
What happens when your Facebook page is hijacked by a stranger

Key Points
  • An emergency-room doctor in Detroit and a gym owner in Fargo, North Dakota, have a similar story to tell.
  • Both have been locked out of their Facebook accounts for months and Facebook hasn't been able to help them.
  • The company says its support pages offer instructions on how users can protect their accounts or regain control of them if they're hacked.

You can't find Derek Kennedy, an emergency-room physician intern in Detroit, on Facebook.

Nor will you find Mariah Prussia, a professional fighter and fitness center owner in North Dakota.

At least not under their own real names.

Last summer, their accounts were hijacked and the passwords were changed, locking them out.

For months, both could only watch as someone else posted videos and text on web pages they had created and whose web addresses carried their names.

"I exhausted all the avenues," Kennedy, 30, told CNBC in a phone interview. "I want answers and I want my account back."

Says Prussia, "Individuals should understand Facebook does not have a support number or very good follow-through when it comes to hacking."

CNBC shared the web address of Kennedy's account with Eric Feinberg of the Global Intellectual Property Enforcement Center, which tracks and analyzes terrorism, hate speech and other illegal activity on social media worldwide.

Feinberg says he's not surprised by the hacks and pointed CNBC to YouTube videos with step-by-step instructions, in both English and Arabic, on how to hack into Facebook accounts.

"This is a cottage industry in the Middle East," Feinberg says. As for the hackers' motives, "It's possible they (the hackers) can't have their own accounts under authoritarian regimes," he speculates.

A YouTube spokesperson said any videos that include such content would violate their terms of service, yet a search for them on Thursday turned up thousands of results.

Syria and Turkey by way of Duke and Yale

Kennedy says he realized he had a problem late on the night of July 13, 2017, when Facebook sent him an email alerting him that his password had been changed.

Within minutes, he says, he started receiving a slew of emails alerting him to friend requests from other Facebook users -- none of whom he knew and all of whom had Arabic names and lived in the Middle East.

Alarmed, he tried to log into his account but found the password already changed.

Then Kennedy tried to get in using his security questions. But those had already been changed to ones he described to CNBC as "Muslim-related," which included an Islamic symbol and Arabic text.

"I'm a 34-year-old black man from Syracuse (New York). I don't have any ties that would have brought this on," he says.

Kennedy reported the hack to Facebook promptly via a Facebook page, he says, and shared with CNBC screen shots that support the claim.

In response, he received what he described as a generic message from Facebook, offering no instructions on how Kennedy could regain control of his account.

"Thanks for your report -- you did the right thing by letting us know about this," the message begins. "We've looked over the profile you reported, and although it doesn't go against any of our specific Community Standards, we understand that the profile or something the person shared may still be offensive to you. We want to help you avoid things that you don't want to see on Facebook."

The letter also says that Kennedy could "block...unfriend or unfollow" the person who stole his account.

"We know that these options may not apply to every situation, so please let us know if you see anything else that you think we should take a look at," the message concluded.

Kennedy then sent screen shots of his hacked account, and later had friends report the hack via a Facebook page. But the account stayed up.

"There's no email and no phone number (that was answered)," Kennedy told CNBC by phone.

On Wednesday, CNBC checked the hacked page and found that even though the web address still had Kennedy's name on it, the page shows a user calling himself Hussein Saraj Ali.

According to the profile, Ali is from "Alleppe, Harab, Syria" and lives in "Melikgazi, Kayseri, Turkey." Ali has more than 200 Facebook friends, all of whom have names that are Arabic or Turkish.

The impostor has never made contact with Kennedy, who said that he received a notice last year that his social security number and other personal data was stolen in the major hack of the U.S. Office of Personnel Management that was exposed in 2015.

"I guess someone needed a Facebook account and my password was floating around out there," he says.

After CNBC alerted Facebook to the account and asked for comment, a company spokesperson pointed us to several help pages that offer tips on how to keep an account secure. The most important thing a person can do when hacked, Facebook says, is to visit facebook.com/hacked immediately.

"This information can help keep them in control of their accounts," a spokesperson wrote. "For Kennedy, Prussia, and others, we continue to encourage them to follow the instructions at facebook.com/hacked."

Facebook does offer one main safeguard against these kinds of hacks. If a user says their account was hacked, Facebook sends an email to the address originally associated with the account. The user can then click a link in that email to re-associate the account with their real email (instead of the impostor's).

In this case, Kennedy says, the hackers took over his Yahoo email account along with his Facebook account, so that email was no help.

Another victim, another months-long ordeal

The same misfortune befell Mariah Prussia of Fargo, North Dakota, whose personal Facebook account was hacked literally before her eyes. (There's another Mariah Prussia from Virginia, whose personal Facebook page was not hacked and can be found by search.)

Prussia, 40, owns a fitness center and teaches as an adjunct professor at Minnesota State University Moorhead, and has also fought in eight professional mixed-martial arts bouts.

Before she was hacked, she had multiple Facebook pages: One personal, another for her business, MPX Fitness, and another page to promote her MMA fight career.

On June 6, Prussia was messaging a client via her business page when one of her marketing employees tried to update her MMA fan page and noticed something strange.

"She asked me if I had locked her out of the account by mistake," Prussia told CNBC in a phone interview.

When Prussia went to look at the administrator page, she found that she had also been locked out. When she then tried to reload the page, she saw the text on it had changed to Arabic and the page was identified as belonging to a user named Nizar Sulaiman al-Sawair.

"They were fast. It was crazy how they deleted my (administrative access on one account) within seconds of hacking the other account."

An email that Facebook sent to Prussia the same day alerted her that someone had reset her password from an IP address located in or near the town of Giza, in Egypt.

Prussia says she clicked the "secure your account" link and got a code, but was unable to use it in time to restore access.

Her MMA marketing page was saved by a quick-thinking IT worker who, still with administrative access, deleted the name of the hacker, also in Arabic, from the list of page administrators before the impostor could do the same (to the worker).

Still, Prussia was locked out of her personal and business pages for months. Although Facebook finally took the hacked pages down, she says, she had to create a new business page with a different name, MPX Fitness Fargo.

That hurt her marketing efforts because she lost contact with the followers of her original business account.

"This is my livelihood," she says.

Like Kennedy, she was never able to regain access to her personal account even though she and several friends alerted Facebook to the problem.

"I emailed and reported my account on numerous occasions, as well as had other individuals report the issue," Prussia told CNBC in a Facebook message this week.

Given that Facebook offered little help in resolving the situation, Prussia says she has learned an important lesson. She's added an extra layer of security to her two new accounts and the one that was saved from hackers.

"Two-factor security (authentication) is really important," she says, referring to optional security codes sent to users to confirm their logins.

After repeated attempts to create a new account in her real name, she finally created one using an alias, which she declined to share.

"I don't want Facebook or anyone else to take that one away," she says.