How a well-informed tech reporter ended up getting his Facebook account hacked

Peter Griffin

Paul Russell had his Facebook personal and business pages hacked and could get no response from the tech giant. Photo / Supplied

It was a sunny morning in early March when Lily Collins entered my life. After waking up, I reached for my smartphone and scrolled through the Stuff and NZ Herald websites. Then I tapped on the Facebook app to see what friends around the world had been up to overnight.

But I wasn’t able to log in and, alarmingly, I wasn’t Peter Griffin on Facebook any more, I was Lily Collins. The British-American actor is the star of Netflix show Emily in Paris. But I’d never heard of her and, more importantly, why was she now in charge of my 15-year-old Facebook account?

The answer to that question sent me, along with thousands of people around the world, into an endless loop of automated forms and digital dead-ends that revealed a cold reality about the world’s largest social network. Despite having more than 60,000 staff, there’s often no one to talk to when you need technical help the most.

Those of us caught up in the particularly pernicious Lily Collins hack found our accounts hijacked, our passwords changed. In a bid to limit the damage, which could include posting extremist content to our newsfeeds, making unauthorised purchases using credit cards tied to our accounts and messaging our friends with links to malware, Facebook’s automated systems disabled our accounts.

That sounds temporary, reversible. But, to my horror, I found the decision was actually final and no appeal could be lodged, no identification documents presented to prove who I was. There was no email address to write to customer service, no chatbot to spit out annoyingly obtuse answers, no recourse whatsoever.

Internet forums are full of Lily Collins victims. To be clear, the actor has no involvement in the hacking, but obviously left an impression on whoever was behind the keyboard masterminding the attack.

Flagged as malware

How did this happen? How did a tech reporter, who in these very pages has preached the importance of password security, end up getting hacked? The issue actually begins and ends on Facebook. Scrolling my newsfeed a few days before my account was hacked, I came across an advert for a ChatGPT web browser plug-in.

The artificial intelligence bot had taken the world by storm, but at that stage, you still had to visit the OpenAI website to ask ChatGPT questions. Now, using this piece of software, I’d be able to do it from within the Chrome web browser. I clicked on the advert, which took me to Google’s Chrome web store, where I downloaded the plug-in.

To my disappointment, it didn’t work. A day later, Google flagged the plug-in as malware and disabled it, so I deleted it from my web browser. But in the intervening 24 hours, the malware was apparently used to steal the “cookies” in my browser. These are the digital breadcrumbs that follow us around the web, containing our all-important account usernames and passwords.

I had two-factor authentication active on my Facebook account, so should have been sent a code via text message to my phone to approve logging in from a new device. But, according to cybersecurity analysts’ reviews of the Lily Collins hack, the Facebook browser cookies were able to be mirrored on the hacker’s computer and made to appear as though a Facebook log-in was coming from one of my registered devices.