Last Wednesday, I woke up to two emails from Facebook. One let me know that the primary email address on my account had been switched to a Hotmail account I haven't used since 2009. The other let me know the password had been changed on my Facebook account. I'd been hacked.
Fortunately, both emails contained links to pages where I could secure my account in the event the action was unauthorized. Unfortunately, the pages came up in Turkish. (I'd soon discover why this was the case.) Google Chrome, the browser I was using, offered to auto-translate the text, but the translations weren't very helpful.
This was bad. I'm a fairly heavy Facebook user, partly because a big social following is a useful thing for a journalist and partly because I'm a ham who likes the attention I get from posting funny or provocative things. Also, organizing stuff not being a strength of mine, I have a bad habit of treating Facebook as a catchall for photos, email addresses, all sorts of things I want to hang onto.
Now it was all in someone else's hands. But to get it back, I reasoned, all I had to do was convince a company whose bread and butter is digital identity that I was me. Easy, right?
Actually: no. I was about to find out just how time-consuming, absurd, and infuriating a process that actually is.
Panicking a little, I emailed half a dozen people I know who work at Facebook. A few were personal friends, a few PR contacts I know from covering the company. But it was before 7 a.m. in California, so I didn't expect an immediate response.
In the meantime, I knew one thing for sure: This was my fault. Since 2011, Facebook has offered two-factor authentication, a security measure that makes it impossible to log in to an account without a one-time PIN you can only receive by text message. Two-factor authentication is extremely secure, but I'd never enabled it. It was also, I realized immediately, really dumb to have an old email address associated with my account. I'd kept it on there in case I ever got locked out of Facebook, but the password on my Hotmail was weak by 2015 standards.
So, yes: guilty. In my defense, however, I'd had reason to think Facebook was watching out for me. Like many journalists, I'm a verified user, with a little blue check mark to show that Facebook has confirmed my identity. It wasn't an easy status to get. I had to upload my driver's license to get it.
At least they know who I am. Right?
Facebook knows practically everything about me. Its facial-recognition software is so good, it recognizes me in photos I'm not tagged in. If, despite that, I had to clear a high bar to prove I'm me, surely anyone trying to pose as me to my thousand-plus friends and 50,000 followers would have to clear the same bar. Right?
At the suggestion of a friend who speaks computer, I switched browsers from Chrome to Safari and was rewarded with an English version of the Secure Your Account page. It wasn't much use, however. As far as Facebook was concerned, I no longer had an account to secure. The hacker had changed the name, email address, and even profile photo to his own. As far as Facebook was concerned, I was a nonperson. After some trial and error, however, I was able to locate The Account Formerly Known as Jeff Bercovici. It now belonged to a man in Turkey named Hamza.
I clicked the This Is My Account button and answered a security question to initiate a review. It should be pretty obvious, I thought, that I hadn't changed my name to Hamza, changed my email address, moved to Turkey, and had plastic surgery, all within a span of hours.
Come to think of it, it was pretty strange that someone could do all those things without tripping some alarms. As it happens, while all this was going on, I got a text from my bank asking me to confirm a small purchase I'd made at a supermarket, just because I hadn't shopped there before. Isn't changing every detail of your life overnight at least as suspicious as buying a straw hat and an iced coffee? And we're talking about Facebook, a company so niggling about the need for real identities, for a long time it wouldn't even let transgendered people use their preferred names.
With pique now replacing my panic, I turned my attention to Hotmail. Microsoft's online account recovery form requires the account holder to supply information about recent activity on the account--people you've emailed, subject lines of those emails, that sort of thing. Like most people I know, I'd stopped using Hotmail around 2009, so remembering the details of the last few emails I'd sent was a tall order. I email-blasted my friends and family, asking them to dig through their old emails to find their last correspondence with me at that address, but what I got back wasn't enough to satisfy Microsoft's security engine. After three unsuccessful attempts, I was told I'd reached my limit for the day. Try again tomorrow.
I finally heard back from one of my Facebook PR contacts, who told me to sit tight while she tried to get my case in front of someone who could do something about it. Later, she told me a hold had been placed on the account. A guy named Andrew from Facebook's Community Operations team emailed me to ask some questions. I answered them and went to bed.
I woke up Thursday morning to an email letting me know I could log back in to my account. Relieved, I did. Only it was no longer my account. Everything had been deleted--my friends, my photos, my posts. Aside from a few page "Likes," all evidence of my nine years as an active Facebook user had been erased. Wedding photos, birthday greetings, random exchanges with childhood friends I haven't seen in 20 years--all of the stuff Facebook mechanically orders you to reminisce about, gone.
