It was just after 8pm when Marjorie Mae received a message on Facebook from her niece, Emma Kangas, saying she needed help.
Mae froze. Her niece had moved into her house a few months earlier, and together they had been working on reducing the frequency of Kangas’s seizures. Mae was sure her niece was in the house, but she worried she might be having a health crisis in the bedroom a few feet away. Hastily typing “OK,” Mae got up and went to check on her niece.
To her relief, May found her niece in the living room scrolling through her phone. “Are you messaging her on Facebook right now?” she asked, moments later a new message appeared in her inbox.
“Can you lend me $200? I’ll pay you tomorrow with $50 interest.”
Kangas’ account was hacked.
May contacted Public Investigator in December. She said by phone that her 20-year-old niece had been unable to shut down her account and had continued to spam other friends and family with urgent requests for money.
“I reported her, her friends reported her, she opened a new account but the other profile was still showing up and they couldn’t close it,” May said.
After repeatedly reporting that their accounts had been compromised, Kangas and May received two emails from Facebook, both saying that Facebook had investigated the activity on Kangas’ account and found no evidence of suspicious activity.
Because Facebook doesn’t offer the option to speak directly with a representative, Kangas was unable to escalate the issue, instead directing her to the platform’s “help center,” which explained how to report a hacked account.
“I think these companies need to be held accountable,” May said. “Automating and saving costs is great for certain things, but when someone has been hacked and their personal identity and personal data is at risk, they should be able to talk to a live human being and get actual help.”
Since December, Facebook messages from the hacker have been arriving in the inboxes of friends and family.
The Public Investigator contacted Meta, Facebook’s parent company, in December, January, April and May in an attempt to get answers about the hacking of Kangas’ profile.
Company representatives did not respond until late May, when Meta’s director of public relations, Andy Stone, said he would send Kangas’ case to Meta’s investigative team.
“This shouldn’t be the norm,” Kangas said. “I think Facebook should do more to stop this from happening to other people.”
Facebook data breach and hack history
Meta has faced criticism before for its handling of hacked accounts.
In March, 41 attorneys general sent a letter to Meta’s chief legal officer, Jennifer Newsted, alleging that the company had neglected hacking victims, leaving them vulnerable to potential financial damages. The group also included Wisconsin Attorney General Josh Kaul.
“Our office has experienced a dramatic and sustained increase in complaints about account takeovers in recent years, which is not only disturbing to our constituents but also a major drain on office resources,” they wrote.
Dorothea Salo, an information security and privacy expert at the University of Wisconsin-Madison, said Kangas’ experience reflects a lack of regulation of tech companies to address hacks and security concerns for users.
“There’s really no law that requires a certain level of customer service,” Salo said. “U.S. courts haven’t had a clear assessment of what the damages are when your social media account is hacked.”
Salo said many cases involving privacy and protection of digital accounts hinge on whether there is a “legally cognizable harm.” Courts must agree that affected individuals have faced a significant level of harm and that companies like Facebook must take action to fix the problem.
Salo said Facebook is also “notorious” for its poor customer service and technical support, especially for non-English-speaking communities.
“I think they’re so focused on making money through advertising and user surveillance that it’s gotten a lot worse than it needs to be,” she said.
Asked why Facebook doesn’t offer users a live chat option, Salo said it’s probably a matter of scale: Facebook serves billions of users who speak hundreds, maybe thousands, of languages, he said.
“When you have billions of users, you don’t need to worry about just one,” Salo said.
May, who previously worked on AI automation projects in the technology industry, said her niece’s experience was a reminder that human intelligence and interaction are needed to address customer service and other issues, especially for people with developmental or neurological disabilities.
Kangas’ Cash App and Chase bank accounts were also hacked within two weeks of the Facebook hack, but Kangas was able to cancel Cash App payments and close her bank accounts.
May assumed Kangas’ Facebook account would eventually be deleted or returned to her niece after numerous reports from family members about spam and abuse, but in April the messages started coming again, even though the page had been dormant for several months.
“I need your help,” the hacker said in one such message. “Can you lend me some money by tomorrow? I will pay you back.”
Kangas said that when she realized she’d been hacked again, she tried to change the password to her account, but the hacker had also changed the email address, password and phone number associated with her profile.
Beyond losing hundreds of social connections and memories, Kangas is feeling embarrassed about the incident and worried about how her message will sound to family and friends.
