Meta employees suspected of selling Facebook account information to hackers

Meta allegedly fired at least several dozen employees who used an internal-use tool to clandestinely access Facebook accounts, selling non-public information and even login details for accounts requested by hackers. Some of those disciplined were subcontractors selected by Meta to outsource the processing of requests for login issues.

The operation to smuggle user data was made possible by “Oops” (Online Operations), a tool developed by Meta that allows passwordless access to any Instagram or Facebook account. Officially, the tool can only be accessed by employees and contributors who are handling requests to recover locked accounts, where users are unable to get their passwords reset by other means.

Specifically, users who for various reasons can no longer log into their Facebook account (e.g. have forgotten their password, have lost access to the device used for two-step authentication, or have been locked out after a hacking attempt has been detected) have as a fallback solution to send a request to Facebook to restore access. But instead of discreetly verifying the information provided by users in order to prove ownership of the account, Meta collaborators would collect and sell the data, sometimes to the very hacker who caused the account to be blocked.

According to the investigations, in the absence of strict control over how this tool was used, some of the Meta officials ended up using the privileges they had obtained at their discretion, making significant gains by selling the clandestinely accessed information. In addition to hackers interested in exploiting sensitive data bought from Meta collaborators, the list of “beneficiaries” could also include companies or businesses interested in obtaining information or hijacking rivals’ Facebook pages.