Kit #1. My email, Facebook or Twitter account was hijacked
I lost access to my email, Facebook or Twitter user account. What should I do if someone stole my log-in information and I can no longer log in?
One day you switch on your computer and you can no longer log in to your email, Facebook or Twitter account. You are sure that you remember your passphrase correctly and you suspect that someone else has changed it.
What you should do
You need to double-check first of all that you are on the correct log-in page; that the link and interface you are seeing are genuine. Look carefully for slight variations in the URL. In particular, make sure that the URL starts with https in your browser.
It might be useful to ask someone around you, or visit a service-monitoring site like downrightnow.com, to check that the service you are trying to access is not out of order; this sometimes happens even to the biggest service providers.
- Reset your passphrase. If you are unable to log in, proceed as if you forgot your passphrase and need to reset it. Almost all online services have at least one way to reset a passphrase and regain access to the account.
- Email: Most email providers will allow you to reset your passphrase, and will send a reset link to a secondary email or a temporary log-in code to your mobile, or ask you to answer a series of security questions. Passphrase recovery options are different for each provider but instructions should be easy to find.
- Facebook: Click on the “Forgotten account?” link on the login page and identify your account. Then you will be offered the chance to reset the passphrase either through an email to the email address associated with your account or through a text message to the mobile number associated with your account. (See Kit #3) If you no longer have access to those for any reason or the hacker changed the information in the account, you will have the option to submit a new email or phone number to be used instead, followed by asking your “trusted contacts” to help you in the process. Sometimes you have to wait 24 hours until you can access the account again. If you ultimately can’t regain access to your account, you should consider reporting to Facebook that your account has been hacked.
- Twitter: If you can’t log in to your account, you can request a temporary log-in code to be sent to your email address or mobile phone via SMS. This can be done by clicking on the “Forgot password?” link on the login page, or clicking here. This temporary code is not reusable. If you are still unable to regain access to your account then you can file a support request with Twitter from here.
While you are without access to your account, it is a good idea to have a person you trust write to your key contacts and warn them that you are without access to your account and someone may be acting as an impostor. You can also consider informing your contacts through the social media accounts that you still have access to.
Once you regain access to your account be sure to review all of the account settings (especially your security and privacy settings) and contacts list to make sure no changes have been made that could compromise your security.
How to prevent future problems
Once you recover access to your service, do the following immediately:
- Go to your account settings to change your passphrase and add a secondary email address.
- Consider enabling “two-factor authentication” (2FA) by adding your mobile phone number to your account. This will require you to enter not only your passphrase, but also a short code received/generated on your phone, which will improve the security of your account.
- If you enable 2FA then be sure to save the backup codes that are provided to you when setting it up. These backup codes can be used to log in if you are unable to receive the short code on your phone for any reason (such as if you are travelling outside of the country, or you lose/damage your phone).
- Go to your account’s security settings and activate log-in alerts or log-in verification. On Gmail and Facebook you can review recent activity on your account and their locations and sign yourself out of sessions that are unfamiliar.
- Review the third-party applications that have been granted permissions on your account and remove any unnecessary apps.
- On Facebook you can select a number of friends to be “Trusted Contacts”. If you get locked out of your account, Facebook can send them information to help you regain access.
- Check carefully all the accounts in your Facebook friend and Twitter following lists to make sure that you are not newly associated with any suspicious, unknown accounts. This is important on Facebook because depending on your privacy settings, your posts could now be visible to these accounts.
Keep in mind
- The attacker will not always hack into your account and change the passphrase to lock you out. An attacker could gain access to your account to impersonate you or to monitor you. So regularly check on your account activity and make sure you have login alerts turned on (mentioned above).
- Each time you log into your account you establish a new session and when you log out you end it. Always log out from sessions on a web browser. You need to keep an eye on active sessions and activities such as messages, posts, third-party applications and new friends to make sure everything is done by you alone.
- Common attacks on Facebook happen through malicious links that appear to be something they are not. These links might reveal your personal information or facilitate an adversary taking control of your account. Do not click or interact with any links or attachments that you get from untrusted people in your inbox, or suspicious links from your trusted contacts. If a link has been shortened (e.g. using bit.ly or goo.gl), then you can use a URL expanding service like wheredoesthislinkgo.com to reveal the actual destination before clicking on it.
- Make sure you always use HTTPS when logging into your accounts. If you are connecting from your phone, try to avoid using your phone’s standalone application because you cannot control whether or not the connection is secure. Instead, connect to your social network’s HTTPS URL via the browser on your phone.
- It is true that Facebook might be an efficient tool for organising, but always remember it is not a safe and secure platform. Your friends and contacts can be negatively impacted by flaws in your security practices and vice versa. Conducting activism online is therefore a great responsibility.
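The two checks this kit asks you to make by eye, that the log-in URL uses https and points at the genuine service rather than a lookalike, and that shortened links (bit.ly, goo.gl) are expanded before clicking, can be written down as a small script. The following is an added example, not part of the original kit; the set of genuine domains is an assumption for illustration, and the domain extraction is deliberately simplified.

```python
from urllib.parse import urlsplit

# Assumption for this example: the services in the kit serve their log-in
# pages from these registrable domains (constructed list, extend as needed).
GENUINE_DOMAINS = {"facebook.com", "twitter.com", "google.com"}
# URL shorteners named in the kit; they hide the real destination.
SHORTENER_DOMAINS = {"bit.ly", "goo.gl"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. www.facebook.com -> facebook.com.

    Simplification: ignores multi-label public suffixes such as co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_login_url(url: str) -> list[str]:
    """Return the problems found with a log-in URL; an empty list means it passed."""
    problems = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if parts.scheme != "https":
        problems.append("not https")
    if not host:
        problems.append("no hostname")
        return problems
    domain = registrable_domain(host)
    if domain in SHORTENER_DOMAINS:
        problems.append("shortened link: expand it to see the real destination")
    elif domain not in GENUINE_DOMAINS:
        # Catches lookalikes such as faceb00k.com or facebook.com.example.net,
        # where the brand name appears but is not the registrable domain.
        problems.append(f"unexpected domain {domain!r}")
    if "@" in parts.netloc:
        # user@host syntax lets the brand name appear before the real host.
        problems.append("user info before the host can disguise the real destination")
    return problems


if __name__ == "__main__":
    for candidate in ("https://www.facebook.com/login",
                      "http://www.facebook.com/login",
                      "https://www.facebook.com.account-verify.example/login",
                      "https://bit.ly/abc123"):
        print(candidate, "->", check_login_url(candidate) or "ok")
```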
Where to find more help
- Manage where you are logged into Facebook.
- Recover a lost or forgotten passphrase on Twitter and find out if your Twitter account is compromised.
- Learn some safety tips for social networking sites.
- Review recent login activity on your Gmail account.
- How to Enable Two-Factor Authentication For Your Online Accounts