Kit #1. My email or Facebook y Co. accounts were hijacked

I lost access to my email, Facebook or Twitter user account. What should I do if someone stole my log-in information and I can no longer log in?

One day you switch on your computer and you can no longer log in to your email, Facebook or Twitter account. You are sure that you remember your passphrase correctly and you suspect that someone else has changed it.

What you should do

You need to double-check first of all that you are on the correct log-in page; that the link and interface you are seeing are genuine. Look carefully for slight variations in the URL. It might be useful to ask someone around you to check that the service you are trying to access is not out of order; this sometimes happens even to the biggest service providers.

  1. Reset your passphrase. If you are unable to log in, proceed as if you forgot your passphrase and need to reset it. Almost all online services have at least one way to reset a passphrase and regain access to the account.
    Email: Most email providers will allow you to reset your passphrase, and will send a reset link to a secondary email or a temporary log-in code to your mobile, or ask you to answer a series of security questions. Passphrase recovery options are different for each provider but instructions should be easy to find.
  2. Facebook: Follow the “Forgot your password?” link and identify your account. Then you will be offered the chance to reset the passphrase either through an email to the email address associated with your account or through a text message to the mobile number associated with your account. (Refer to Kit #3 on how to maintain). If you no longer have access to those for any reason or the hacker changed the information in the account, you will have the option to submit a new email or phone number to be used instead, followed by asking your “trusted contacts” to help you in the process. Sometimes you have to wait 24 hours until you can access the account again. If you ultimately can’t regain access to your account, you should consider reporting to Facebook that your account has been hacked.
    Twitter: If you can’t log in to your account, you can request a temporary log-in code to be sent to your email address or mobile phone via SMS. This temporary code is not reusable. You can also request a reset link to be sent to your email address by following the “Forgot password?” link on the Twitter login page.
  1. While you are without access to your account, it is a good idea to have a person you trust to write to your key contacts and warn them that you are without access to your account and someone may be acting as an impostor.

How to prevent future problems

Once you recover access to your service, do the following immediately:

  1. Go to your account settings to change your passphrase and add a secondary email address.
  2. If you can, strongly consider adding a mobile phone number. Having both a passphrase and mobile phone verification is called “two factor authentication” (2FA) and increases the security of your account.
  3. Go to your account’s security settings and activate log-in alerts or log-in verification. On Facebook you can review a list of active sessions into your account and their locations. If you notice any unfamiliar devices or locations, click “End Activity” to end the session.
  4. Review the third-party applications that have been granted permissions on your account. On Facebook you can define your “Trusted Contacts” to help you with future lockouts.
  5. Check carefully all the accounts in your Facebook friend and Twitter following lists to make sure that you are not newly associated with any suspicious, unknown accounts. This is important on Facebook because depending on your privacy settings, your posts could now be visible to these accounts.

Keep in mind

  • The attacker will not always hack into your account and change the passphrase to lock you out. An attacker could gain access to your account to impersonate or survey you. You might not notice that you’re a victim of hacking.
  • Each time you log into your account you establish a new session and when you log out you end it. Always log out from sessions on a web browser. You need to keep an eye on active sessions and activities such as messages, posts, third-party applications and new friends to make sure everything is done by you.
  • Common attacks on Facebook happen through malicious links that appear to be something they are not. These links might reveal your personal information or facilitate an adversary taking control of your account. Do not click or interact with any links or attachments that you get from untrusted people in your inbox, or suspicious links from your trusted contacts.
  • Make sure you always use HTTPS when logging into your accounts. If you are connecting from your phone, try avoiding use of your phone’s standalone application because you cannot control whether or not the connection is secure. Instead, connect to your social network’s HTTPS URL via the browser on your phone.
  • It is true that Facebook might be an efficient tool for organising, but always remember it is not a safe and secure platform. Your friends and contacts can be negatively impacted by flaws in your security practices and vice versa. Conducting activism online is therefore a great responsibility.

Where to find more help

« Go back