It was a sunny morning in early March when Lily Collins entered my life. After waking up, I reached for my smartphone and scrolled through the Stuff and NZ Herald websites. Then I tapped on the Facebook app to see what friends around the world had been up to overnight.
But I wasn’t able to log in and, alarmingly, I wasn’t Peter Griffin on Facebook any more, I was Lily Collins. The British-American actor is the star of Netflix show Emily in Paris. But I’d never heard of her and, more importantly, why was she now in charge of my 15-year-old Facebook account?
The answer to that question sent me, along with thousands of people around the world, into an endless loop of automated forms and digital dead-ends that revealed a cold reality about the world’s largest social network. Despite having more than 60,000 staff, there’s often no one to talk to when you need technical help the most.
Those of us caught up in the particularly pernicious Lily Collins hack found our accounts hijacked, our passwords changed. In a bid to limit the damage, which could include posting extremist content to our newsfeeds, making unauthorised purchases using credit cards tied to our accounts and messaging our friends with links to malware, Facebook’s automated systems disabled our accounts.
That sounds temporary, reversible. But, to my horror, I found the decision was actually final and no appeal could be lodged, no identification documents presented to prove who I was. There was no email address to write to customer service, no chatbot to spit out annoyingly obtuse answers, no recourse whatsoever.
Internet forums are full of Lily Collins victims. To be clear, the actor has no involvement in the hacking, but obviously left an impression on whoever was behind the keyboard masterminding the attack.
Flagged as malware
How did this happen? How did a tech reporter, who in these very pages has preached the importance of password security, end up getting hacked? The issue actually begins and ends on Facebook. Scrolling my newsfeed a few days before my account was hacked, I came across an advert for a ChatGPT web browser plug-in.
The artificial intelligence bot had taken the world by storm, but at that stage, you still had to visit the OpenAI website to ask ChatGPT questions. Now, using this piece of software, I’d be able to do it from within the Chrome web browser. I clicked on the advert, which took me to Google’s Chrome web store, where I downloaded the plug-in.
To my disappointment, it didn’t work. A day later, Google flagged the plug-in as malware and disabled it, so I deleted it from my web browser. But in the intervening 24 hours, the malware was apparently used to steal the “cookies” in my browser. These are the digital breadcrumbs that follow us around the web, containing our all-important account usernames and passwords.
I had two-factor authentication active on my Facebook account, so should have been sent a code via text message to my phone to approve logging in from a new device. But, according to cybersecurity analysts’ reviews of the Lily Collins hack, the Facebook browser cookies were able to be mirrored on the hacker’s computer and made to appear as though a Facebook log-in was coming from one of my registered devices.
None of my other accounts were hijacked, just Facebook. After the shock of being locked out, ambivalence set in. I’d scaled my Facebook usage right back, anyway. Now was perhaps the time to exit Mark Zuckerberg’s world entirely.
Suspended account
However, like Paul Russell, a Tauranga osteopath and former drummer for iconic 90s band Supergroove, I found leaving the Facebook world had larger ramifications than anticipated.
“You’ve got all these networks that are held on Facebook and suddenly you don’t have contact details for these people,”says Russell, whose Facebook account was hacked in 2021, long before the Lily Collins hijackings. “You don’t know how to get hold of them otherwise, because this is how we’ve engaged for all those years.”
He woke up one morning to find his personal account had been suspended because he had allegedly breached Facebook’s community guidelines. He was able to see the offending content – an image of the Islamic State flag. But that was just the start. Russell and his bandmate in Midwave Breaks, a new rock act based in Tauranga, had just announced their first show and launched an online campaign to create some buzz.
Russell controlled the band’s Facebook page and another page to promote his osteopath clinic, both linked to his personal account. The hacker then proceeded to take over both business pages, replacing Russell as the account administrator.
“The band wasn’t returning a viable income, but my osteo clinic, that’s my mahi, that’s my bread and butter,” says Russell, who had a credit card loaded into Facebook.
Hackers target legitimate business pages so they can use stolen credit card details to run ad campaigns for scam products – or ads directing people to sites containing malware.
Russell quickly cancelled his credit card, which turned out to be a very smart move. The Midwave Breaks Facebook page was about to undergo a transformation. “I looked online and we had literally become a Bulgarian-run jewellery store,” he says.
No longer the administrator of those pages, Russell found there was little he could do about it, despite his desperate efforts to contact Facebook.
“I was just going through all of those automatic channels and getting nowhere,” he says. “That’s when I reached out to Paul.”
Paul Spain, that is, the Auckland-based tech commentator, futurist and founder of managed services technology provider Gorilla Technology.
Spain is a friend of Russell’s and had the same trump card to play as I did – we had contacts at the local public relations firm that represents Meta, Facebook’s parent company. About 10 days after asking the PR company for help, I was sent a six-digit code to log into Facebook. It allowed me to reclaim my account. Normally, Facebook lets users change their account name only every 60 days, but last week it manually overrode this provision for me and changed my name back to Peter Griffin – thanks to the PR company’s intervention.
Russell says it took about two months for his account and pages to be restored, but his osteo clinic page was left with a rogue user attached to it. He ended up wiping the page and starting again.
We were lucky, able to pull strings with contacts to get Facebook to act. But thousands of others have nowhere to go.
Password manager
What’s the lesson? Yes, it comes back to basic security hygiene.
“It’s quite embarrassing. I was one of those people who had two or three passwords, not just for Facebook but for everything else in my life,” says Russell, who didn’t have two-factor authentication active on his account.
It’s possible that the username and password he used to access Facebook were stolen from another account and sold on the dark web to hackers who tried their luck logging into his Facebook page.
He now uses a password manager to create complex passwords for each online service he uses. In my case, the hack was more complex, with both Facebook and Google letting me down – Facebook for advertising the malware-infested ChatGPT plug-in and Google for allowing it into its Chrome store.
Facebook hasn’t made any official comment about the Lily Collins hack yet. A recent Facebook press conference I attended celebrated the fact it had amassed two billion daily active users. But only big advertising spenders qualify for help from human customer-support agents.
“Nothing is free,” Russell rightly points out. “We are giving them a hell of a lot of data. You really have to play the game to some degree, whether you want to or not.”
This is unfortunately the cost of that.
