A Facebook hacker beat my 2FA, bricked my Oculus Quest, and hit the company credit card

If you haven’t been following the action on Twitter, you may or may not have noticed I vanished from Facebook and Instagram. That was just the beginning. In this post I’ll run you through the timeline, share what I’ve pieced together, and post updates as they unfold. Let me encourage you to follow @CodeWritePlay or @Mechatodzilla on Twitter where I’ll alert you when those updates occur.


Update 8/20, 9:03 PM – You good folks have commented on the page about what’s going on, posted this article, and warned users not to click on ads using the video. You are the best! Some combination of your reports and my frozen credit card have stopped the scam ads. The video I didn’t put up still remains.

Update 8/20, 11:19 PM – Thanks to your reports and shares, the CodeWritePlay business page has been taken down. This was honestly the best outcome. It wasn’t acceptable for me to be locked out and a scammer to run my page, and there’s no way I was going to return and run it on the platform again. I’m perfectly content leaving Facebook behind. Onward and upward. Thanks one and all.

The timeline

8/19, shortly before 3:30 AM – While I slept like I was dead after staying up too late watching Hulu, my Facebook account was disabled for violating community guidelines. Here’s the message I received:

Hi Todd,

Your Facebook account has been disabled. This is because your account, or activity on it, doesn’t follow our Community Standards.

If you think we disabled your account by mistake, we can take you through a few steps to request a review. You’ll need to complete these steps within 30 days to avoid your account being permanently disabled.

– Email from Facebook

Later – Text from my wife:

You ok hon?

What she saw from her view was a Facebook notification that I’d changed my profile photo a few minutes ago. By the time she tapped on it, my account was disabled. She thought I’d decided to quit Facebook.

Shortly before 5 AM – I woke up to see the texts and emails and knew I was at least a little screwed, but still had no idea the scope of the mess that had begun.

I followed Facebook’s procedure for essentially “clicking here” to dispute the account deactivation which requires you to take and upload a photo of a government-issued ID just to speak with someone. I did this, thinking I would reclaim the account, secure and shut down my pages, and just be done with Facebook. I found it interesting they didn’t let me enter a description or explanation of what happened, so I wasn’t able to tell anyone “I was asleep, someone is going to have to explain to me what even happened,” but I assumed that part would come later. I submitted the ID photo and waited.

They rejected my appeal at that stage about 18 minutes later.

Your Account Has Been Disabled

You can’t use Facebook because your account, or activity on it, didn’t follow our Community Standards.

We have already reviewed this decision and it can’t be reversed.

To learn more about the reasons we disable accounts visit the Community Standards.

My new Facebook login message

I reached the end of the road with Facebook that quickly. None of the help links work for a disabled account, except for the one that allows you to make an appeal which they’d just rejected. Me and Facebook were clearly through.

Then I remembered my Quest headset in the other room.

While I am not a massive presence in the VR community, I did buy a Quest 1 headset two years ago which I use to check out what’s going on in VR development, show it around to friends and family, and keep up with that part of the game industry. I even registered as an Oculus developer and made Unity development content for Patreon for a short time. I haven’t spent a fortune on my Oculus library, but I damn sure didn’t want to lose what I had because some asshole took over my account while I slept.

Too bad, I quickly discovered. I put on my Quest headset and tried to log in with my Facebook account. Just as I assumed, no go. The Quest 1 will let you back out and log in with an Oculus account which I tried, but a message let me know that since I had merged the accounts when they strongly suggested I did, I would have to use my Facebook account. My Oculus library was locked up out of reach.

You Have 30 Days to Request a Review

Hi Todd,

The Facebook account linked to your Oculus device has been suspended. This is because the Facebook account, or activity on it, doesn’t follow our Community Standards.

If you think we suspended your account by mistake, please contact Oculus Support.

Please do this within 30 days to avoid your account being permanently disabled.

If your account is permanently disabled, you will no longer be able to log into your Oculus device using that account. You will also lose access to any apps and games purchased using that account and any existing store credits.

– The Oculus Team

The problem was that they seemed to be referring to the same review process Facebook had just rejected.

By this time our son had gotten out of bed. My wife made him breakfast and we had plans to go play a couple of rounds of disc golf (my current sport obsession) and I wasn’t going to let this absolute garbage ruin his day too. At 8 AM, we headed out and started our day.

11:30 AM – Text from my wife (who works overnight and is now up too late):

Hon, did you buy something on Facebook?

I had not, but I asked her to show me. On occasion I’ve run ads on Facebook to promote CodeWritePlay (this site), GameDev Breakdown (my podcast), and Inside Video Game Creation (my book). Facebook has a system of only billing when you reach a certain threshold, so it’s not impossible that they were closing up business with my page following my ban and charged the outstanding balance. It still didn’t sound right to me, because I’d only spent $10 in recent months and I was almost certain we’d already paid it. She wisely looked it up and saw that Facebook frequently charges for ads in increments of $25 for accounts that don’t have higher thresholds, and that matched this charge. We were still out playing, but I told her to get some sleep and I would look it over immediately when I got home. I received no invoice nor charge notice from Facebook.

