PORTLAND (WGME) — We share our lives online. Family photos. Health updates. But those years of memories are vulnerable.
Just days after losing her daughter, Wells resident Millie Coombs says she lost something else deeply personal: her Facebook account.
“I just I miss her so much,” Coombs said, clutching photos of her daughter.
In late March, shortly after her daughter Nikki’s death, Coombs’ Facebook account was taken over by a hacker. Friends started calling and texting, confused by posts from her account claiming she was selling Nikki’s belongings. Everything from a couch to a lawn mower.
“I know of at least one person who sent money in for a deposit. He was a friend,” Coombs said.
The hacker removed her email address from the account, locking her out of the profile where she had documented years of Nikki’s health journey. Despite trying every avenue to regain control, she says Facebook was not responsive.
“I’ve said that it feels like losing her. It feels like losing Nikki all over again,” Coombs said.
She’s not alone.
Last year, attorneys general in 41 states sent a letter to Meta, Facebook’s parent company, demanding it do more to address a surge in account takeover complaints. The letter also pointed out that Meta had laid off 11,000 workers, including many from its security and privacy teams.
Meta acknowledged receiving the letter but has not taken strong, formal action.
Eva Velasquez, president and CEO of the Identity Theft Resource Center, says account takeovers are becoming more sophisticated and more common.
“The reality is that most people will not regain access with their accounts, and they’ll have to walk away,” Velasquez said. “So, many of these attacks are automated and require very little skill.”
Velasquez says many users don’t realize their email credentials may already be compromised due to data breaches that have taken place nationally over the years.
“Look, if your email you’re using, it’s already out there. It’s probably been breached in a data breach. Look at the state of breaches. We had a record high, and we continue to see them go up,” Velasquez said.
To protect your account, she recommends:
- Creating a unique password for every platform, with at least 12 characters
- Enabling multi-factor authentication whenever possible
- Backing up photos and important information
- And, if you do get locked out, creating a new account. Then warning others often that the old one is no longer under your control
“They may go dormant for a while, but as long as that account remains available, it can repurpose, it can resurface again,” Velasquez said.
According to the cybersecurity firm Digital Shadows, a hacked Instagram account sells for around $45 on the dark web. A stolen Social Security number? Just $2.
“People tend to think of their social media account as low value. It’s something I talk with friends, I look at funny cat videos,” Velasquez said. “But the reality is, that’s a very valuable account.”
Coombs says she wishes she had known more about two-factor authentication before it was too late.
“I think the one thing that I wish I would have done was back things up,” Coombs said. “So that I would have it.”
The I-Team reached out to Meta multiple times but did not receive a response.
The Maine Attorney General’s Office also offered some advice to our viewers.
A spokesperson says their office does receive many complaints of social media accounts being hacked and used to sell things. The Office recommends if you see this kind of post circulating, or if it happens to your account, flag the post and report it to phish@fb.com. The Attorney General’s Office encourages the consumer to continue to follow up with Meta. If you reach out to the AG’s Office, they will also forward the report to the FTC.
If you’ve been hacked, you’re encouraged to ask family and friends to post a message letting mutual contacts know your account has been hacked. The Maine AG says sometimes you’re encouraged to contact local law enforcement and make them aware.
These are all steps Coombs took in the wake of her account being compromised. She tells us, since our interview, she received some help from Maine’s Congressional delegation to retrieve the account, though it is still limited in what she can access.