“When I would text my family late at night saying I needed help, they all started to worry that I was going to have a seizure,” she said.
Six months later, Meta responded.
In May, after 10 attempts to contact Meta’s media department via email and social media, Stone responded to Public Investigator, requesting an email address to send Kangas an account reset link.
Two days later, when Public Investigator contacted Meta for an update, Stone said the company’s investigative team had not been able to identify any Facebook profiles linked to Kangas’ email address.
A Public Investigator reporter explained that this was because the hackers had changed the email and phone number associated with the profile, information that was also mentioned in a previous correspondence with Meta’s communications team.
On June 4, about seven months after Kangas’ account was first hacked, Stone told Public Investigator that the company had successfully secured her account.
Kangas said Facebook emailed him a password reset code to restore his account, and he was able to regain access within minutes, and he doesn’t understand why the resources weren’t made available to him sooner.
“I have all these photos of my loved ones that I’ve lost that I’ve never been able to see because I couldn’t log into my account,” Kangas told Public Investigator. “So now that I can log into my account, it feels like a weight has been lifted off my shoulders.”
Tactics for securing your social media accounts
Over the past decade, a variety of tactics have emerged to help social media users protect their accounts from hackers.
Salo recommends setting up multi-factor authentication on your social media accounts, which requires both your password and the answer to one or two additional security questions before granting access to your account.
Salo said there are many types of internet scams, including phishing emails with fake links and ransomware, but he said hackers target Facebook and Instagram accounts because they can impersonate the account owners.
“If you can convince someone that a friend or family member is in serious trouble and needs money right away, you can get them to give you money,” Salo said. “So identity theft is what I’m most concerned about.”
Stone said Facebook uses automated technical systems and account review teams to detect “potentially violating content and accounts on Facebook and Instagram.”
Stone did not answer additional questions from Public Investigator, including why emails to Meta’s PR team about Kangas’ account went unanswered for six months, why the company does not maintain a live chat or customer service helpline to address users’ concerns, and whether there are any risks in linking Facebook and Instagram profiles.
Instead, Stone offered a list of security tips to avoid having your account compromised.
Tips include choosing strong passwords and not sharing them across platforms, being wary of malicious software, and using two-factor authentication on your Facebook and Instagram accounts.
Since getting her account back, Kangas has begun deleting some of the posts the hacker had posted to her feed demanding monetary or Cash App payments, and has also let friends know the page was back up and running.
When asked what she would like Facebook to do to prevent experiences like hers in the future, Kangas said: “I wish they would take reports more seriously.”
Tamia Fowlkes is a Public Investigator reporter for the Milwaukee Journal Sentinel. She can be reached at tfowlkes@gannett.com.
More tips to protect your Facebook account from hackers
The federal Cybersecurity and Infrastructure Security Agency recommends a four-pronged strategy for protecting your digital security and personal information online.
- Turn on multi-factor authenticationWith multi-factor authentication enabled, users must enter their password and a separate security question to log into their account. They may be required to enter a PIN number, receive a verification text or push notification to their mobile phone, or use a fingerprint or face ID to access their account.
- Turn on automatic software updates On all your devices. According to experts, systems that are not updated are more susceptible to flaws and system gaps that could allow hackers to access your accounts. To set up automatic updates, check the settings on your devices.
- Use strong passwords Password Manager A tool that generates and stores unique passwords for your digital accounts. Popular password managers include Bitwarden, 1Password, and Dashlane. For Apple users, there’s also the macOS password manager Keychain. Passwords should be at least 16 characters long, unique, never used anywhere else, and ideally randomly generated.
- Think before you clickAccording to the Cybersecurity and Infrastructure Security Agency, 90% of successful cyber attacks start with a phishing email. If you receive an email, link, or message that tells you to change your password or verify your personal information, consider whether the message was sent by a malicious actor.
For more information on how Facebook handles account violations, see below.
About Public Investigator
Government corruption. Corporate fraud. Consumer complaints. Health care fraud. Public Investigator is a new initiative from the Milwaukee Journal Sentinel and sister newsrooms across Wisconsin. Our team wants to hear your tips, follow leads and uncover the truth. We’ll investigate anywhere in Wisconsin. Send your tips to watchdog@journalsentinel.com or call 414-319-9061. You can also submit tips at jsonline.com/tips..
