
‘Not Our Problem’

Hacking victims need help from the social media and other big tech companies through which they were hacked; many are not getting it.

[Illustration credit: Getty Images. A cybercriminal emerges from a manhole-cover app icon on a mobile phone screen.]

Social media and technology companies are neglecting hacking victims.

Cybercriminals are using nefarious means to control user accounts, commit fraud, and violate consumer privacy. The companies that provide those accounts are blaming the victims and leaving consumers to find their way through the mess.

On March 6, WIRED reported Meta, a Menlo Park, CA-based social technology company, was abandoning Facebook and Instagram users who experience account-takeover attacks as criminals use stolen passwords to displace the rightful account holders. The previous day, 41 state attorneys general wrote to Meta chief legal officer Jennifer Newstead about Meta’s failure to help affected users.

State governments are helping users at great expense, even as Meta profits from ads that attackers place using funds from hacked accounts, the attorneys general letter claimed. States are spending on response efforts to lessen victims’ pain, though the attorneys general assert Meta should bear the responsibility … and the expense.

The cost of hacks is high. A study from CoinJournal identified the 10 U.S. states with the highest average financial losses per victim of cybercrime. Alabama ranked highest with an average per-victim loss of more than $50,000. New York was second, with an average loss of more than $30,000. The study analyzed 2022 data from the FBI Internet Crime Complaint Center.

According to the attorneys general letter to Meta, account takeover complaints to the New York State Attorney General alone have risen tenfold from 2019 to 2023. The attorneys general demanded immediate action from Meta. (Meta did not respond to a request for further information as of this writing.)

Account takeover sets back Facebook business user

Andrew Lock, a Facebook business user, recently suffered an account-takeover attack. “I opened my account on my phone and it had logged me out. When I tried to log in, it wouldn’t log me in,” said Lock, owner of The Travel Pro Show, a Las Vegas-based online show for frequent flyers and business travelers.

Lock reset the account’s password, but then the account’s two-factor authentication (2FA) failed. 2FA is additional proof, beyond a password, that the real user is logging in. It can be a secret question only the user can answer, a one-time number sent to a smartphone, or a time-limited code generated by an authenticator app on the smartphone. Search and software vendors Google and Microsoft, among other companies, offer authenticator apps.

Lock continued, “I looked through my spam folder and saw an email from Facebook that said the email on my account had been changed. I clicked the link [in the email] to say it wasn’t me [who changed it]. But the link had expired.” Facebook sends notices of account changes so users can confirm whether they made those changes.

Lock eventually found a Facebook link where he could upload his identification to resolve the issue. After multiple attempts, Facebook replied it had reset his account. Yet there was still the issue with 2FA.

“I confirmed through talking to other people the 2FA had been hacked. I finally got it unlocked by uploading a picture of my ID and a note in the same photo that said my 2FA is hacked; I need you to reset it,” said Lock. When Facebook reset the account again, it did not ask Lock for his 2FA, so he was able to log in.

It took Lock about a month to get back into his account. “If there was an option to email someone or call, I would happily pay for that. But they just don’t do that,” said Lock.

The logic behind lax support for victims of account-takeover attacks could be financial. “Assuming the claims of the Attorneys General are accurate, it probably makes more sense financially not to aid the users with hacked accounts because the penalty that Meta might expect to pay is less than the money they made or saved by not helping users,” said Doug Schuler, president of the Public Sphere Project, a Seattle-based nonprofit that studies and promotes civic intelligence.

Not Just Meta

Meta is not the only technology giant in this position. Other companies, such as Seattle-based global retailer Amazon and San Jose, CA-based streaming media platform Roku, also appear to neglect consumers whose accounts or devices have been hacked.

According to TechCrunch, in 2019, a security researcher found more than 1,500 Ring doorbell users’ passwords and email addresses on the dark web, the Internet’s version of an underground marketplace. The leaked data included users’ time zones and doorbell locations.

That same year, criminals were hacking consumers’ Amazon Ring doorbells. “Some hackers asked individuals in their living rooms what they were watching on TV through Ring doorbells,” said Star Kashman at C.A. Goldberg PLLC, a Brooklyn, NY-based law firm, who is an award-winning cybersecurity and privacy law expert. Consumers have used Ring devices as indoor security cameras. The devices have microphones and speakers, so the criminal hackers were able to see, hear, and speak with the Ring users in their homes.

In December 2019, CNN reported a criminal hacker had used a Ring security camera to watch an eight-year-old girl in her bedroom, while telling her through the device speaker that he was Santa Claus. The criminal tormented the girl and had her screaming for her mother, according to CNN.

Consumers alleged in a class-action suit that Amazon responded to their claims about the Ring abuses by victim-blaming, attempting to explain away the issues and offering little to no help, according to Kashman. “Amazon failed to be helpful to consumers when they realized they were in danger because of the inadequate security of the devices,” said Kashman, who specializes in cases involving personal injury against big tech.

Incensed, Justin Cappos, associate professor of computer science and engineering at New York University’s Tandon School of Engineering, said, “It’s crazy to me they [Amazon] would sell a highly sensitive device like an Internet-attached camera with a speaker to consumers and rely on outdated authentication technology like a password and username.”

Amazon Ring did not comment. Litigation against the company is ongoing.

Don’t sue Roku

Criminals recently hacked user accounts for the popular Roku set-top boxes and TVs, which access streaming networks and shows from the Internet. Roku sent breach notifications to users in response. The streaming platform company blocked device access until users agreed to newly modified terms of service, which include agreeing not to sue the company.

According to a Maine.gov data breach notification, cybercriminals hacked more than 15,000 Roku user accounts between the end of December 2023 and mid-February 2024. According to BleepingComputer, cybercriminals used credit cards stored in hacked accounts to buy Roku hardware and subscriptions.

In the first week of March, many users commenting under forum usernames on a Roku community thread discussed how Roku had disabled their devices until they accepted changes to its Terms and Conditions (T&C). According to the thread, users who read the T&C learned that by accepting them, they agreed not to sue Roku or join any Class Action suits against the streaming service.

A March 5 TechCrunch article confirmed that Roku had disabled device access until users agreed to new “dispute resolution terms.” According to the TechCrunch article, the terms block users from suing Roku. The terms include “Informal Dispute Resolution” requirements, forcing users to take their disputes to Roku lawyers first.

According to Kashman, Roku published the breach notification after implementing the feature on Roku accounts that forced users to accept new terms before logging in and using their Roku devices. Kashman said the terms included consent not to sue Roku, thus decreasing the consumers’ rights.

Roku might have avoided this mess by building better security into its products from the start. According to Cappos, Roku should have foreseen, when designing the technology, that cybercriminals could use hacked accounts to make fraudulent purchases. “I cannot believe that Roku would have been so negligent with their security had the company, instead of its users, been financially liable for such activities,” Cappos said.

There are some good apples

According to Cappos, some tech companies outside of social media work with sensitive data and are making decent strides in safeguarding users. Apple’s iPhone, which holds a great deal of highly sensitive data, has various protections that block many types of tracking by apps, said Cappos.

“It makes sense that companies will occasionally make a misstep, but when it becomes a pattern, as with Meta, then a consumer should be very concerned and avoid their products,” said Cappos.

David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.
