In November 2019, NOI Polls published a public opinion poll which showed that 114 million Nigerians use the internet for social networking. Out of this number, 12% acknowledged that their social media accounts had been hacked. Since November, we have been seeing complaints from users on and off social media about their accounts being hijacked. Spurred by the situation, the NoGoFallMaga Team dedicated a subset of its volunteers to the recovery of hijacked social media accounts. So far, we’ve received 38 requests and helped recover 21 accounts. Below are a few insights and lessons learned from our expedition.
None of the Hacked Accounts Used 2FA
Despite the availability of two-factor authentication (2FA) or multi-factor authentication (MFA) features on social networking platforms, we observed that none of the hacked accounts had it enabled. This may be due to a lack of awareness on the part of the users. If this is the case, awareness campaigns need to be run more often.
Another possibility is that the users had not totally bought into the importance of security. Hence, it is imperative that users be made to understand that security is a trade-off. The stress or damage that results from a hacked account far outweighs the slight inconvenience of logging in with 2FA enabled.
Weak Passwords
The use of weak passwords is still an issue. The majority of the hacked accounts had weak passwords; there was even a case in which the victim used a phone number as a password across multiple accounts. The use of simple-to-remember phrases built from information known only to the user, mixed with special characters, needs to be emphasized. Younger, tech-savvy users should also be encouraged to use password managers.
Social Engineering Attacks
Some accounts were accessed using social engineering techniques, such as sending a message that appears to be from Facebook asking the recipient to “log in”, or using the pretext of online trading to get credentials from users. The fact remains that a lot of social media users in our clime have had no form of security awareness training, and much needs to be done in this area.
Difficulties Experienced While Recovering Accounts
A number of accounts proved difficult to recover due to the following:
- The hacker also hacked the email account of the victim and changed their email recovery details
- Email and/or phone number used to open the social media account was no longer accessible
- The link in the email from Facebook notifying of a change in email address had expired
- Social media account did not have an email tied to it. Hence, the hacker added his own email, then changed the phone number associated with the account.
Recommendations to Boost the Possibility of Account Recovery
Respond immediately: seek help and take action as soon as you notice a hack. Also, make sure you have a functioning email address tied to your social media account; the email account should have 2FA enabled and use a strong passphrase.
Finally, the NoGoFallMaga Social Media Account Recovery Team is always on standby to help. Send us an email at smrecovery@nogofallmaga.org with a description of your issue.