March 5, 2024
SENT VIA EMAIL AND FIRST CLASS MAIL
Jennifer Newstead
Chief Legal Officer
Meta Platforms, Inc.
1 Hacker Way
Menlo Park, CA 94025
Re: Meta Account Takeovers and Lockouts
Dear Ms. Newstead:
We, the undersigned attorneys general (the “State AGs”), write to
request immediate action to address the dramatic increase in user account
takeovers and lockouts on Facebook and Instagram. Our offices have
experienced a dramatic and persistent spike in complaints in recent years
concerning account takeovers that is not only alarming for our constituents
but also a substantial drain on our office resources.
In an account takeover, threat actors compromise Facebook and
Instagram user accounts and change passwords so that the rightful owner
cannot access the account. Once threat actors gain access, they can usurp
personal information, read private messages, scam contacts, post publicly,
and take other nefarious actions.
Consumers are reporting their utter panic when they first realize
they have been effectively locked out of their accounts. Users spend years
building their personal and professional lives on your platforms, posting
intimate thoughts, and sharing personal details, locations, and photos of
family and friends. To have it taken away from them through no fault of
their own can be traumatizing. Connections that they made and friendships
that they forged become threatened.
Even more alarming, there is a significant risk of financial harm to
both the affected user and other individuals on the platform. Many use
Facebook as a hub for their businesses or to engage in consumer
transactions through Facebook Marketplace; some users even have credit
cards tied to their accounts. We have received a number of complaints of
threat actors fraudulently charging thousands of dollars to stored credit cards. Furthermore, we
have received reports of threat actors buying advertisements to run on Meta. In some cases, the
ads violate your terms leading to user accounts getting banned. Finally, there are reports of threat
actors posing as trusted friends and offering products for sale, or posing as a friend in need,
seeking money from their “friends.”
Below are some examples of complaints showing a user’s frustration at their situation as
they were locked out of their accounts and Meta’s failure to provide help:
“I received a message on LinkedIn from someone that it seemed like my
Facebook account had been hacked. I tried to log-in and recover my
password however I noticed they changed the email on my account and my
phone number is no longer associated with my account. I have attempted to
contact Facebook but there is no customer support and the methods online
are all dead-ends as my account has also been disabled due to whatever
nonsense the hacker was posting.”
“My personal Facebook Account and business pages were hacked in April
2023. The hacker ran inappropriate ads and got the account suspended.
$500 was charged to my business bank account. The account was closed
and the funds were returned. However, communication with my customers
online has been completely disrupted. I have used the Facebook online
support system which requests my ID and a completed form. No one has
contacted me after filling this out.”
“On April 10, 2022, my Facebook account for 15 years was permanently
disabled. I made several attempts over the past 2 years to contact
Facebook to get my account reinstated by sending in letters making phone
calls and filing numerous appeal forms with zero responses from the
company. There are precious, irreplaceable memories I would like access
to with the reinstatement of my account.”
“My Facebook account and my email account were hacked and taken over.
The person changed the email on my Facebook account and deleted my
phone number. They have since, changed the profile picture and have been
posting under my name. I have reported this to Facebook in every way
possible and many of my friends have reported it as a fake account.
Nothing has been done by Facebook and they claim it doesn't go against
their community standards. Facebook needs to get this account back under
my control or take it down. It's basically a case of identity theft and
Facebook is doing nothing about it.”
“My Facebook account has been hacked. I can't get any help from Meta.
There is no one to talk to and meanwhile all my personal pictures are being
used. My contacts are receiving false information from the hacker. The
hacker has changed the phone and email on my account so I can't recover
my account. A few of my friends have notified me of misinformation being
spread on my account by the individual is using my name and likeness.”
“My Instagram business account was blocked…. This is my business
account, which is important to me and my life. I have invested my life, time,
money and soul in this account. All attempts to contact and get a response
from the Meta company, including Instagram and Facebook, were crowned
with complete failure, since the company categorically does not respond to
letters. There is also no answer to the forms provided in their help center.”
