What to do when your Facebook account is “hacked”

I still use Facebook. About twice a month one of my friends posts “My Facebook account got HACKED! I changed my password but they’re still sending friend requests to my friends! What do I do?”

Or something similar.

Rather than re-typing the same basic instructions to people again and again I decided I’d put these handy instructions into a blog post and after this I can just send people this link. Saves me a lot of typing.

First off, if you can log into your account and change your password then you still have control over your account. If you go check your profile and all of the recent messages were posted by you, then no one else is accessing your account either.

If someone is sending friend requests to your existing friends, guess what? They’re not logging into your account to do that. You already have these people as friends, and you can’t send a friend request to someone who is already your friend.

So your account wasn’t “Hacked”. No eViL haX0r took over your account. Your account was “Cloned.”

Cloning is easy to do. This is what cloners do:

  • First they look for someone who has the privacy on their “Friends List” set to “public”. Someone like you.
  • They write down your name, then right-click and download your public profile picture. (Profile pictures are always public.)
  • They create a new account using your name and profile picture.
  • They use your public friend list and start sending friend requests to your friends.
  • After a few days, posing as you, they start hitting up your friends for money or trying other scams on them. “Help me! I’m stranded in [foreign country] and I need money for a [plane ticket/hotel/bail].”

This is what you need to do to fix the problem:

  1. Set the privacy on your “Friends List” to “Private”. Now this won’t happen to you again. (probably)
  2. Tell your friends to report the imposter to Facebook. Facebook employees will disable the imposter’s account.

Pretty easy, huh? Here are some detailed instructions.

Set the privacy on your “Friends List” to “Private”

This is what you need to do to make your “Friends List” private. These screenshots were taken from an iPhone, but the same steps apply on a laptop or Android device.

Step 1: Click the Menu button in the lower right-hand corner

Step 2: Click on the Gear icon in the upper right corner

Step 3: Scroll down to “Audience and visibility” and click “How people find and contact you”

Step 4: Click “Who can see your friends list?”

Step 5: Click “Only me”

Now the imposters can’t see your friends list and won’t have a reason to clone your account.

Now you just have to…

Tell your friends to report the imposter to Facebook

This is what your friends need to do. (Send them a link to this article if you think that will help them.)

Step 1: Find the imposter’s friend request and click the 3 dots

Step 2: Report the Imposter

Step 3: They’re pretending to be someone!

Step 4: They’re pretending to be a friend of mine!

Step 5: Enter your friend’s name here, select their name from the pop-up list, then click Next

Step 6: You’re done. Click Next to resume wasting time on Facebook

When I’ve reported imposters they’re usually gone within hours.

Hope you find this useful.


Peerio promises privacy for everyone

A new company called Peerio is promising secure, easy messaging and file sharing for everyone. They’re building apps that encrypt everything you send or share, making the code for these apps open source, and paying for security audits to peer-review the source code, looking for security weaknesses.

They’ve put together a short video to explain the basics of what they offer. I thought I’d give it a try and see how it works.

I went to using the Chrome browser, so the home page automatically offered to install Peerio on Chrome.

I clicked the install button and Peerio popped up as a new Chrome app.


Clicking the app brought up the new account screen, with the word “beta” displayed in small type just under the company logo, so they’re letting me know up front that this is going to be a little rough.


I clicked Sign Up, added a user name and email address, and was prompted for a pass phrase.

I have a couple of pass phrases I use. I typed one in, but apparently it wasn’t long enough. I tried another and another. Not long enough. The words “ALMOST THERE. JUST A FEW MORE LETTERS…” appeared on screen. One phrase I typed in had 40+ letters in it, but still the words “ALMOST THERE. JUST A FEW MORE LETTERS…” persisted. Tried again, this time putting spaces between the words. Phrase accepted! Maybe the check is trying to verify the number of space-separated words, not the total number of characters? Anyhow, got past that hurdle.

Next it sends you an email with a confirmation code and gives you 10 minutes (with a second by second countdown) to enter the confirmation code. I guess if you don’t enter it within 10 minutes your account is toast?

Once past that step I was prompted to create a shorter PIN code that can be used to log in to the site. The long pass phrase is only needed to log in the first time you use a new device; after that your PIN can be used. I tried entering a few short number sequences. All were rejected as “too weak”, so I used a strong, unique password with a mix of upper and lowercase letters, numbers, and special characters. The screen hid what I was typing and only asked for the PIN once, so if I thumb-fingered it, my account was going to be rendered useless pretty quickly. Hopefully I typed what I thought I typed.


Of course to use the service to send messages to people you have to load your contacts in. I added a friend’s email and Peerio sent him an invite. Tried adding another email address and the “Add Contact” form cut me off at the “.c” in “.com” — looks like the folks at Peerio only let you have friends with email addresses that are less than 16 characters long. My friends at, you’re out of luck.


The Contacts tab has sub-tabs for “All Contacts”, “Confirmed Contacts”, and “Pending Contacts”, but the one email address I entered that was less than 16 characters long didn’t show up anywhere (I expected to see it under “Pending Contacts”). With my entries disappearing or truncated, I stopped trying to use the system.

It’s an interesting idea for a service. The source code for the clients is supposed to be available on Github, but the site directed me to for the source, and that link is 404. Searching Github for “Peerio” shows and, so it looks like this is just a case of a BETA web site with a broken link.

Before the developers pay for another security audit, they really ought to try doing some basic usability testing — set up a new user in front of a laptop, and make two videos — one of the keyboard and screen and one of the user’s face, and then watch them try to log in and set up an account. I think they’d find the experience invaluable.

Anyhow, if you’re interested and feel like trying out their very BETA (feels like ALPHA) release, head over to and sign up. If you want to send me a message, you can reach me on Peerio as “earl”.