It took some effort, but I stayed calm. It wasn't really gone gone. After all, Facebook itself says it takes up to 90 days to delete your data, even when you want it all erased. I emailed Andrew asking him to restore all that stuff. I quickly heard back.
"Unfortunately, Facebook does not have the ability to restore content that has been removed from accounts," he wrote. "We apologize for any inconvenience this may cause you."
"We apologize for any inconvenience"?
That's when I hit the ceiling.
For nine years, Facebook had been enjoining me to treat it as my phone book, my photo album, my diary, my everything. Yet wherever it had been storing all my stuff was so ephemeral, a half-assed fraudster could wipe it all out irrevocably? After I went on a bit of a Twitter rant to this effect, my Facebook PR contact emailed me again, to say don't give up hope just yet.
To pass the time, I started ranting again about Hotmail. By now, I'd gotten an email from Microsoft letting me know recovery had failed permanently. There was no recourse--until a college friend who'd worked at Microsoft after graduation saw my increasingly desperate tweets and offered to help out. Within a few hours, Microsoft Outlook's Online Safety Escalations team had taken up the case and solved it. It turned out that technically I hadn't been hacked at all. Hamza didn't have to. Because my account had been dormant for more than 270 days, my email address had gone back into the pool of available addresses.
While waiting on Facebook, I reached out to Hamza. I wasn't expecting a response, but I was curious: As far as I could tell, he'd used his real name. Or at least it was the same name and photo as on his Twitter account, which also links to his website, where he identifies himself as a "social media expert."
What kind of hacker uses his real name?
Then, after I called him out on Twitter, he even liked a bunch of my tweets. Who was this guy?
To my surprise, I heard back from him several times. His English was even worse than Chrome's auto-translations, but a friend of a friend translated his Turkish.
Hamza apologized for hacking me. He'd done it because he wanted a verified account, he said, but now he felt bad. He had saved my photos and could restore them--if I gave him my password.
I declined this generous offer and asked him why he had tried to steal my Twitter and Instagram accounts as well. He apologized again and said it was only my blue check mark from Facebook he was after.
Then he asked me to add him as a friend.
That Hamza was such a weird outlier of a hacker was partly why he was able to get away with stealing my account for as long as he did. On Friday, I talked to Jay Nancarrow, head of communications for Facebook's security team. He told me Facebook does use fraud-detection software to detect suspicious activity on accounts. Had Hamza, say, sent messages to all my contacts, or liked specific pages, it might have triggered an automatic security review. But because he didn't, and because he accessed the account using an email address that had been associated with it for many years, he had a window before I was able to report him.
Once I did, his account was eventually suspended--though, weirdly enough, only for a day or so. He's back on Facebook now. As hackers go, he seems relatively benign, so I don't particularly care, but still: Really?
How could I have avoided all this in the first place? Nancarrow told me what I pretty much already knew. Always enable two-factor authentication, because using it is a much smaller pain in the ass than trying to repair the damage from a hack. By the same token, conduct periodic reviews of the personal info on all your accounts to make sure the information is up to date. Outdated, unsecure accounts can and will be used against you.
Oh, yeah: By the time I talked to Nancarrow, pretty much all of my content had been restored to my Facebook page. I was relieved but, to be honest, not terribly surprised. I may not be Kara Swisher, but I'm still a tech journalist, one who has interviewed Sheryl Sandberg, met Mark Zuckerberg, and covered Facebook extensively. I figured the company would pull out the stops for me.
But in a funny way, that only served to reinforce the most important lesson I learned from this episode, one about the nature of the big digital platforms upon which we now conduct so much of our lives. They're not our friends. They don't care about us. As an ordinary user, I would have gotten next to nowhere with either Facebook or Microsoft. With both companies, I dead-ended after exhausting all the resources available to the general public. I recovered "my" Facebook account, but there was no button to report that all my data had been deleted, no email address I could report it to.
They always could recover all my content, but as long as they thought I was just another civilian, they weren't going to try. It was only because I happen to have a job that gives me access to people at Facebook--and because I happen to have a sizable Twitter following and went to a college that has a top computer science department--that I got the attention I needed.
The biggest companies in the online world have hundreds of millions or even billions of users, which can make them seem impersonal to deal with. But it's not impersonal. It's still all about who you know. It's just that for most of us, the answer is: no one.
And that's exactly who most of us are to them.