Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Facebook Security

Facebook is Locking Out People Who Didn't Activate Facebook Protect (theverge.com) 42

Posted by msmash from the oops dept.
An anonymous reader shares a report: Early in March, a bunch of Facebook users got a mysterious, spam-like email titled "Your account requires advanced security from Facebook Protect" and telling them that they were required to turn on the Facebook Protect feature (which they could do by hitting a link in the email) by a certain date, or they would be locked out of their account. The program, according to Facebook, is a "security program for groups of people that are more likely to be targeted by malicious hackers, such as human rights defenders, journalists, and government officials." It's meant to do things like ensure those accounts are monitored for hacking threats and that they are protected by two-factor authentication (2FA).

Unfortunately, the email that Facebook sent from the address security@facebookmail.com resembled a rather common form of spam, and so it's probable that many people ignored it. It actually wasn't spam. In fact, it was real. The first deadline to hit for many people was Thursday, March 17th. And now, they are locked out of their Facebook accounts -- and are having trouble with the process that Facebook has provided to get them back in. Those who did not activate Facebook Protect before their deadline are apparently getting a message explaining why they can't get into their accounts and offering to help them turn it on. However, it's not always working.
This discussion has been archived. No new comments can be posted.

Facebook is Locking Out People Who Didn't Activate Facebook Protect More

Facebook is Locking Out People Who Didn't Activate Facebook Protect

Comments Filter:

  • Never interrupt your enemy (Score:5, Informative)

    by Rinikusu ( 28164 ) on Friday March 18, 2022 @02:43PM (#62369599)

    When he's making a mistake.

    Less people on Facebook? fuck yes. Fuck Zuck.

    • I like the way they speak about being locked out of Facebook as if it is a bad thing.

      Seriously, it's the best thing that could happen to someone.

    • And don't tell them to use a known email address. Please facebook continue to use random new domains for every new email type, so nobody can tell them from phishing spam :P.

      @facebook-security.com.. F. off.

  • Sounds good. They are using a risk-based approach to ensure that folks that have accounts on their system that are more highly prone to attack have implemented processes to ensure that compromise does not happen and can be detected if it does. That sounds like a great idea. This makes sure that customers/clients/users are listening to their warnings, derived from real threat intel, and are taking appropriate measures to protect their accounts. Good on FB for forcing this, especially for users that have bee

    • Re:So ... good? (Score:4, Insightful)

      by whoever57 ( 658626 ) on Friday March 18, 2022 @03:08PM (#62369705) Journal

      Sounds good. They are using a risk-based approach to ensure that folks that have accounts on their system that are more highly prone to attack have implemented processes to ensure that compromise does not happen and can be detected if it does.

      Another good idea is to figure out how to get the message to the people affected by this without it looking like a phishing attempt.

      • At the very least, they could just use @facebook.com for important emails. Stupidly, they gave *users* the domain @facebook.com (fbusername@facebook.com) and use facebookmail.com for themselves. Real smart.

        They actually got rid of the facebook.com email service 8 years ago. But continue to forward emails received to your primary email account. I'd think sometime between then and now they could have taken the domain for their own email.

      • Re: (Score:2)

        by dougmc ( 70836 )

        Sounds like they should have sent the message within Facebook itself somehow.

        I mean, Facebook is already really good at sending people notifications, just send them occasional notifications about the requirement.

    • Re: (Score:3)

      by splutty ( 43475 )

      So people that are already 'at risk', and are most likely very 'risk aware' get an email from an address that seems dodgy, with content that seems dodgy, and they toss it in the garbage.

      As they should... Facebook's communication in this instance was really really stupidly done.

      • Email address I got this from was from facebook.com. Not sure what you're referring to....

        • Re: (Score:2)

          by splutty ( 43475 )

          TFA says 'facebookmail.com', which I would immediately flag as fake, to be honest.

        • The summary. They don't use @facebook.com for security - ever since they let users have @facebook.com email addresses from 2010-2014. It's been discontinued for 8 years and they still use the alternate domain for their important emails.

  • A "security program for groups of people that are more likely to be targeted by malicious hackers, such as human rights defenders, journalists, and government officials."
    Meta aka Facebook.

    A strangely Freudian slip to claim that all human rights defenders journalists and government officials are malicious hackers?

    • Re: (Score:2)

      by splutty ( 43475 )

      You see that comma? That should probably have been a semi-colon, but still, it does separate the 'hackers' from the rest.

      • A regular colon might have worked, but a semicolon would have still made it ambiguous. It's practically an orphaned parenthetical. It should have come with a comma at the start AND end right after the words "groups of people." Or maybe the whole sentence could be rewritten to get rid of passive voice.

  • Privacy Rapist locks you out of their service (Score:3)

    by Sebby ( 238625 ) on Friday March 18, 2022 @03:00PM (#62369669)

    Sounds like a win to me.

  • lol (Score:2, Insightful)

    by _0x0nyadesu ( 7184652 )

    Facebook is now the platform for out of touch boomers.

    • Re: Out of touch boomers (Score:1)

      by Anonymous Coward

      This boomer is not out of touch and I blocked FB about 10 years ago.
      There is some truth in what you said but there are millions of non-boomers who use it every day.
      You'd have to pay me $100,000 just to try to create an account but honestly, the sooner FB and all so called social media platforms die a horrible death the better in my opinion.

