A hot potato: Meta employees and contractors have had access to an internal system for recovering user accounts for a while now. The deployment of this tool grew dramatically over the last few years, giving even more users permissions. Now, the company appears to be cracking down on access. One reason may be misuse within Facebook's own customer service.

The Wall Street Journal reports that anonymous sources claim Meta has fired or disciplined over two dozen employees and contractors for improperly taking over user accounts over the last year. In some instances, hackers bribed people with account access.

When most people think of account stealing, they likely imagine hackers using tactics like phishing, malware, and social engineering. However, another method involves bribing employees or contractors to hijack targeted accounts.

Some incidents involved employees or contractors, including security guards, helping friends or family members recover their Facebook or Instagram accounts after Meta's customer service proved unhelpful. Furthermore, some individuals retained direct or indirect access to Meta's internal tools after leaving the company, which they used to reach user accounts.

In one example, a security contractor whom Meta fired in 2021 allegedly helped others hijack Instagram accounts after he departed the company. The ex-contractor claims he only helped recover about 20 friends and family members regain access to their locked profiles. Meta banned him from Facebook and Instagram and pressed charges against him for violating the federal Computer Fraud and Abuse Act.

Intermediaries have also taken money from customers to help hijack or recover accounts using connections to staff, which is against Meta's terms of service. An Orange County model paid a middleman $7,000 to retrieve her Instagram account and its 650,000 followers.

At the heart of the issue is a Meta tool called Online Operations (ironically abbreviated to Oops). Oops is supposed to be a last-resort account recovery mechanism and is not meant for Facebook and Instagram accounts. Meta is only supposed to use Oops to help public figures, celebrities, business partners, or friends and family of employees.

Employees file an Oops report by entering an email address associated with the reset account, then identifying the account holder in question. The system then passes the request on to Meta's support team, which handles it case by case.

The usage of Oops has ballooned with the growth of Meta's workforce. Between 2017 and 2020, the number of Oops tasks more than doubled, from 22,000 to 50,270. Meta appears to be reeling in the situation if the sources are correct.