This is the #1 problem with google/facebook/other giant companies - zero due process. They build a business around minimal human interaction with our staff and it shows when real problems come up.
I'm frankly sick of hacker news being a facebook/google/whatever ticketing system. And yet, there's no alternative.
I remember for a while after Meta bought Oculus, they still had a Human support system. People whose Facebook accounts had been hacked/reset/whatever were buying Quest/Quest2s so they could get support for their Facebook account. It's obnoxious the extremes we have to go to. Especially when these representations of ourselves might reflect on us poorly through no fault of our own, and we have no recourse.
As opposed to zero support now though. They only really need a queue. People would accept it if support got to their ticket in like a month from when they put it in. Hell, they could even charge for customer support like $50 per hour or whatever and people would gladly pay it.
How many languages does FB support in how many different legal jurisdictions?
If you hire the cheapest WFH customer support in the world, and provide a minimal service that was slow as heck, you couldn't even set up a global program legally and in most languages for users for $10 million a year even if you charged for support tickets.
It's one of those things that we script in to make it feel more comfortable for humans - add in those little things that we're used to.
I'm reminded of a national tour put on by Nissan for the All-Electric LEAF when it first came out. We were told by our presenter that there was an aluminum cover under the hood designed to look like an engine block - apparently it was discomforting to people to open the hood and not see that component.
I almost guarantee they have an inside man that they pay off to do this for them.
I mean, they are crypto bros. They can crypto pay someone under the table.
There's no transparency or even a support system. If the person gets caught, 99% chance facebook just lets them go. Their internal ticketing/debugging/support systems are very likely outsourced or low-pay workers or foreigners, and it won't be worth it to the company to sue them. Then people will know it happens.
The problem is, Due Process means a human - probably paid very little - gets the power to overrule any technical controls. So maybe your account is protected by $$$ A+ security, no chance it can be breached, but oops, the "Due Process" person was just handed $100 cash to override that and allow this random person to become Justsignedup.
So you might actually be better off with a Google situation where the company can't be bothered to hire anybody to be in that role, than a situation where they hire a bunch of minimum wage workers in the cheapest economy with plenty of Internet and don't care about oversight.
Ha, they don't even 'hire' those people, they are contractors not employees. Contractors don't get benefits, unemployment, etc. And they can be short-term contracts where you cannot get back-to-back contracts, so constant turnover.
I disagree, I think the #1 problem with the people who run giant companies is they conspire with elected officials and others in the ruling class to keep and hoard wealth and power over others.
One of the major problems with social networks is zero due process, and clearly corporate backed networks manipulate and censor their users in pursuit of the above (e.g., see Twitter Files), but lack of fairness is not unique to corporations. Moderators who are drawn to the role "out of the goodness of their hearts" are among the most vicious, petty, vindictive, capricious, hypocritical, narcissistic, and unjust arbiters I've ever encountered. They also are the best of the best, but those ones are few and far between, and many tend to burn out as communities grow whereas the former type are a dime a dozen and thrive in the role. This is the main reason why I'm not all that hopeful for mastodon or not-corporate social networks.
> So you're maybe thinking "Instagram must have a process for this, something you can do when your account is hacked?" and the answer is... kinda, but also it's completely useless. You follow the account hacked form on the website and it just endlessly redirects you to the "I need help logging in" page. If I follow the "I can't login" process for the handle they stole Instagram wants me to enter a previous password for the account, which I can't do because it's brand new (I tried).
My mom got hacked last week and I helped her recover her account and was absolutely appalled at the state of Instagram for this stuff.
* As they said, the official process to get your account back is an infinite loop back to the beginning of the process. If you follow the steps in their guide, you end up clicking a link that takes you back to the guide.
* Craziest to me, the "New Login to your account" email that you get when someone logs in from a new device includes a helpful "click here if this wasn't you" link, but that link is a 404.
* If someone hacks an account without 2FA, the first thing they do is enable 2FA on their own device, and the published process to recover your account no longer works whatsoever. The original owner is not able to turn 2FA off or to confirm it wasn't them. This makes 2FA weaponized as a hacking tool rather than a security tool.
* At this point, the only tool is an automated process where you submit a video of your face to prove it's your account. Online you can find endless complaints by people who run e.g. brand accounts because this facial recognition system doesn't have a face to key off of, and just fails on repeat. Plus I'm pretty sure I could use this to hack an account with a few NVIDIA tools.
I never used Instagram much (anything attached to Zuckerberg is rotten), but I recently tried to log in to check something via desktop. I have email-based 2FA set up, so it said to check my email for the code (while showing me my correct email address).
The email never arrived, I checked the spam folder and all that. After a while I clicked "Send a new code" and got the error "Select a valid choice. 0 is not one of the available choices." Oooooookay. I cleared cookies etc and tried again, and it continues to demand, while failing to send, a confirmation code. But this second login attempt did cause them to send me an automated "New login to Instagram" email.
Lastly, I clicked the Get Support link, and it just pops a dialog that says "If you’re unable to get the security code, you need to use the Instagram app to secure your account." I do not have the Instagram app, and newly installing it while my account is locked would be pointless.
So, I guess that account is unrecoverable now. Great work, Meta.
The underground marketplace for desirable social media handles (OG Handles) was explored in this excellent episode of Reply All: The Snapchat Thief [1].
In that story the basic technique was a SIM-swapping attack [2]. Fraudster calls the cell provider, claims to be the victim and that they lost their phone. Cell provider then ports the phone identity over to a new SIM. After that the fraudster just resets the account's password and gets the 2FA SMS (or even easier, one-time passwords) to their newly connected phone. Don't know if that same basic technique still applies nowadays, but in any case the most surprising part of the episode to me was how large and mature a black market there was for these account handles.
Love how using a VoIP number would totally cancel out that attack, but so many websites require you to have a 'real' phone number. I assume it's mostly to weed out scammers.
Yes and no. No, you can't buy a VoIP number and use it as your contact immediately and indefinitely. You would be amazed at how few companies update their list of VoIP vs POTS/Carrier numbers though. Hypothetically, one could transfer their carrier number to a VoIP provider, and use it for damn near everything. There would be trade-offs [0], of course, but I can attest to its effectiveness as a workaround.
[0] Trade-offs include a glitchy MMS experience, easy, automatic, and built-in call-recording, IVR capabilities to screen unknown callers, voicemail transcription, and the ability/requirement to use an email client as your SMS client. Though you then get to treat SMS and calls as device agnostic - desktop, laptop, tablet, and phone all send & receive SMS and voice calls.
There are hundreds of data brokers selling this type of info. An attacker who has a few minutes and a few dollars to spare will be able to acquire the average person's phone number. The underlying sources vary a lot.
Look up your own name or your friends on a site that is owned by or uses Intelius data, e.g. https://www.addresses.com/ - For many people (not all), their phone numbers come up right away. There are probably 500 different companies or websites doing the same thing.
Maybe I just have better data hygiene than average, but I found that site to be absolutely hilarious. I was able to find myself, but my address was several years and several moves out of date. My phone number was decades out of date and not even really my phone number. (It was a landline phone at my mom's house, with an old pre-area code split area code.)
The first one is indeed much closer for me. Still doesn't have my current phone number and while the broad strokes are there the dates are wildly inaccurate. Looking at my immediate family though, I actually seem to have the worst hygiene! It's 0/5 in providing an accurate phone number for any of us.
There’s a black market business being run by Meta employees, selling the ability to take over these accounts from the inside for a price. They then funnel that cash back to family and friends and launder that cash through various other means.
Instagram itself does this kind of thing. Your handle isn't yours anyway, it's theirs. Instagram owns 100% of the handles and you just have to deal with that- same as every site, but Instagram is well-known for stealing your handle and giving it to someone else.
They took somebody's handle and just gave it to the "royal family" who I guess was so entitled beyond belief that they just couldn't take the idea that they would need to pick a new name if the one they wanted was taken.
I read this thread, considered sharing here so I'm glad to see it discussed. If you follow the thread he comes to the "conclusion" or suspicion that it was an inside job.
Yeah, a lot of the discussion here is lamenting the lack of any support, but I'm fascinated to know how they possibly could have gained access.
Given the suspicion that it was an inside job, these two different points have something in common, namely an attempt to access the human infrastructure behind the interface. If that suspicion proves true then people compromising accounts are having better luck accessing Instagram's internal levers for account management.
I have a very short instagram handle that I've never used. People are constantly trying to take it over. I get the email "we've made it easy to get back on Instagram" sometimes hundreds of times per hour. I don't think they have any kind of rate limiting or account abuse protections. It's also true that you can disable Instagram 2FA without 2FA via various Facebook apps, which is ridiculous.
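The comment above says the reset-mail flood shows no sign of rate limiting or abuse detection. As an added example (not Instagram's or Meta's code), here is what a minimal per-account sliding-window limit on password-reset e-mails looks like from the defender's side: each account gets a small number of sends per window, and a burst beyond a higher threshold marks the account as under attack instead of sending anything. The log format, the policy numbers and the sample events are all constructed for the example.

```python
"""Sliding-window rate limiting for password-reset e-mails.

Added example, not Instagram's or Meta's code. It assumes a hypothetical
reset-request event stream (timestamp, target handle, source IP) and shows
how a per-account limit turns a flood of "help me get back in" mails into
a handful of sends plus an abuse signal.
"""
from collections import deque
from datetime import datetime, timedelta

# Policy (constructed values): at most 3 reset mails per account per hour,
# and flag the account once 20 requests arrive in that window.
MAX_SENDS_PER_WINDOW = 3
ABUSE_THRESHOLD = 20
WINDOW = timedelta(hours=1)


class ResetRateLimiter:
    """Per-account sliding window over reset requests."""

    def __init__(self, max_sends=MAX_SENDS_PER_WINDOW,
                 abuse_threshold=ABUSE_THRESHOLD, window=WINDOW):
        self.max_sends = max_sends
        self.abuse_threshold = abuse_threshold
        self.window = window
        self._requests = {}   # handle -> deque of request timestamps
        self._sends = {}      # handle -> deque of timestamps of mails actually sent
        self.flagged = set()  # handles that crossed the abuse threshold

    def _prune(self, dq, now):
        # Drop timestamps that have aged out of the window.
        while dq and now - dq[0] >= self.window:
            dq.popleft()

    def request(self, handle, now):
        """Record a reset request; return 'send', 'throttle' or 'abuse'."""
        reqs = self._requests.setdefault(handle, deque())
        sends = self._sends.setdefault(handle, deque())
        self._prune(reqs, now)
        self._prune(sends, now)
        reqs.append(now)
        if len(reqs) >= self.abuse_threshold:
            # Too many requests for one account: stop mailing, raise a signal.
            self.flagged.add(handle)
            return "abuse"
        if len(sends) >= self.max_sends:
            # Quota for this window is used up; silently drop the mail.
            return "throttle"
        sends.append(now)
        return "send"


def parse_event(line):
    """Parse one constructed log line:
    '<iso timestamp> reset_request target=<handle> ip=<ip>'."""
    ts, _event, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["target"], fields["ip"]


def replay(lines, limiter=None):
    """Replay log lines through a limiter; return decision counts and flagged handles."""
    limiter = limiter or ResetRateLimiter()
    counts = {"send": 0, "throttle": 0, "abuse": 0}
    for line in lines:
        now, handle, _ip = parse_event(line)
        counts[limiter.request(handle, now)] += 1
    return counts, sorted(limiter.flagged)


# Constructed sample: 25 requests against the short handle "ab" within
# 25 minutes, plus one legitimate request for another account.
SAMPLE_LOG = [
    f"2023-06-01T10:{i:02d}:00 reset_request target=ab ip=198.51.100.{i % 4}"
    for i in range(25)
] + ["2023-06-01T10:30:00 reset_request target=longhandle_user ip=203.0.113.7"]

if __name__ == "__main__":
    # Expected: 4 sends (3 for "ab", 1 for the other account),
    # 16 throttled, 6 flagged as abuse, and "ab" in the flagged set.
    print(replay(SAMPLE_LOG))
```

The limiter keys on the target account rather than the source IP on purpose: the comment describes hundreds of mails per hour against one handle, and an attacker rotating addresses would sail past a per-IP limit. In practice the "abuse" decision would also feed a detection pipeline, since a single account attracting that many resets is itself the signal.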
Meanwhile, I got locked out of the old FB account, with a passport scan being the only way they're going to open it again.
Strong password, 2FA, email, registered pgp key, and I still have access to everything, yet they still need to "verify", which makes no sense given they (supposedly) don't have any ID of mine from before.
Contrasting that to OP and yeah, an insider sounds like the more likely thing.
There was a story a while back about only fans bribing fb admins to ban competition or something. Would not be surprised if that was the route taken here.
Which was looking extremely suspect considering they were mentioning dates and times prior to the dates at least some of those supposedly bribed parties were even employed by Facebook. There may be truth in the story, but it is somewhat soured by the lies.
Just goes to show that the current state of web security is about analogous to those $5 Master Locks used on gym lockers. Enough to keep honest people honest, but even the slightest bit of intentional attack is all it takes to compromise everything.
It's obvious in retrospect that one of the main ways tech companies make money is scale, without the costs that physical based companies bear with scale.
For example, you go to a shop, and they have employees they have to pay. When the shop scales, so does the number of employees. Tech companies aren't like that though. You write software, then scale it to as many users as possible (billions, in some cases), but their cheat-code, is that they don't provide support of any meaningful kind.
They can get away with it because they're not bound by physical interaction, and nobody's holding them accountable. Law is always understandably slow to catch up, but hopefully we'll get some reasonable regulation around tech soon.
You invested (your time, energy, reputation) into a system which you either knew or could have quickly established, places no value in you as a person and has zero interest in fixing any problems that may affect you. I'm sure many users started using it for nothing of any real importance at first, so didn't let that really worry them. But over time, they invested much more while still in the back of their mind knowing that while the odds are small of anything happening, that if it did, your data and relationships could be taken from you, and possibly even given to others, for reasons you may never even know, or reasons you may know to be false but unable to do anything about the error.
This happened to me with bit.ly, they just, without any reason, removed my access to my own username, which is username. My other one is from GitHub, but the good thing is GitHub just changed my username from username to usernamex, probably due to a naming collision.
Are IG accounts worth something on the black market?
I don't doubt a few people would want the "Alex Stevenson-Price" alexprice. But, I'm guessing there are a lot more who want the "Other Famous Alex Prices" alexprice.
Yes. I know 4 letter ones (even just random gibberish) are going for ~$50-100. 3 letter ones are $500-1000 at least. So anything which is a dictionary word or a noticeable abbreviation is worth much much more.
It's so baffling to me, is there any research on whether a short name benefits marketing outreach or anything like that? I'd think a 4 letter gibberish name would put me off, if anything. I get if it's, like, "Mark" for some famous Mark, but if it was "ghfa", what's the point?
You build your brand from the bottom up based on that handle alone. Totally possible and your example is actually pretty good, no weird letters either (x,q,y,z)
> In 2017, Cessario, a longtime advertising creative who had previously worked on marketing campaigns for Netflix and Organic Valley, released a commercial for Liquid Death canned water. The product didn’t exist yet, but the commercial went viral.
> “The video ended up getting millions of views,” he said. “The page had more followers than Aquafina within a few months, so I think we knew that we were onto something that could be really big.”
That is an oddly depressing thing to me. Creating noise out of nothing with the sole intent to achieve popularity and gain. When so many others try hard to create a meaningful thing or improve an existing one, the easier choice seems to be to just try and "blow up" with the algorithms.
The music industry has been doing similar to their artists. Performers are expected to have a hit on social media before it can be released on Spotify, etc.
I have, over a two year period, been rather excitedly told about Liquid Death from the most surprising people. I mention a two year period because I don't recall anything else being presented to me as this new cool thing over such a long time frame. Something about that brand, in my experience, gets people to feel like 'they found something'.
It really is quite interesting the reaction people have to it. Now what's also funny is that with one exception these half dozen people are never seen drinking LD later on.
I guess I've just never seen such a powerful branding experience with the exception of maybe Gmail or Facebook way back when when they were seen as more exclusive services and people started finding out about them.
The interesting thing with them is that it is entirely brand (and they know it).
Ryssdal: Who is your competition then? Because the beverage space — and now the nonalcoholic water space — is populated by ginormous companies. And for as much success you’re having, you ain’t it. Do you worry about the Cokes and the Pepsis, or you’re like, “Yeah, you do your thing and I’m gonna do mine”?
Cessario: We don’t worry about that at all. Because the hardest thing — anybody can put water in a can, right? But that’s not why we’re successful.
Ryssdal: OK, wait, so why are you successful?
Cessario: Because we’ve built a really strong brand that has created legitimate fandom and obsession for the product. And that is something that Coke and Pepsi historically have been really bad at doing, which is why they acquire companies more so than they create viral brands or fandom on their own.
My IG handle is pretty desirable and was the title in a film. Every few months I get password reset notifications. I get DMed with offers. I also get occasional DMs from people thinking I'm the handle for the artist.
Same thing happened to me. I have the account and the password. But the password reset email is not one I ever used. Tried contacting them for verification and never heard back.
I don't know this person but objectively speaking, given the facts of the situation, I would say that it's more likely he sold his account and now wants it back for whatever reason. Maybe the people who bought it grifted him somehow and managed to reverse payment or something else.
I wouldn't accuse someone of lying when I have no basis to, and I'm not. I'm just saying it's the more likely scenario versus some IG employee risking their high paying career to give some nobody someone else's low value IG handle.
> some IG employee risking their high paying career
I don't think most IG employees have a high-paying career – their support staff are probably located in countries with the lowest possible wages and it would not take a lot of money (from the perspective of the mentioned 'crypto bros') to bribe someone.
Also according to the post those 'crypto bros' wanted exactly _his_ IG handle, not any other 'higher value' handle.
I'm just stating likelihoods. I give him the benefit of the doubt. I only mention this to be conversational and to see if anyone else noticed something that might corroborate the theory.
It makes little to no sense that this would be an inside job. It makes a lot of sense that this person just wants their account back after willfully giving it up.
If you had an inside connection to take over an account, why wouldn't you use it on something much much higher profile and with a lot more (i.e. any) profit potential?
> It makes little to no sense that this would be an inside job.
In your opinion.
I do not share that opinion.
> why wouldn't you use it on something much much higher profile and with a lot more (i.e. any) profit potential?
Because it dramatically increases the likelihood of getting caught. Selling access to valuable but not high profile accounts is exactly what I'd do if I was a cautious insider looking to make a little extra cash on the dark web.
This guy happened to get lucky and his story caught some attention. Most don't.
I have no idea if this particular person did something like that. But as long as the practical tech support for this sort of thing is high-profile social media posts, something like this is going to happen eventually, if it hasn't already. It might be a good idea to hold off on the pitchforks until we've heard from the other side and/or the company involved.