    • No, Facebook is the platform for everyone. Out of touch boomers are just the people who post on timelines. The overwhelming majority of millennials and younger have a Facebook account. They just don't use it like they did in the past.

      e.g. I only open Facebook to check the local events pages, sign in to Oculus, and to get updates from local comedy clubs and music venues. I also use messenger to communicate with friends back home.

      NFI what's going on on the timeline, that "traditional" facebook went to shit ov

  • The rumor is that Facebook had secretly created pages for people who don't have pages ready to roll as soon as they create one. Does that get protection too?

    Juicy anecdote: My friend is a senior developer in a hot field, AI+hardware working in some medical device company. Some recruiter arranged an interview for her in Facebook. The opening interview shocked the interviewer. Half the questions she could not even understand. He discovered to his shock and horror she does not have a facebook page, has never

  • Facebook *IS* a common form of spam.

  • Anit-phishing trainining (Score:5, Insightful)

    by Nugoo ( 1794744 ) on Friday March 18, 2022 @04:03PM (#62369865)

    A common problem I have with corporate phishing training is that it always focuses on training the recipient to recognize incoming phishing attempts, but it never seems to include a section on how to avoid creating official emails that don't look like phishing attempts. I can't count the number of legitimate corporate feedback survey requests I get that link to external websites.

    • Re: (Score:2)

      by sk999 ( 846068 )

      Or legitimate corporate emails with a subject line like "IMPORTANT INFORMATION!"

    • Re: (Score:2)

      by antdude ( 79039 )

      It's not just corporate. From companies that I use too like medical providers, banks, etc. that don't use their own domains. Confusing.

  • "security program for groups of people that are more likely to be targeted by malicious hackers, such as human rights defenders, journalists, and government officials."

    I've got that POS email, just because I am co-moderator of a couple of retro-animation/anime groups....

    "human rights defenders, journalists, and government officials" my ass...

    PS: Aside from the spammy email reffered in TFS, Facebook warned me/you/us when you [i]opened Facebook[/i] (page or App), so you'd be really stoopid to miss it.

    • > Facebook warned me/you/us when you [i]opened Facebook[/i] (page or App), so you'd be really stoopid to miss it.

      Fun fact: most people don't log into Facebook in any given two week period.

      I know, Metabots can't imagine that.

      • Fun fact: most people don't log into Facebook in any given two week period.

        I know, Metabots can't imagine that.

        I am not a "metabot", but I DO moderate two groups there.

        Part of moderating groups is to access them frequently. Those groups were formed in 2016 and 2017 by other people. They allowed me tp become a moderator in 2021 (pandemic downturn allowed)

        If the groups were in, say, twich, or IRC, I'd had to log into twitch or IRC daily, to, you know, moderate...

  • This was really badly managed (Score:5, Insightful)

    by roc97007 ( 608802 ) on Friday March 18, 2022 @04:34PM (#62369949) Journal

    Although I personally try to keep my head down and am apparently not in the affected group, an activist friend of mine is in this category and did receive the email. As stated in TFA, the email looks just like common spam, more correctly, a common phishing attempt. She ignored it, as most people would, and got locked out of the account which is instrumental in, you know, her job.

    As we've been trained over the last 20 years or so to recognize and ignore phishing attempts, it's no surprise that people ignored it. In fact, you'd have to be rather naive to actually click on the link.

    The way they SHOULD have done it is to give directions on what to click on your facebook page to turn on the feature. This is less risky than clicking on some link in an email, which... I mean really, do you know anyone with half a brain who would do that?

    What I see happening now is a huge uptick in phishing attempts, all patterned after this email, with a link to click on. They'll try to take advantage of users' anxiety that they might be real based on this one that was.

    So, really bad form, Facebook. You locked out people unnecessarily in the name of security, violating the Availability part of "Confidentiality, Integrity, Availability" the three, equally important, principles of security, you trained some subset of your users to do dangerous things, and you gave the phishers a great idea on their next scam. Good going.

    • The way they SHOULD have done it is to give directions on what to click on your facebook page to turn on the feature.

      The proper way to have done it would've been with a login redirect to the relevant information when you visit the site/open the app. Nobody with half a brain clicks links in emails, and any email claiming "you need to follow these steps to update your security" is a phishing scam 99% of the time.

      • The way they SHOULD have done it is to give directions on what to click on your facebook page to turn on the feature.

        The proper way to have done it would've been with a login redirect to the relevant information when you visit the site/open the app. Nobody with half a brain clicks links in emails, and any email claiming "you need to follow these steps to update your security" is a phishing scam 99% of the time.

        Ok I'll buy that. Doing it on login would have been better.

  • I posted,"Putin needs a bullet to his brain". I got a three day ban for bullying. Immediately after the ban expired, I reposted it and got a seven day ban. When the ban expires again on Sunday, I will post it again.

  • Use Facebook onion address if you have to and NEVER enable software 2FA especially with a SMS backup option (Facebook does)

    3rd party company they all outsourced the 2FA by SMS was playing dirty games with government and let me remind you oppressive governments have root access in their GSM networks including receiving any SMS. I know reporters getting hacked because of this and all their inbox leeched.

    They with such CVs and credentials know all of this, they ignore on purpose. Teach your fellow reporters to

Slashdot Top Deals

He has not acquired a fortune; the fortune has acquired him. -- Bion

Close