My Facebook account got hacked. Now what do I do?

Earlier this week, my Facebook identity was hijacked. You may be thinking that this happens all the time, and it’s not like my financial information was compromised, so what’s the big deal, right? Wrong. It is a big deal, because someone was trying to pose as me, and could have used my identity for any number of nefarious reasons.

How I learned that my Facebook account got hacked.

In my case, a friend notified me via Messenger that he got a second friend request from me, and that my account may have been compromised. I immediately posted a message, asking friends if they’d also gotten invites, telling them I was concerned that my account was hacked. I quickly got several comments back, saying that in fact, many did. Heather Drago in Kyoto, Japan was friend requesting them.

While that was happening, I did a search on my name in Facebook, and saw several other (lovely) ladies named Heather Drago, as well as the offending account, which listed Kyoto as my location. When I clicked on it, I saw photos of me and my children, which made me want to throw up. Can you say creepy?

I reported the offending account to Facebook, telling them that someone was impersonating me. I’ll tell you what happened next, but first, let’s get to what you really want to know…

Why do people impersonate Facebook accounts?

Often, these types of fake accounts are created so that hackers (for lack of a better name) can trick your friends into accepting a friend request, which gets the fake account’s posts into your friends’ feeds. Then they publish deceptive content that lures people into clicking on links that expose them to harmful viruses or other malware, or that trick them into unknowingly sharing sensitive information.

Other types of hacks include brute-force attacks, where a program repeatedly tries to log in to your account, systematically guessing your password using word lists and algorithms. Once they break in, they gather information about you (financial if possible), and they often go on to try your email address and password on other sites, like banking and credit card accounts, which is exactly why reusing one password everywhere is so dangerous. Or they sell your information.

Ugh. This makes me so angry. But I guess it’s the world we live in now.

If you’ve been impersonated on Facebook, don’t panic. There are steps you can take to harden your account and minimize damage. If it hasn’t happened to you, thank your lucky stars, and then take a few minutes to check your account and make sure you’re protected against a possible future attack.

What to do if your Facebook account gets hacked.

Here are six steps to take if you suspect your Facebook account has been compromised.

1. Confirm it’s happening. Notify your friends by posting a message about it. Let them know someone is sending false friend requests as you, and that they should delete them. Also, ask them to report whether or not this has already occurred. This will (a) minimize risk to them and (b) confirm whether or not you have a problem and just how bad it is.

2. Look for fake accounts. Search using your name in the Facebook search bar. Look through the list of accounts with your name. If there aren’t that many of them, click on each one and confirm that it’s legitimate. If your name results in a long list of accounts, scan through it and look for those that don’t have profile pics. Click on those accounts to make sure they’re not displaying your photos or information. Some may even be brazen enough to actually use your photo in the profile.

3. If you spot a fake account, go to the timeline of the offending account and click […] in the top right corner, next to “Message”, and then select Report. A list of possible reasons to report an account will appear; click on “this timeline is pretending to be me or someone I know”.

[Screenshot: someone's impersonating me on Facebook | how to report]

When Facebook asks who the offending account is pretending to be, let them know it’s you (you can also do this on someone else’s behalf), then continue and click to “submit to Facebook for review”, then click done.

4. If you don’t spot a fake account, but still suspect you’ve been hacked, you can report it here. Once you’ve done this, Facebook will guide you through some steps to check your account to see if it’s been compromised.

In either case, your report will be sent to the Facebook overlords, who will then review and decide whether or not to shut down the offending account. You’ll start getting messages about the process as they work through the case. It’s not instantaneous. It may take a few hours to get information back from them.

5. Regardless of Facebook’s findings, immediately change your password and set up extra security measures. Go to settings, and then “Security and Login”.

  • I’ll say it again. Change your password. Impersonating accounts may not have broken into your account, but why risk it? It’s a good idea to regularly change passwords anyway. Now is a good time to make doubly sure your password isn’t causing a vulnerability. When you change your password, make sure it’s unique, meaning it’s not used on any other online accounts. (More about passwords below.)
  • Make sure that the IP addresses and devices you see listed as logged-in match the ones you are currently using.
    • To see the IP addresses of the computers listed, hover over them with your mouse (on mobile, tap on them). A popup box will appear with a numeric code. That’s the IP address: a number that identifies where a connection is coming from, usually a computer or the home or office network it sits behind (devices sharing one router show the same public address), sometimes an internet service provider (ISP).
    • If you don’t know your IP address, Google “what is my ip” in your web browser. You will see a box with your computer or network’s IP address right at the top of the search results page. I’ve blacked mine out here. Your number will appear above “your public IP address”.

      [Screenshot: what is my IP]
    • If any of the active computers listed do not match your IP address, click on the three dots to the right of that listing, and then “Not You?” to report it. Keep in mind that your address changes when you move between home, work, and mobile data, so check the device type and location shown next to each session as well before deciding a login isn’t yours.
  • Set up alerts about unrecognized logins.
  • Set up two-factor authentication. With this turned on, any login from a device Facebook doesn’t recognize needs a code sent to your phone (by text or from an authenticator app) in addition to your password, so a stolen password alone isn’t enough to get in, and the code arriving also tells you that a new login is happening. This means that when YOU login to Facebook, you’ll have to (occasionally) confirm it’s really you. Yes, it can be annoying to have to stop and take this extra step, but it’s really the safest option.
  • Revisit your privacy settings. This is just as important as security. If your Facebook profile and postings are public, complete strangers can view your photos, location, and information about your family in searches off-platform, like in Google.
    • Make sure your posts, friends list, and contact information are only shown to the people you really want to see them.
    • Think about who can contact you and reset if necessary.
    • Same with look-ups. Do you want people to look you up on Facebook using your email address or cell phone number? If not, make sure this feature is turned off.

6. Audit your other online accounts and make sure that you’re using good password hygiene:

  • Use unique passwords for every account.
  • Use strong passwords that will be difficult to guess. A good rule of thumb is to use a combination of two or three common but unrelated words, and then mix in upper/lower case characters, numbers, and special characters. You can also use an automated strong password generator, like this one.
  • Document your passwords, and secure them in a safe place. Some IT professionals recommend the old school system of writing them down on paper or in a notebook. If you do this, keep the list at home or in your office, ideally locked up, where prying eyes can’t see it. If you prefer a more modern solution, there are several password vault apps out there. When looking for an app, make sure it’s a paid app, with good reviews, and that it has back-up options (so you can retrieve your passwords if something happens to your phone or computer). I use mSecure and have found it to be very helpful.
  • Use two-factor authentication on every online account that you own, whenever possible.
  • Set up login alerts wherever they are offered, so that you know if someone is logging into your account.
  • 2019 Update: This blog post by VPN Geeks has some very good information about creating strong passwords along with reviews of a few different password vaults.
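As an added example (this is not code from the post, and the word list and sample accounts are constructed for the demo), here is a small Python script that does two of the things step 6 asks for: it generates a password using the “two or three common but unrelated words, with upper/lower case, numbers and special characters mixed in” rule of thumb, and it audits a list of accounts for passwords that are reused or weak. A real generator would draw from a dictionary of thousands of words rather than the dozen used here, and an audit like this should only be run on a machine you control.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample word list for the demo. A real generator should draw
# from a dictionary of thousands of words; a list this small is far too
# easy to guess through.
WORDS = [
    "maple", "rocket", "violet", "harbor", "pencil", "thunder",
    "walrus", "copper", "lantern", "meadow", "pixel", "glacier",
]
SYMBOLS = "!@#$%&*-_=+?"
MIN_LENGTH = 12  # assumed minimum; the post gives no specific number

_rng = secrets.SystemRandom()  # OS-backed random source, not the default random module


def _random_capital(word):
    """Upper-case one randomly chosen letter of the word."""
    i = _rng.randrange(len(word))
    return word[:i] + word[i].upper() + word[i + 1:]


def generate_passphrase(num_words=3, words=WORDS):
    """Build a password the way the post recommends: distinct unrelated words,
    with mixed case, a two-digit number and symbol separators mixed in.
    Output has the shape 'mAple42#rOcket!viOlet' (actual words are random)."""
    if not 2 <= num_words <= len(words):
        raise ValueError("num_words must be between 2 and the size of the word list")
    chosen = _rng.sample(words, num_words)  # sample() never repeats a word
    parts = [_random_capital(w) for w in chosen]
    digits = "".join(_rng.choice(string.digits) for _ in range(2))
    out = parts[0] + digits
    for part in parts[1:]:
        out += _rng.choice(SYMBOLS) + part  # at least one symbol since num_words >= 2
    return out


def has_all_classes(password):
    """True if the password mixes upper case, lower case, digits and symbols."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def audit_passwords(accounts):
    """Check an account -> password mapping for the two problems step 6 warns
    about: one password reused across several accounts, and passwords that
    are short or missing a character class. Lists are sorted for stable output."""
    by_password = defaultdict(list)
    for account, password in accounts.items():
        by_password[password].append(account)
    reused = {pw: sorted(accts) for pw, accts in by_password.items() if len(accts) > 1}
    weak = sorted(acct for acct, pw in accounts.items()
                  if len(pw) < MIN_LENGTH or not has_all_classes(pw))
    return {"reused": reused, "weak": weak}


# Constructed sample data: made-up accounts and passwords for the demo.
SAMPLE_ACCOUNTS = {
    "email": "Sunshine2019",
    "bank": "Sunshine2019",  # same as email: one breach exposes both accounts
    "facebook": "mAple42#rOcket!viOlet",
    "shop": "cat",
}

if __name__ == "__main__":
    print("suggested passphrase:", generate_passphrase())
    print("audit of sample accounts:", audit_passwords(SAMPLE_ACCOUNTS))
```

Running the script prints a fresh passphrase and flags “email” and “bank” as sharing one password (and, together with “shop”, as weak, since “Sunshine2019” has no special character and “cat” is far too short); the “facebook” entry passes. The generator uses `secrets.SystemRandom` rather than the plain `random` module because the latter is predictable and unsuitable for anything security related.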

So what happened after I reported the impostor to Facebook?

Well, they sent me an email and very politely thanked me for helping to make Facebook better by reporting the incident. You’re welcome.

Then they said that it’s very important to them to make Facebook a safe and welcoming place, but that the reported account didn’t violate any of their standards (disagree!). When I checked again, that account was gone. The offending party may have blocked me, or they may have been removed. I don’t know. What I do know is that I lost 4 hours of my life tracking down what happened and then auditing the security of all my online accounts.

My big take-away is this: be vigilant and diligent about online privacy and security.

I have to be on Facebook every day because of what I do. Leaving the platform is not an option for me. But after this little episode, I will be even more careful than usual about my online profiles and information.

But hey, it’s not all bad. I got this blog post out of it!

P.S. This may be obvious, but just a reminder. What to do when you get friend requests from folks you’re already friends with? Make sure you haven’t unfriended them for some reason, and if you haven’t, then delete the request.