Meta keeps booting small-business owners for being hacked on Facebook

MENLO PARK — Sheela Lalani is one of many small-business owners who depend on social platforms to generate extra holiday revenue. Her Instagram shop with unique, artisan-made children’s clothing—adorably modeled by smiling kids who joyfully twirl in her dresses—has attracted nearly 13,000 followers. She had recently rolled out her holiday collection when Meta suddenly deleted her Instagram account, dashing any hope she had of promoting her new clothing to followers. Meta also disabled her personal Facebook account, her Facebook business page, and her newest Instagram boutique shop profile.

Lalani was dismayed, but then the situation got worse. Despite the disabled accounts, the PayPal account she linked to her social media pages to buy ads to promote her businesses got hit with a $900 charge. She immediately reached out to PayPal to dispute the charge—and is still waiting for a refund—but she also knew that getting PayPal to intervene wouldn’t fix the larger problem. Someone had bought Facebook or Instagram ads with her PayPal account, and she felt she had no way of reporting this behavior to Meta and stopping any future payments because Meta had disabled all of her accounts. A PayPal spokesperson told Ars that they’ve assisted Lalani with getting her refund.

“This is so unfair for business owners and seems criminal,” Lalani told Ars.

What happened to Lalani has happened to seemingly dozens of individuals and small-business owners, as evidenced by their complaints on the subreddit, r/facebookdisabledme. A hacker gains access to a Meta account, then adds their account to the business owner’s ad account before removing the original account owner. At that point, the hacker has taken over the ad account completely. Then, the hacker moves quickly to knock the original user off Meta before they notice the ad account has been commandeered. To do this, the hacker posts inappropriate content like pornography, which quickly prompts Meta content moderators to disable the original account. Once an account is disabled, small-business owners told Ars, they are “in an impossible position,” just as Lalani was. Many business owners told Ars that any attempts to appeal Meta’s decisions are repeatedly rejected.

“Complaints to Facebook have gone essentially unheard,” Darel Parker, who works in network engineering and systems management and also lost access to his business accounts, told Ars.

Parker is compiling complaints on the subreddit. He also launched a website to keep track of developments with accounts disabled by Meta for being hacked. Last week, he said he lost access to several Instagram and Facebook accounts, as well as to two dozen other business accounts that he manages as part of his business. He said that in addition to some users struggling to get refunds after hackers commandeer their ad accounts, business owners suffer emotional distress, reputational loss, and subsequent income loss.

When Parker’s accounts were disabled, he reached out to Facebook by email through its support portal and tagged Facebook and Meta on Twitter, but like many others in the subreddit, he received no response. So, he tried to go above Meta’s head, contacting officials, including the FBI Internet Crime Complaint Center and California’s attorney general.

Other Redditors have posted success stories from contacting the attorney general and have pasted the letters they got in response. In those cases, the attorney general told Facebook users, “We will write to the company that you have a complaint against and request a response from them regarding your concerns.” But even those Redditors who are successful report that going this route typically takes a month before accounts get reinstated. One Redditor suggested that contacting the attorney general only helped half the time.

A Meta spokesperson told Ars that the best way to notify Meta of issues with hacked accounts is via facebook.com/hacked and instagram.com/hacked.

“We’ve invested significant resources into detecting and preventing these kinds of scams and helping anyone who’s been impacted regain access to their accounts,” Meta’s spokesperson told Ars. “While many of the improvements we’ve made are difficult to see—because they’ve prevented people from having issues in the first place—we know that scammers are always trying to get around our security measures. We know it can be frustrating to experience any type of business disruption, especially at such a critical time of the year. We regularly improve our methods for combating these scams and have built teams dedicated to improving the support we can offer to people and businesses.”

What business owners want Meta to do about it

Meta looked into Parker’s, Lalani’s, and other users’ accounts flagged by Ars, but as of this writing, only some of Lalani’s accounts have been reinstated. For everybody else, it’s still a waiting game.

This scam is likely a tricky one for Meta because hackers gain access to accounts using emails the company believes have been compromised, which makes account reinstatement risky, especially when there’s the risk of the accounts posting content that violates community standards. And while the ad payments would ordinarily be disabled when the account is disabled, because the hackers remove the original accounts as managers, those ad accounts remain active and exploitable. Some PayPal users claimed they only received partial refunds because they pre-authorized the auto-payment charges while they were still in control of their ad accounts. This leaves open a security risk, Parker says, that has resulted in financial losses for many small-business owners, and Meta knows about it.

Parker told Ars that he feels certain he did not compromise his email, and he joins other users baffled by the hackers’ ability to circumvent Meta’s two-factor authentication when accessing login credentials. Because Parker and others feel Meta could be doing more to protect small-business owners, they’ve contacted a lawyer to potentially file a tort claim against Meta.

“The crux of my complaint, and the reason I believe our claims as a group have merit, is that by disabling a user’s account without warning and without any opportunity to dispute or respond to alleged violations (which Facebook refuses to disclose), Facebook makes it impossible for users to modify or remove connections to financial accounts, thereby placing those accounts at risk for fraud,” Parker told Ars.

Parker’s group hopes to prove that Meta demonstrates negligence by allegedly allowing fraudulent transactions when it’s clear an account has been hacked, profiting from fraudulent transactions and blocking users from accessing disabled accounts to prevent financial losses.

To remedy the situation, Parker told Ars that business owners want Meta to implement a better complaint and response system to escalate complaints when fraud is suspected. They also think Meta should create an easy way for business owners to reinstate accounts when Meta knows they’ve been hacked.

“Facebook encourages businesses to utilize their platform, to become reliant on it for day-to-day operations, and to incorporate it into our daily lives,” Parker told Ars. “But when there is a problem, Facebook provides no viable process to resolve it. While Facebook may not be directly involved in fraud, they are very much enabling it, profiting from it, and providing no recourse for its victims.”

Another small-business owner, a licensed mental health counselor named Amanda Regan, told Ars that she submitted so many appeals to Meta, trying to get her account reactivated, that she seemingly triggered an outdated support message. The last thing she heard from Meta was that the content moderation team is currently understaffed and could not review her issue due to COVID-19. Ars shared screenshots of the response with Meta, but Meta did not explain why Regan was fed this seemingly outdated response.

For Regan, losing her account access was not just about business. It also became deeply personal when her personal account vanished.

“It’s so sad,” Regan told Ars. “My friends are telling me that even the photos I posted of them are gone. I was kinda the group historian.”

By ASHLEY BELANGER/Ars Technica

Ashley is a senior policy reporter for Ars Technica, dedicated to tracking social impacts of emerging policies and new technologies. She is a Chicago-based journalist with 20 years of experience.