Upon getting back to my laptop, I exhausted every possible avenue to contact Facebook. Their phone number listed in the Payments terms and conditions hangs up on you after a short message to visit one of Facebook’s help pages. All support actions in those pages require your account to be active, or they’ll allow you to start the appeal process which, again, they’d already rejected. It’s just $25, I thought, I can wait for the invoice, verify the amount, and keep working on a way to contact them and resolve this.

4:28 PM – My account was hit for another $25.

We were far beyond any possibility of legitimate transactions. I called my bank immediately to dispute the charges. They had to cancel the card completely to ensure no further charges would go through.

Over the course of the next hour, I pieced together what happened.

What the hacker seemed to do

I want to start by pointing out I use two-factor authentication just about everywhere and Facebook is not an exception. Regardless, there’s no question my account was compromised in the night. Next, this person appeared to add themselves as the new manager of the CodeWritePlay Facebook Page. With that control in place, they uploaded something to my account, maybe a profile photo if my wife’s notification was correct, that immediately (if not automatically) resulted in my permanent lockout. I hope I never find out what it was and I hope no one saw it.

With me permanently locked out and with no access to my business Page, this person uploaded an unassuming video about a product (some camera) and started running ads for it using my payment information. With little doubt the link on the ads goes to another scam, malware, or whatever their endgame is. I reported the ad, the video, and the Page, and suggested anyone who wanted to help on Twitter go do the same. At the time of writing, the video is still up.

The fallout

People have felt the need to point out to me that “Facebook bad.” As a tech writer, a game developer, and a content creator, I’m up to speed on this. When Terraria developer Andrew Spinks was locked out of Google and briefly threatened to withhold the game from Google Stadia, my write-up about why the situation was not uncommon at all was one of the most viral takes on the situation, and I was later quoted in The National about the dangers of becoming dependent on Big Tech. The part where I’m a writer and content creator in the space also means I don’t have much choice but to be there.

This has also resulted in a fair amount of online criticism–some more sensible than others. I’ve read about why I’m a dumbass on Twitter in three different languages in the last 24 hours, and a couple of message boards are discussing how easy it is to hang on to your Facebook account by “not being a bigot.” My results varied. Thanks to the timing, no shortage of friends, family members, and even a few professional colleagues may eventually note that I disappeared. They will all probably wonder if it was something I said.

Granted, I didn’t do myself any huge favors when I published a book this year saying I understood Facebook’s position about Oculus logins and it didn’t bother me much.

Update: I’m pretty wounded now.

When I eventually went back to review the original controversy about Quest headsets requiring Facebook logins, I recalled that only the Quest 2 had the hard requirement that Oculus accounts wouldn’t work.

As I only have a Quest 1, I decided to throw myself at the mercy of Oculus support. To their credit, they reviewed the situation and agreed to “unmerge” my Oculus and Facebook accounts so I could log back into my Quest 1 headset with my original Oculus login. They had no advice on how to resolve the issue with Facebook.

We’re so glad we could help you and make this situation a little better. At this time, we don’t have advice on what to do since it is regarding Facebook. 

– Excerpt from a support email from Oculus

So my Oculus library is back, and I can use it with my rapidly aging Quest 1 headset, knowing I can never use it with a Quest 2 headset, and wouldn’t at this point if I could. There’s no reason for me to buy anything else from the company–hardware or software–and the idea of developing a product of my own for the platform is right out the window. I’ve gone from a position of caution about Oculus + Facebook to a position of “Run, don’t look back.”

From here I have no recourse but to share my experience with others, see if Facebook tries to defend the ad charge disputes, and hope they will shut down the CodeWritePlay Page before the scammer gets angry that my card can’t be charged further and puts up more objectionable content or perpetrates additional scams. Personally, I think it’s very telling that Facebook acts so swiftly to block out the original user who can stop an ad scam, and so slowly to stop a scam ad that they can still bill for. I’m extremely skeptical about the idea that they can’t identify this well-orchestrated pattern and disrupt it earlier in the process before they get to hit the user’s credit card–their current response looks extremely self-serving.

Someone asked if I’d consider taking Facebook to court. Initially my answer was, “of course not.” That was when I thought they just kicked me off of the site over a hack. They can do that for all I care. Facebook does, however, have an arbitration clause–a process that does not require a lawyer. Now I’ve identified that Facebook has banned me personally, turned my business entity over to a stranger, and seems to be refusing to act on reports about their abuse on their platform under my name. Would I kick off the arbitration process to get that shut down? I’m actively exploring the possibility.

I’m not hard to contact, and I’ll actively update this article with more as it happens.

Photo Credit: “Modded Quest SCP” by Rhys Jones is licensed under CC BY 2.0
