It all started with an innocuous message from Facebook that someone close to Melbourne pilot Jake Barden’s home had tried to log in to his account.
It was close enough to where he lived to dismiss it, he said.
“The notification said it was from somewhere in Melbourne and I live in Richmond, so I just assumed it was one of my devices reconnecting to Apple or something like that,” Mr Barden said.
From there, however, things fell apart – and quickly.
Another notification popped up, saying he had accepted a friend request from somebody he didn’t recognise.
Concerned, Mr Barden jumped on to Facebook to change his password. Then things got even more strange.
“I was literally changing my password when I noticed that my profile picture had been changed to an ISIS flag,” he said.
“It was quite creepy. I was starting to get worried but I thought it has to be a hack, someone is hacking in to my account.”
Almost immediately after the ISIS flag appeared, Mr Barden’s account was taken down by Facebook for violating community standards.
“It disappeared completely, and so did my Instagram account, which is linked,” he said.
From there, the hackers turned their attention to their real target – the Facebook account of the aviation business where Mr Barden works.
“I received an email, on my work email address, saying that all of our company administrators had been removed by me,” Mr Barden said.
“So I was getting all these emails from my colleagues saying, ‘What the hell is going on?'”
From start to finish, it took the hackers just an hour to get Mr Barden’s personal Facebook and Instagram pages disabled, then gain control of his work’s Facebook account.
Mr Barden said he later got an email notifying him that the hackers had bought $320 worth of ads with his work’s Facebook account.
“We got receipts and they were ads for an Asian clothing company, it was really bizarre,” Mr Barden said.
Mr Barden said he was frustrated that Facebook, which also owns Instagram, appeared to have done nothing to address the well-known security concerns in the past 10 months.
“I posted about what happened on Twitter and hundreds of people have been contacting me about it, saying they’ve had the exact same problem. Some people have been locked out of their accounts for nearly nine weeks,” he said.
Mr Barden said he had tried to contact Facebook through its customer service channels with no success.
“Our business is now suffering, in difficult times already and Facebook aren’t helping at all. They need to be held accountable for data breaches,” he said.
After nine.com.au contacted Facebook, Mr Barden was able to regain access to his Instagram account, and a spokesperson said the tech giant was working to help him regain access to his other accounts.
“We work hard to protect our community from hackers, fake accounts and other inauthentic behaviour. When we become aware of any account security breach, we work to secure the account and restore safe access to the verified account holder,” a Facebook spokesperson said.
Technology and cyber-security expert Trevor Long previously told nine.com.au that hackers often targeted businesses on Facebook that had used ads in the past.
“They know (they have) a valid payment mechanism set up on Facebook,” he said.
“It means that they can get in and then use their money to buy ads to promote their own business or group.”
Mr Long said people conducting businesses online needed to be particularly vigilant with online security.
The best way to protect social media accounts was by turning on two-factor authentication, which sends a message to the account holder’s mobile for verification every time before they can log in, Mr Long said.
“If you don’t have the two-factor authentication set up, you are vulnerable,” he said.
“I would encourage anyone with a social media account, especially people who have a business that relies on Facebook or Instagram or Twitter, to make sure that both their primary and all other contacts have two-factor authentication.”
Contact reporter Emily McPherson at firstname.lastname@example.org.