We're not Meta support: State AGs tell Zuck to fix rampant account takeover problem
'We refuse to operate as customer service representatives'
A group of 41 US state attorneys general, tired of serving as a customer complaint clearinghouse for Facebook and Instagram users, have sent a letter to Meta asking it to figure out how to reduce a "dramatic and persistent spike" in account takeovers.
In a letter [PDF] dated March 5, the AGs said their offices have received skyrocketing complaints from Facebook and Instagram users about account takeovers and lockouts since 2022.
In New York, "that number rose more than tenfold to 783 complaints by the end of 2023" compared with 2019, the letter says. Vermont saw a 740 percent increase, North Carolina a 330 percent spike, Illinois a 256 percent rise and Pennsylvania a 270 percent jump, all within a single year.
"We refuse to operate as the customer service representatives of your company," the AGs said. "Proper investment in response and mitigation is mandatory."
The letter does not detail the exact security issues behind the spike in takeover and lockout reports, but the AGs have an inkling of why it might be happening: layoffs.
"While we may not be completely certain of any connection, we note that the increase in complaints occurred around the same time Meta announced a massive layoff of around 11,000 employees in November 2022," the letter asserts.
Account takeovers can happen in a number of ways, from simple credential stuffing attacks to usernames and passwords being sold as part of data dumps. There is a known issue at Meta with account takeovers caused by phone number recycling in the US, in which abandoned numbers are reassigned to new telco customers without being unlinked from the old customer's accounts. A password reset request or two-factor authentication code sent to the old number can then be misused to gain illicit access.
Meta is aware of the problem with account takeovers due to phone number recycling in particular, but brushed off responsibility for the matter last month, saying it's the telco's responsibility to address the problem.
"Facebook doesn't have control over telecom providers who reissue phone numbers or with users having a phone number linked to their Facebook account that is no longer registered to them," Meta told us last month.
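To make the recycled-number failure mode concrete, here is an added example (not Meta's code, and not from the AGs' letter) that simulates a carrier reissuing a number and contrasts a naive SMS-only reset with a hardened one. The carrier directory, account fields, the 180-day re-verification window and the names `naive_reset` / `hardened_reset` are all assumptions made for illustration.

```python
"""Recycled phone numbers vs. SMS-based account recovery (illustrative only)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

# Hypothetical policy knob: a linked number must have been re-verified within
# this window before the service trusts it on its own for a password reset.
PHONE_FRESHNESS = timedelta(days=180)


@dataclass
class Account:
    username: str
    phone: str
    phone_verified_on: date          # last time the owner proved they still hold the number
    has_authenticator: bool = False  # app/hardware second factor enrolled?


class Carrier:
    """Toy carrier directory: which subscriber currently holds each number."""

    def __init__(self, owners: Dict[str, str]) -> None:
        self.owners = dict(owners)

    def reassign(self, number: str, new_holder: str) -> None:
        # The telco reissues the number; the old subscriber's accounts are not told.
        self.owners[number] = new_holder

    def deliver_sms(self, number: str) -> str:
        # Returns whoever actually receives a message sent to this number today.
        return self.owners[number]


def naive_reset(acct: Account, carrier: Carrier) -> str:
    """'Before' flow: the reset code goes to the linked number, and whoever
    holds the handset now can finish the reset."""
    return carrier.deliver_sms(acct.phone)


def hardened_reset(acct: Account, carrier: Carrier, today: date) -> Optional[str]:
    """'After' flow: refuse SMS-only reset if the number has gone stale or a
    stronger factor exists. Returns the SMS recipient, or None meaning the
    user must step up (authenticator / recovery codes) instead."""
    stale = today - acct.phone_verified_on > PHONE_FRESHNESS
    if stale or acct.has_authenticator:
        return None
    return carrier.deliver_sms(acct.phone)


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: Alice linked a number in 2021, dropped it, and the
    carrier reissued it to a stranger before a reset is attempted in 2024."""
    number = "+15555550100"                      # constructed sample number
    carrier = Carrier({number: "alice"})
    alice = Account("alice", number, phone_verified_on=date(2021, 3, 1))
    carrier.reassign(number, "new_subscriber")
    today = date(2024, 3, 5)

    # Same account, but with the number re-verified recently and no reissue.
    carrier_fresh = Carrier({number: "bob"})
    bob = Account("bob", number, phone_verified_on=date(2024, 1, 10))

    return {
        "naive_recipient": naive_reset(alice, carrier),               # stranger gets the code
        "hardened_recipient": hardened_reset(alice, carrier, today),  # None: step-up required
        "fresh_recipient": hardened_reset(bob, carrier_fresh, today), # legitimate owner
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The freshness window only shrinks the exposure: a number reissued the day after a re-verification is still trusted until the window lapses, which is why the hardened flow also routes any account with an authenticator away from SMS entirely. Periodic re-verification prompts and offering recovery codes at enrollment are the practical complements to this check.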
"There is a significant risk of financial harm to both the affected user and other individuals on the platform," the AGs said in their letter. With many users linking credit cards to their Facebook accounts, "We have received a number of complaints of threat actors fraudulently charging thousands of dollars to stored credit cards."
The AGs said they've sent their letter to Meta, asking for immediate action to address the account takeover issues, whatever the cause.
"We request Meta take immediate action and substantially increase its investment in account takeover mitigation tactics, as well as responding to users whose accounts were taken over," the AG coalition said.
According to Michigan AG Dana Nessel's office, the group is specifically urging Meta to increase staffing and adopt new account takeover protection procedures, including additional multi-step authentication measures.
It's not clear if the AGs have heard back from Meta, or whether they plan to take additional action if the matter isn't resolved to their satisfaction. We've asked, but haven't heard back.
A Meta spokesperson told us that it already invests "heavily" in training its employees to detect compromised accounts, and that it regularly shares tips with users on how to protect their accounts.
"Scammers use every platform available to them and constantly adapt to evade enforcement," Meta told The Register in an emailed statement. ®