Meta workers hijacked user accounts in exchange for bribes, report says
REVEALED: Meta fires dozens of workers who ‘hijacked user accounts in exchange for bribes’ using a tool for restoring lost passwords called ‘Oops’
- Meta has grappled with abuse of its internal account recovery tool, report says
- Dozens of employees and contractors have been fired in the past year
- They allegedly used insider access to hijack accounts, sometimes for bribes
- Facebook has an internal system called ‘Oops’ for restoring account access
- It is supposed to be used for friends and family of employees or celebrities
- But a ‘cottage industry’ of insiders selling access reportedly sprang up
- Meta says it will ‘will keep taking appropriate action against those involved’
Meta has fired dozens of contractors and employees in the past year for using internal tools to compromise or take over Facebook and Instagram accounts, in some cases allegedly for bribes, according to a new report.
Workers at the social media giant, including contractors working as security guards, have been accused of abusing their access to an account recovery tool known as ‘Oops’, the Wall Street Journal reported on Thursday, citing documents and people familiar with the matter.
Oops, short for Online Operations, was created in Facebook’s early days to allow employees to help their friends and family, or high-profile users like celebrities, to regain account access if they lost their password or were otherwise locked out.
But a ‘cottage industry’ of insiders willing to sell their access, often through intermediaries, has sprung up, creating security headaches at Meta, according to the Journal.
In one case, model Brooke Millard says she paid a broker $7,000 to regain access to her own Instagram account, which has about 650,000 followers, after she was locked out for reasons she didn’t understand.
Model Brooke Millard says she paid a broker $7,000 to regain access to her own Instagram account after she was locked out, amid reports that some Meta insiders have sold their access to account recovery tools to those willing to pay
Meta has fired dozens of contractors and employees for using internal tools to hijack Facebook and Instagram accounts, in some cases allegedly for bribes, according to a new report
Meta says that said buying or selling accounts or paying for an account recovery service is a violation of the social network’s terms of service.
‘Individuals selling fraudulent services are always targeting online platforms, including ours, and adapting their tactics in response to the detection methods that are commonly used across the industry,’ Meta spokesman Andy Stone told the Journal.
Security guard Kendel Melbourne was among those accused of abusing internal tools. He denies any wrongdoing
He added that the company ‘will keep taking appropriate action against those involved in these kinds of schemes.’
In at least two cases, contractors working as security guards at Meta were accused of abusing their access to Oops to hijack user accounts.
The security guards, employed by Allied Universal, were given access to Meta’s internal network as part of the gig.
Although it was not included in their training, this access allowed them to send requests for account resets through the Oops system.
Kendel Melbourne, one of the former guards who was fired last year, was accused of helping ‘third parties to fraudulently take control over Instagram accounts,’ according to a letter a Meta attorney sent him in July.
Melbourne denied committing any fraud, admitting he had reset about 20 user accounts, but saying he believed he was doing so for friends, family, and other people he trusted.
Meta CEO Mark Zuckerberg is seen at an event last month. Meta says that said buying or selling accounts or paying for an account recovery service is a violation of the social network’s terms of service
‘Unfortunately I have fell [sic] victim to thinking I was helping people retrieve their accounts,’ Melbourne wrote in response to the attorney’s letter. ‘I will take responsibility for that.’
Melbourne told the Journal that access to Oops was a perk of working at Meta, saying ‘they didn’t have any set of rules’ banning contractors from using the system.
Another Allied Universal contractor, Reva Mandelowitz, was accused of resetting user accounts on behalf of hackers in exchange for thousands of dollars worth of bitcoin.
Madelowitz was fired after an internal investigation, but denied any wrongdoing, telling the Journal that she requested about 20 account resets for friends and family.
A Meta spokesperson did not immediately respond to a request for comment from DailyMail.com on Thursday.