The Problem Keeps Getting Worse
Account takeovers are not a new phenomenon. This issue affects all social media platforms
and other online accounts as well. However, the frequency and persistence of account takeovers
on Meta-owned platforms puts it in a league of its own.
For example, in 2019, the New York Attorney General’s office received a total of 73 account
takeover complaints on Meta platforms. That number rose more than tenfold to 783 complaints
by the end of 2023. In January 2024 alone, the office received 128 complaints.
Other states are experiencing similar trends:
Vermont: 740% increase from 2022 to 2023
North Carolina: 330% increase from 2022 to 2023
Illinois: 256% increase from 2022 to 2023
Pennsylvania: 270% increase from 2022 to 2023
Such statistics are extremely troubling. The substantial increase in complaints tells us that
threat actors are winning the war and running rampant on Meta. While we may not be
completely certain of any connection, we note that the increase in complaints occurred around
the same time Meta announced a massive layoff of around 11,000 employees in November 2022,
which reportedly focused on the “security and privacy and integrity sector.” [1]
Meta Needs to Take Immediate Action
With this letter, we request Meta take immediate action and substantially increase its
investment in account takeover mitigation tactics, as well as responding to users whose accounts
were taken over. This is crucial not just to protect your users, but to reduce the unnecessary
resource burden being placed on our offices to handle these large numbers of user complaints.
We refuse to operate as the customer service representatives of your company. Proper
investment in response and mitigation is mandatory.
[1] https://www.cnn.com/2022/11/09/tech/meta-facebook-layoffs/index.html
We would also like to discuss these issues and concerns with you at your earliest
convenience. Additionally, we would like materials related to: the number of account takeovers
over the past five years; suspected causes of the increase in account takeovers; safeguards
currently in place to prevent account takeovers; current policies and procedures related to Meta’s
response to account takeovers; and staffing related to safeguarding the platforms against account
takeovers as well as responding to complaints.
Sincerely,
Ashley Moody
Florida Attorney General
Kwame Raoul
Illinois Attorney General
Letitia James
New York Attorney General
Jonathan Skrmetti
Tennessee Attorney General
Steve Marshall
Alabama Attorney General
Treg R. Taylor
Alaska Attorney General
Kris Mayes
Arizona Attorney General
Rob Bonta
California Attorney General
Phil Weiser
Colorado Attorney General
William Tong
Connecticut Attorney General
Kathleen Jennings
Delaware Attorney General
Brian Schwalb
District of Columbia Attorney General
Christopher M. Carr
Georgia Attorney General
Anne E. Lopez
Hawaii Attorney General
Brenna Bird
Iowa Attorney General
Russell Coleman
Kentucky Attorney General
Liz Murrill
Louisiana Attorney General
Anthony G. Brown
Maryland Attorney General
Andrea Joy Campbell
Massachusetts Attorney General
Dana Nessel
Michigan Attorney General
Keith Ellison
Minnesota Attorney General
Mike Hilgers
Nebraska Attorney General
Aaron D. Ford
Nevada Attorney General
John M. Formella
New Hampshire Attorney General
Matthew J. Platkin
New Jersey Attorney General
Raúl Torrez
New Mexico Attorney General
Josh Stein
North Carolina Attorney General
Dave Yost
Ohio Attorney General
Gentner Drummond
Oklahoma Attorney General
Ellen F. Rosenblum
Oregon Attorney General
Michelle Henry
Pennsylvania Attorney General
Peter F. Neronha
Rhode Island Attorney General
Alan Wilson
South Carolina Attorney General
Marty Jackley
South Dakota Attorney General
Sean D. Reyes
Utah Attorney General
Charity Clark
Vermont Attorney General
Jason S. Miyares
Virginia Attorney General
Robert W. Ferguson
Washington Attorney General
Patrick Morrisey
West Virginia Attorney General
Joshua L. Kaul
Wisconsin Attorney General
Bridget Hill
Wyoming Attorney General