instagram exclusively to market and promote her beauty salon business. I can only imagine what her reaction would be if something like this happened to her (really my only reference). Letting people have access to data lets people manipulate that data. Whether this was an insider giving his friend the account or it was hacked and taken over, it doesn’t matter how; things like the OP’s situation should NEVER exist.

Basically, you can't trump physical access...


This is not Wikipedia

I live with a FB employee. Most of my close friends are FB employees. I've literally never heard this.

Well, thank God for that, because with that kind of authoritative observation we can close the books on this one permanently. Dodged a bullet there, didn’t we? Pitchforks down, everyone, ‘mrits has this one in hand.

This is an extremely well-known phenomenon. This is the third time I’ve heard of it happening to an OG. It’s pretty common knowledge that the right teams inside Instagram look the other way; what’s a user going to do, sue? People are making money.

I’m sure your roommate who works on Tupperware or whatever wouldn’t know a thing about it, but Facebook is also roughly the size of Romania, so perhaps your front row seat to the inner workings of an organization that also legally compels your roommate to not tell you things isn’t as end all as you’d assume.

Hint: I work at Facebook.

It's not an extremely well known phenomenon at all. Asserting things while being overly emotional and aggressive isn't evidence.

So: Citation needed.

So are you asking for screenshots from my email of the thread where everyone came together to agree on the terms and execution of the conspiracy, or?

Also, sarcasm isn’t an emotion. I’m English, so perhaps consider that my culture of challenging someone is different from yours before projecting whatever big bad horrible emotional troll hurt your feelings once. Facebook is literally more employees than even populate this dreadful site, but someone says “my roommate’s brother’s uncle by blood works there and I’ve never heard of it so it’s plainly false” and we’re all to just fawn over the precious insight?

I’m sorry, I’ll try again: thanks, ‘mrats. Very brave.

[Rhetorically expresses curiosity at what those terms might have looked like, broadly speaking]

Not the obvious, like "everyone's going to look the other way", but more like... target account upper watermarks, "motivation threshold" (ahem), internal tracking (if any), collective opinion on precedent, etc.

Oh, and scale.

In your estimation, what percentage of Facebook employees know about such extremely well known schemes?

I think this thread firmly establishes the range of such a proportion, but we’ll need the n of ‘mrits social network to arrive at a number. It’s somewhere between “they know a few people” and “their entire waking life is surrounded by Facebook employees” (poor soul) which also bounds our calculations.

This is openly discussed with bemusement on my non-Instagram team is what I can say.

Yes and I work remotely at AWS and I never hear the FC workers talking about working conditions....

All of the big tech companies are so large and have their hands in so many pots that even working at a company as the equivalent of an L5/L6, you are out of the loop about most things that go on.

I had this happen to one of my accounts, it got taken over by someone, I don’t know how, but I moved heaven and earth to reach someone at Instagram to no avail. It confirmed in my mind that the employees of Facebook and Instagram could not care less about any of us unless we are making the money.

Well, duh? Does any company care about people who aren’t carrying the bags of money?

As far as I’ve seen - companies only care about the whales because any other mentality is a money losing one.

It's sad and upsetting, but when will people learn that Facebook, Google et al do not care at all about individual users? Their model simply does not factor in the worries of a single user.

(Worse is how they want to propagate the idea that software should be free and of highest quality, thus preventing any communal attempts at creating different models.)

I advise everyone who has an account to at least download their data to keep a copy of it: https://www.facebook.com/help/1701730696756992

> when will people learn that Facebook, Google et al do not care at all about individual users?

When will people learn, not just Facebook, Google et al, but no large company cares about individual users? Coca-Cola, Delta Air Lines, Ford, Unilever, Visa, Walmart do not care about individual users.

Not because all of them are bad, but simply because they physically cannot deal with every complaint. Even worse, when they become better at handling complaints, people start complaining more. So they focus on some more important complaints, and some users get thrown overboard. This is sad, but this is inevitable.

That said, it would be great to have paid technical support. You have lost access to a Google account (hacked, lost password, not logged in for two years, whatever), pay $100-1000 (if it's really valuable to you), and a special qualified person will do a proper background check (e.g. call your employer) to verify that you really are who you claim to be.

It's a little different with Facebook and Google, because unlike the other companies you mentioned, users are not the customers of Facebook and Google -- advertisers are. There is very little incentive to make their users happy when their users are not paying for the service.

> It's a little different with Facebook and Google, because unlike the other companies you mentioned, users are not the customers of Facebook and Google -- advertisers are.

This is so tiring.

Also, I've been paying Google real money for half a decade or so, so I am definitely their customer.

That said I'm well aware that that doesn't seem to mean anything in Google land and I might be thrown out for anything tomorrow with no explanation and no way to get my account back except complaining in social media.

It's still true on an institutional level, though.

Paying customers at Google are pin money, AdSense is bread and butter.

If there's a conflict, AdSense wins, period. There's a firmly entrenched culture where user accounts are a cost center, to be managed "at scale", that carries over to paying accounts. That attitude shouldn't carry over, of course; nonetheless, it does, as you recognize in your last paragraph.

> There is very little incentive to make their users happy when their users are not paying for the service

This is plainly obviously wrong.

When users are not happy, they leave the service, and advertisers stop paying.

Even more, companies are much more afraid to lose users than to lose advertisers. Companies can live years without advertisers (by borrowing money, for example, or by burning reserves), but if a company loses its users, the company is finished.

Yes, in some way. But sole complaints are simply not hurting FB. How many of the people complaining would've used Instagram otherwise or even gone as far as closing their account? I doubt they can even zoom in on their dashboard far enough to see the impact.

The real problem here is that for a single account, you're far more dependent on Instagram than Instagram is on you.

> you're far more dependent on Instagram than Instagram is on you

Same way, if you have a Ford car, you depend on Ford much more than Ford on you.

> But sole complaints are simply not hurting FB.

Same as complaints on bad Ford service don't really hurt Ford.

Anyway, that has nothing to do with the fact that users of Facebook are not paying Facebook.

> There is very little incentive to make their users happy when their users are not paying for the service

This quote is very incorrect. I'm not going to argue that Facebook/Google support is good or bad, I'm just pointing out this statement is false.

> Same way, if you have a Ford car, you depend on Ford much more than Ford on you.

But the latter is contractually obligated to help you to some extent due to warranty etc. Also, Ford has far less lock-in than Instagram.

> > There is very little incentive to make their users happy when their users are not paying for the service
>
> This quote is very incorrect.

I'm not disagreeing with you here; I'm disagreeing with your point that users are (far) more important than advertisers. Single-user complaints or unhappiness tends to be ignored, I doubt the same is true for advertisers. The recent Reddit changes, for example, show this very clearly (to be fair: I don't have an FB-example as I don't follow it in any way).

That actually isn’t true now that Oculus is requiring Facebook login.

Something like that does exist for Google account access problems - you can pay a few dollars (which also ties you to a presumably-authenticated credit card, and so helps authenticate you to Google) for an expedited response.

Never heard of it. Can you share some link please?

It's a part of Google one, no idea how good it is though.

When will people learn that capitalism literally doesn't give a shit about people.

Capitalism is an economic and political system.

An economic and political system technically literally cannot care about people, same way as temperature, gravity, philosophy or history cannot care about people.

This is extremely reductive. Temperature or gravity are not composed of people, who have the ability to make change within the system they comprise.

Let me rephrase.

Too high or too low a temperature environment can hurt people. People with a soldering iron can hurt people. People putting other people in the fridge can hurt people. Just temperature is not something which can do anything to anyone.

Capitalist companies, people living in capitalism, governments under capitalism, taxes and so on may be good or bad for people.

But saying "capitalism does not give a shit about people" is just literally nonsense. Of course it doesn't because an economic and political system is not an actor.

I could infer from the original comment that all actors under capitalism "do not give a shit", but that's obviously untrue. For example, Wikipedia lives under capitalism and benefits from the capitalist system, and obviously it is good for people.

I could assume that the author meant a very narrow group of actors when they said "capitalism", but I won't, because I will likely be wrong about understanding what the author really wanted to say (rich people? all people? large corporations? any corporations? including non-profits? and so on). It would be better if the author added some clarity to their comments. It would be better if the author said exactly what they wanted to say without throwing around literally meaningless socialist slogans.

Well, socialism (in its original form, not USSR-style "socialism") for example is an economic system that, by its definition, cares about people and their wellness. Capitalism, in contrast, is an economic system that, by its definition, doesn't care about people or their wellness. Just like democracy is a political system that cares about the people, whereas monarchy is a political system that doesn't.

If you want to be pedantic, you can say that the proper phrasing would be something like "socialism is an economic system whose defined goals are people's wellness", "capitalism is an economic system whose defined goals have nothing to do with people's wellness (they are profit for the owners of capital, and perhaps innovation)". But "caring for" is obvious shorthand for this.

You can, of course, say that individual actors living under any of these systems may or may not care about the people, and that's true. But the system itself may be designed with or without the people in mind, and different systems fall on different sides of this idea - for better or for worse.

I really don't like these oversimplifications.

It is like saying, railroads don't care about people, railroads are only interested in trains moving fast and reliably.

Or it is like saying, doctors (even under socialism) don't care about people, they only care about getting their salaries.

Smarter people make one step further concluding that fast and reliable trains are beneficial to people, doctors heal sick people, and capitalism generally make people wealthier.

> capitalism is an economic system whose defined goals have nothing to do with people's wellness (they are profit for the owners of capital, and perhaps innovation)"

Adam Smith's first book is called "The Wealth of the Nations", not "The Wealth of the Richest People in Power".

I would not go that far to define a "goal" of capitalism. It is just a system of rules and principles, there's no goal in it.

And these rules and principles are profitable for both capital owners (they can grow their capital) and for regular dudes (who can be paid better because the market provides them with more opportunities to pick different jobs and higher quality jobs, and who can use cheaper goods and services).

I'm sorry, but this still treats capitalism as some rigid, immutable force. This is demonstrably untrue. We, today, have capitalism shaped by the will of the people. The degree to which we allow it to be shaped is the actual point of contention, not the malleability itself.

I also find it unfortunate that you'd choose to represent such potential flexibility in the system as "meaningless socialist slogans." That makes it feel like you're not engaging in good faith with the central argument.

> That makes it feel like you're not engaging in good faith with the central argument.

There was no argument besides that socialist slogan.

I could get arguments like:

Large companies are inefficient under capitalism, they provide less value than they take from the society.


Capitalism is a very inefficient system of distribution of goods and services.

But there were none.

The argument is pretty clear to me: without holding corporate feet to the fire, we will suffer to varying degrees by their will.

If that's your definition of socialism, well, I'd argue that you do not actually know what socialism is.

I’ve read somewhere that Facebook even embeds tracking pixels in the HTML of the data export, so keep this in mind if you ever actually look at the exported data.

Would you be kind enough to post more information about this?

Google produces irrelevant results no matter what I try (searching anything about Facebook tracking pixels brings up tons of marketing-related SEO spam) so I suggest someone with a Facebook account just tries it and reports back. Until then, better safe than sorry, assume the worst (which at this point should be the norm when dealing with the company we're talking about) and proceed accordingly.

They don't for standard pictures, but they do embed their own metadata.



You may be thinking of PhotoDNA which is used for different purposes


I have heard images are also marked

Images on public Facebook are indeed marked (a unique ID is embedded in every picture's EXIF data) so I wouldn't be surprised if the exported ones were too (not necessarily for malicious reason even, if the images are being marked at upload time, Facebook may not even have the original unmarked image anymore).
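An added example, not from this thread or from Facebook: a small pure-Python JPEG segment scanner you can run over an exported image to see which metadata containers it carries (APP1 for Exif/XMP, APP13 for Photoshop/IPTC) and to pull out any IPTC "Special Instructions" (record 2:40) values that start with a given prefix. The comment above says the ID lives in EXIF; the scanner lists every APPn segment so you can check both containers. The sample JPEG bytes are constructed inline (not a real photo), and the `FBMD` prefix and the instruction string are assumptions used only for illustration.

```python
import struct

# --- constructed sample (not a real photo) -----------------------------------
# A minimal JPEG: SOI, an APP1 Exif segment with an empty IFD0, an APP13
# Photoshop segment wrapping an IPTC block, then EOI. No image data at all.

def _segment(marker, payload):
    # JPEG segment: 0xFF, marker byte, 2-byte big-endian length (includes itself), payload
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

def _iptc_record(record, dataset, data):
    # IPTC IIM tag: 0x1C, record number, dataset number, 2-byte length, data
    return b"\x1c" + bytes([record, dataset]) + struct.pack(">H", len(data)) + data

def _photoshop_irb(iptc_block):
    # Adobe Image Resource Block 0x0404 carries the IPTC data inside APP13
    name = b"\x00\x00"  # empty Pascal string, padded to an even length
    body = (b"8BIM" + struct.pack(">H", 0x0404) + name
            + struct.pack(">I", len(iptc_block)) + iptc_block)
    if len(iptc_block) % 2:
        body += b"\x00"  # resource data is padded to an even size
    return b"Photoshop 3.0\x00" + body

def build_sample_jpeg(instruction):
    """Constructed JPEG whose IPTC 2:40 'Special Instructions' holds `instruction`."""
    exif = b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 0)
    iptc = _iptc_record(2, 0, b"\x00\x02") + _iptc_record(2, 40, instruction)
    return (b"\xff\xd8" + _segment(0xE1, exif)
            + _segment(0xED, _photoshop_irb(iptc)) + b"\xff\xd9")

# --- scanner ----------------------------------------------------------------

def scan_jpeg_segments(data):
    """Walk the header segments of a JPEG and return [(marker, payload), ...]."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos, segments = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI, or SOS: entropy-coded data follows
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments

def metadata_segments(data):
    """Names of the APPn metadata segments present, in file order."""
    names = {0xE1: "APP1 (Exif/XMP)", 0xED: "APP13 (Photoshop/IPTC)"}
    return [names.get(m, "APP%d" % (m - 0xE0))
            for m, _ in scan_jpeg_segments(data) if 0xE0 <= m <= 0xEF]

def extract_iptc_from_app13(payload):
    """Return the raw IPTC block (resource 0x0404) from an APP13 payload, or b''."""
    if not payload.startswith(b"Photoshop 3.0\x00"):
        return b""
    pos = len(b"Photoshop 3.0\x00")
    while pos + 12 <= len(payload) and payload[pos:pos + 4] == b"8BIM":
        res_id = struct.unpack(">H", payload[pos + 4:pos + 6])[0]
        pos += 6
        name_len = payload[pos]
        pos += 1 + name_len + ((1 + name_len) % 2)  # Pascal string padded to even
        size = struct.unpack(">I", payload[pos:pos + 4])[0]
        pos += 4
        block = payload[pos:pos + size]
        pos += size + (size % 2)
        if res_id == 0x0404:
            return block
    return b""

def parse_iptc(iptc):
    """Return {(record, dataset): [values]} from an IPTC IIM block."""
    out, pos = {}, 0
    while pos + 5 <= len(iptc) and iptc[pos] == 0x1C:
        record, dataset = iptc[pos + 1], iptc[pos + 2]
        length = struct.unpack(">H", iptc[pos + 3:pos + 5])[0]
        out.setdefault((record, dataset), []).append(iptc[pos + 5:pos + 5 + length])
        pos += 5 + length
    return out

def find_embedded_ids(data, prefix=b"FBMD"):
    """IPTC 2:40 values starting with `prefix` (the FBMD prefix is an assumption)."""
    found = []
    for marker, payload in scan_jpeg_segments(data):
        if marker == 0xED:
            for value in parse_iptc(extract_iptc_from_app13(payload)).get((2, 40), []):
                if value.startswith(prefix):
                    found.append(value.decode("ascii", "replace"))
    return found

if __name__ == "__main__":
    sample = build_sample_jpeg(b"FBMD0100000example")  # constructed value
    print(metadata_segments(sample))
    print(find_embedded_ids(sample))
```

To use it on a real export, replace the constructed bytes with `open(path, "rb").read()`; if `find_embedded_ids` comes back empty but `metadata_segments` still lists APP1, the identifier may be in Exif rather than IPTC, which this scanner only enumerates, not parses.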

This reminded me of an article I read a while ago about Instagram employees selling verification... one of the sources mentions they also sell accounts, but the story is mostly about selling verification.


Previously discussed here: https://news.ycombinator.com/item?id=15156790

The arbitrariness with which these companies rule over our digital lives infuriates me more from month to month. We do our best to fight dictators in the physical world but somehow accept them in the digital realm.

While they do have power over users on their platform, they're voluntary applications that people choose to give control to for convenience and publicity. Unlike credit bureaus who actually ruin peoples' lives with their carelessness and you can't even opt out, social media apps are purely opt-in, and you don't get your wages garnished or bank accounts emptied or lose your ability to drive because of them.

And while I hope danny gets his username back, and it's ridiculous what happened, the value of the user account handle that danny had was created by Instagram's efforts. You don't have property rights to it the same way you own actual property or a domain name registered under your name.

>While they do have power over users on their platform, they're voluntary applications that people choose to give control to for convenience and publicity.

It's true a username isn't property, but there are some instances where merely conferring a certain status has such an enormous impact on people's lives that there are certain legal protections around it. Your job, for example.

One could argue that digital identity codes like domains and social media usernames have become similarly important. Entire businesses, extremely profitable ones sometimes, can be tied to a single username.

I’m with you to a degree, but if most anyone’s email account vanished, or worse was stolen, I’d be pretty confident guessing that they’re screwed.

For more typical social media, losing a decade of pictures is pretty harmful. It’s not about the value of the @danny handle, it’s also about the account being gone. And the privacy issues if the new person got all the DMs and private info.

You're right that these things are devastating when they happen, but pre- social media, they happened all the time. Every year, half the people born in [year-21] lose their university email accounts (including their google drive, etc.) and eventually transfer to another email just fine. Before online identity, people lost their phone numbers and had to inform friends that they switched to a new one. You'd get the previous owner's texts, and have to tell them you just got that number. Or if you moved addresses and you would get the previous owner's mail, and the same would happen to you due to postal errors. People lost their pictures because of disk failure, fires, and other means, and would continue living happy and productive lives.

Post- social media, if people are backing up their data, then the problem is pretty much nil (chances that your social media account and your local storage both go kaput at the same time are pretty small).

Of course email isn’t new and neither are phones. Things like 2FA are new, as are other things assuming you still have the phone and email you signed up with. The problem isn’t the thing, it’s the services that rely on the assumption that you still have the thing.

> social media apps are purely opt-in, and you don't get your wages garnished or bank accounts emptied or lose your ability to drive because of them.

... Until you say something verboten, that is.

> they're voluntary applications

...in an unfree economic system (patents and IP give monopolies) with a black box money system (money is an enclosed protocol). Cooperative Open Value Networks are the future. [1]

[1] http://mikorizal.org/

Here's a prediction for the future: This will be the first and last time I hear about "Cooperative Open Value Networks".

Speak for yourself. You might accept them, but I do not. Not being on Facebook has its problem in a society that is mostly on it, but it is possible.

It is a nuisance to the people around you. If they're organizing something and make a FB/VK event for it, someone will have to bother themselves with relaying you all the updates via your preferred communication channels.

We need working federated social media asap.

everyone in the gang is doing it and the party is so much more fun once you took some ...

Talking to your friends specifically and directly is a nuisance?

In this context he's not wrong. Planning a party (for example) might involve a lot of discussion about time, food etc. It's far more complicated to organize this with everyone and find a common denominator compared to simply putting people in a group, with everyone giving their input when needed.

Yes. Some of my friends have a VK event for their birthday party that they reuse annually. Much more convenient than chatting with everyone individually or making a group chat (but then everyone needs to be using the same IM service so this problem comes up again).

In the end, if you're not on whichever social media service is popular around you, you're missing out.

“It’s murder out there. You can’t even travel around your own microcircuits without permission from Master Control Program.”

— Crom, Tron, 1982

Agreed. Only way to fight back is to quit those platforms.

Well said. There should be really good laws for these companies. Sadly Google/Amazon haven't yet received the same bad PR as Facebook. The amount of data both collect is enormous.

I've often pondered this. Might be going out on a limb here but tech workers aren't typically the sorts of people espousing the tenets of Fascism. Why is it that the companies they work for invariably end up leaning that way?

I don't believe this is something inherent in Capitalism either. If I had an issue with any other kind of business the experience would be vastly different.

In most other industries there is actual competition, so companies benefit by providing exceptional customer service. Due to the winner-takes-all network effects of social media platforms, they can get away with treating individuals poorly since there are no real alternatives. If Instagram were separated from Facebook then both would have an incentive to improve.

You're welcome to start a zine to reach your audience, but nobody owes you a platform they built and pay for.

You can just... stop using their services. I deleted my Reddit and Twitter accounts a year or two ago, and have missed out on absolutely nothing of importance. Digital "life" is totally impoverished.

We can build a better web using p2p architecture/tech. Come join us: https://developer.holochain.org

A friend of mine lost access to his Instagram account that was blocked for impersonating others (he shares the name with a known person). He had no recourse for six months as the form to appeal the decision didn’t work... finally got it fixed in 10 minutes this summer when the form magically worked again

This needs to stop

Danny was deleted a minute or two ago https://www.instagram.com/danny/

I would guess a FB employee is reading the thread

Still there it seems.

It was restored to the original owner, I'm not sure when.

Is this hearsay or is there proof? Aside from @danny saying it was from an fb employee, there’s nothing else to indicate it was, and I wouldn’t trust the word of a hacker/recipient of a hacked account.

I think the biggest 'proof' there is that the twitter account states they haven't received any 2FA requests. Assuming we're taking this as truth then:

1.) Somehow MFA got disabled on the account (or avoided altogether)

2.) Could've got SIM swapped. However this seems rather unlikely, as there are no other reported IoCs which point toward SIM swapping (i.e. can't call or text).

> "I wouldn’t trust the word of a hacker/recipient of a hacked account."

I wouldn't discount it. This isn't some APT that ran a Stuxnet operation. It's someone who allegedly exploited a system to get an og account. The whole reason people want og accounts is because they're a status symbol in some circles.

It's quite likely that someone associated with stealing an og is an immature braggart. So they may do things immature braggarts would do... like talk about their TTP.

Even if the fb employee bit is untrue (I'm also skeptical), it indicates that someone can take over your account like this with no recourse.

Well, no one is taking over my instagram account because I don’t have one, but it does indicate some people are taking over accounts with no recourse.

Well, what should he conclude if support doesn't work at all?

Instagram has poor customer support.

Skepticism is warranted but, did everyone forget about a month (?) ago when an insider and "OG username" people did the bitcoin scam on twitter? It's not an unreasonable assumption that this can happen elsewhere.

I lost my Facebook account last year after someone copyrighted my own profile photos. I got a strike every time I uploaded a selfie, then my account got shut down. This is slightly different from this story, but it shows that Facebook spends zero effort to fix this issue unless the story blows up. I am a political activist in Algeria, and the dictatorial regime there was using some 3rd-party companies to copyright activists' content on Facebook and use it to shut down their pages.

I work at FB and I assure you that if an FB employee is involved they'll be fired right away, and there'll be a lot of records so they cannot escape.

I can understand why someone would need a throwaway to criticise their employer; using one to praise them is a little odd, however.

Maybe they've got other stuff on their main account they don't want their employer to see.

I'll believe you once he gets his account back.

If true, this is despicable and deserves a lot of attention and (maybe) some regulatory response. However, is there a more detailed description instead of a few tweets?

It seems from the posted pictures that the account was stolen, but why does the author think that a Facebook employee or a Facebook company is behind it? An honest question.

The tweet author is believing the words of the guy who stole the account.

Which... I mean, reliable sources, right?

I find it strange that the Facebook employee wouldn't just forcibly change OP's username to something else (e.g. @danny123) then give the desired name to their friend. Actually stealing someone's account seems like an over the top and unlikely way to go about this.

I'd assume there would be bots or just someone trying to sign up with that username by random chance, so they didn't want to leave the username available for a moment.

I'd assume there is a proper, transactional (as in database transactions) way to swap usernames like that but the person who did this most likely didn't have access to it (for good reason) and just did an email change + password reset on the original account.

> and just did an email change + password reset on the original account.

But isn't that why the user had 2FA on? Why can someone change the email + switch off 2FA; you would want only 1 of these would you not? If you tell support you lost your email and 2FA, that would be very unlikely, so why would it be so easy to set that up?

Are there immutable logs with credentials for this kind of action and how easy is it for employees to access / change it; I mean why would many people have the permission to take this action? Especially without some kind of flag that there is something up with the account (like unused, flagged content etc).

I'd assume CS has the possibility to disable 2FA or change the phone number it's associated to.
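As an added example (not code from the thread, and not Facebook's or Instagram's tooling), here is a small Python model of the two controls asked about above: an append-only, hash-chained audit log for privileged support-console actions, and a detector that flags the takeover pattern the thread describes (email change, password reset and 2FA disable on one account by one support actor within a short window) while leaving a routine single 2FA reset alone. It also covers the earlier inference that "no 2FA prompt was received" points at 2FA having been disabled rather than satisfied. The action names, actor IDs, ticket text and the 30-minute window are assumptions; the log entries are constructed sample data.

```python
"""Constructed example: hash-chained audit log for privileged support actions
plus a detector for the email-change + password-reset + 2FA-disable pattern.
Hypothetical model; action/actor names are assumed, not any real system's."""

import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that, taken together by one actor on one account, look like a takeover
# rather than a routine "I lost my phone" ticket (assumed action names).
TAKEOVER_ACTIONS = {"email_change", "password_reset", "2fa_disable"}
WINDOW = timedelta(minutes=30)  # assumed correlation window


class AuditLog:
    """Append-only log; each entry commits to the hash of the previous entry,
    so editing or deleting an entry in place breaks verify()."""

    def __init__(self):
        self.entries = []

    def append(self, ts, actor, action, target, detail=""):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"ts": ts.isoformat(), "actor": actor, "action": action,
                "target": target, "detail": detail, "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self):
        """True if every entry's hash and back-link are intact."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "hash"}
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def find_takeovers(entries, window=WINDOW):
    """Return (actor, target) pairs where one actor performed every action in
    TAKEOVER_ACTIONS on the same account within `window`."""
    by_pair = defaultdict(list)
    for e in entries:
        if e["action"] in TAKEOVER_ACTIONS:
            by_pair[(e["actor"], e["target"])].append(
                (datetime.fromisoformat(e["ts"]), e["action"]))
    hits = []
    for (actor, target), events in by_pair.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {a for t, a in events[i:] if t - t0 <= window}
            if TAKEOVER_ACTIONS <= seen:
                hits.append((actor, target))
                break
    return hits


def build_sample_log():
    """Constructed sample: one routine CS action, then a takeover sequence."""
    log = AuditLog()
    t = datetime(2020, 9, 28, 10, 0)
    log.append(t, "cs_1", "2fa_disable", "alice", "ticket 4411: lost phone")
    log.append(t + timedelta(minutes=5), "cs_2", "email_change", "danny", "no ticket")
    log.append(t + timedelta(minutes=6), "cs_2", "password_reset", "danny", "no ticket")
    log.append(t + timedelta(minutes=7), "cs_2", "2fa_disable", "danny", "no ticket")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("log intact:", log.verify())
    print("suspected takeovers:", find_takeovers(log.entries))
```

The point of the chain is not that the log cannot be destroyed wholesale, but that a single entry cannot be quietly edited or dropped by the same person who performed the action; the detector then runs over the verified entries rather than over whatever the console happens to display.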

Good reminder that all "your" messages, photos, private data etc never belonged to you. It always belonged to Facebook and they can do whatever they want with it. Including deleting everything on a whim if it pleases them.

How do we change that? We go back to personal websites that you fully own. All of those platforms have been proven to be highly unethical (especially Facebook). Trusting them with all your data has always been a bad move. We need to take back ownership of our platform.

I lost my Insta account a year ago. I have explored all possible ways to fix it. Really all. Was working on it for six months. But Facebook didn't provide any real way to restore the access. Even though I had my phone number verified before. If you don't have good connections or can make a social media storm, it is impossible to get the account back.

But it turned out I was authentic enough to remove my account. Not to regain access, but to delete it, yes. Which I did.

It is one of many moments during the last year when Facebook gave me the cringy feeling that I am not a valuable product for them.

It's part of ToS you can lose your account at any time for any reason. And it's their first rule.

And yet, that rule is stupid. By your logic Instagram could just give @kyliejenner to some random person, and you think she would have no recourse? You think it would be acceptable for someone at Instagram to do Kylie Jenner a personal favor and give her `@kylie`, and the person who currently has it should have no recourse? Kylie is just an example person with a larger following; I'm not implying that this happened, is happening, or that she is in any way involved in this practice.

People like to make the claim that "a handle or username has no value" which is just insane. If it had no value, people wouldn't try to steal them.

If the first line of a bank ToS was "you can lose your account at any time for any reason", would you think that is acceptable? No, because money _obviously has value_. Usernames have value, and in some cases, usernames have more value than many people's bank accounts.

"you can lose your account at any time for any reason" is just an excuse to avoid any concept of _public_ user support.

> And yet, that rule is stupid.

Doesn't matter. They can still do it to anyone anyway.

> But your logic instagram could just give @kyliejenner to some random person, and you think she would have no recourse?

Well yes. They (Facebook) own the platform, it's a privately owned company and they can do whatever they like either via the ToS or in general. You don't own your account handle. They reserve the right to terminate your account or disable the handle at any time.

> Well yes.

Strong disagree. If Facebook tried this against anyone with a moderate following there would be a Tortious interference and/or fraud lawsuit filed _immediately_.

When Trump's twitter account was deleted by a rogue employee for all of 10 minutes, Twitter most definitely did not just sit back and say "We reserve the right to terminate your account at any time".

> it's a privately owned company

I know this is going to sound pedantic, but this is wrong. Facebook is a publicly-owned company.

> I know this is going to sound pedantic, but this is wrong. Facebook is a publicly-owned company.

No the original statement was correct, your statement is wrong. If you want to really be pedantic then Facebook is a public company that is privately owned.

A publicly owned company [0] is one that is owned by a government. A public company [1] is one whose shares are traded on a public stock exchange.

[0]: https://en.wikipedia.org/wiki/Public_ownership

[1]: https://en.wikipedia.org/wiki/Public_company

Most people don't have any influence. And that rules don't apply (or at least apply just selectively) to powerful people is no surprise either.

What is the purpose of this comment? It has the appearance of being a defense of an unjust status quo. Is that your intent? Or do you think a "reminder" of the existence and consequences of unjust power structures serves some other, useful purpose? It doesn't, but I'm interested to know your rationale.

I'm just saying that platform's behavior to top users, doesn't say much about what they can or can't do (or are doing) under their ToS to normal people.

Do you think this isn't obvious? Why do you take the time to point it out?

The purpose of the comment seems fairly straightforward and highlights exactly what was originally claimed, that the section of the ToS that claims Instagram can close any account for any reason is only true for people who have no influence or notoriety. It is not true of public and/or influential figures who could have a strong claim against Instagram for arbitrarily deciding to close their account.

That one set of rules apply to people in power and another set of rules apply to the general population is certainly something to take into account.

Do you think that this comment provides new information to literally anybody who is reading it? Given the answer is obviously "no", what do you think the actual effect is? Do you understand that it reads as a defense of the status quo?

It's not my logic. It's in the ToS. They can terminate that account. And what can they do afterwards is unspecified, so presumably they can do anything, except for sharing private data from that account with someone else.

Banks' baseline behavior is ruled by law and national banking regulations, not just some ToS. That's probably why paypal and similar are in no rush to become real banking institutions.

No? Where do you see that?


Alright, looks like DDG returns this for the first result of "tos instagram":



And it's an old ToS. Looks like they softened it up since then. But it was quite unequivocal back then. ;)

I'm thinking even with 2FA there can be a way of asking support to reset your password; that's probably what happened.

Because OF COURSE people set up 2FA without getting the recovery codes, or use SMS (why is that even an option? I don't get it).

Edit: some ideas here from a phishing expert https://twitter.com/RachelTobac/status/1310264189861019649

These companies care a lot about scaling their stack. But nobody gives a shit about scaling support and handling these kinds of issues.

Regardless of the technical aspect of whether this is possible or not (I like how a random commenter here claiming he's from Instagram is asking people not to trust a random tweet with a screenshot), I don't see the problem, as some suggested, as a lack of regulation in social media. The issue is really the blind trust people have put in these companies. Losing the username is one thing, but losing access to messages and potential private images on there is the actual pain, maybe not for this guy specifically but in general. Having your private conversations on these platforms, your entire business or a huge portion of your marketing, or your main way to "connect" with others is the problem. It's like leaving your door and windows open for a week and then being surprised that your house got robbed. It might not happen, but it's a huge risk. The solution is easy: don't entirely depend on these platforms and don't store valuable data there.

Reminds me of when Instagram stole some dude's account and just handed it to the "Royals" https://www.instagram.com/sussexroyal/

Poor dude was like a WAU for years and Instagram just went 'nah' and gave it to royals.

Your account isn't yours, it's Instagram's. They don't care about you or your photos or your likes or friends or connections either.

You don't own stuff that you post on the cloud; the cloud is just somebody else's computer.

Correct. I'm sure we all knew that already. Took a while for non-technical users to realise this.

Unfortunately, via the hard way.

Social media accounts can be worth real money in the right conditions. It might be time to start having some real regulations around these things. If my bank account was hijacked, the bank wouldn't be able to just ignore my pleas. I remember seeing a YouTuber who made a living off her account get her account hijacked about a year ago, and it took months to resolve the issue. YouTube didn't really help her at all until it became quite public.

Sadly, with companies like Google and Facebook, HN is the only way to get a resolution. Nobody cares about you. They look into it only when it affects PR.

> companies like

Any company with a large number of users. It is not specific to internet companies. If you complain to McDonald's, you don't really expect a proper investigation of that wrong burger incident.

> If you complain to McDonald's, you don't really expect a proper investigation of that wrong burger incident.

Apparently McDonald's franchisees take complaints from corporate very seriously, much to the dismay of their often teenaged employees.

Apparently, Google/Facebook contractors take complaints from Google/Facebook very seriously. What's your point?

The claim that "wrong burger incident" won't be investigated by McDonald's is incorrect. McDonald's takes problems like that very seriously.

When you got poisoned and had to go to the hospital, then yes.

If it was ketchup instead of curry, or if they put 8 nuggets instead of 9, I very much doubt so.

> If it was ketchup instead of curry, or if they put 8 nuggets instead of 9, I very much doubt so

Sorry, but I've ordered a specific burger at McD's dozens of times: very occasionally they mess up the order, at this point you take the wrong burger straight back to the counter with your receipt, they (always!) apologise profusely, then immediately make you a new one the way you ordered it.

Sure, but try to send a complaint about that burger using a web form on McD website a week after the incident.

Or try to complain about their phone app not working.

You'll get the same amount of care as internet companies.

> Sure, but try to send a complaint about that burger using a web form on McD website a week after the incident.

There's a phone number you can call and report wrong orders to, and they'll send you coupons for free meals for your effort.

> If it was ketchup instead of curry, or if they put 8 nuggets instead of 9, I very much doubt so.

According to the people I know who worked at McDonald's, wrong orders that are reported to corporate are taken very seriously. Corporate gives the person who reports the errors coupons for free meals.
