(Update UTC 2100: I’ve received a reply from Erik Hjort af Ornäs, the registrar of the site itself, and have included his statement below and in the comments, as well as that of Facebook. Both deny any hacking took place.)
A hacker, or group of hackers, has found a back door into taking over Facebook groups, and is now doing so, claiming it to be a public service. It has taken over up to 300 different Facebook groups so far.
This is an example of one:
On each of them the group name is changed to Control Your Info, the group logo is changed and its description is altered to:
Hello, we hereby announce that we have officially hijacked your Facebook group.
This means we control a certain part of the information about you on Facebook. If we wanted we could make you appear in a bad way which could damage your image severely.
For example we could rename your group and call it something very inappropriate and nasty, like “I support pedophile’s rights”. But have no fear – we won’t. We just renamed it Control Your Info. Because this is really all we want:
Think about the safety in your social media life to the same extent you do in your real life.
Watch the videoclip for more information or check out www.controlyour.info for more tips soon!
We promise to restore your group name and leave the group by the end of next week. Don’t worry – we won’t mess anything up.
A message is then sent to all members of that group.
The method is explained on the hackers’ website:
Facebook Groups suffer from a major flaw. If an administrator of a group leaves, anyone can register as a new admin. So, in order to take control of a Facebook group, all you really have to do is a quick search on Google.
When you’re admin of a group, you can basically do anything you want with it. You can change its name, and the group’s members won’t even get a notification of it. You can send mails to all members and edit info. This is just one example that really shows the vulnerabilities of social media. If you choose to express yourself on the internet, make sure the expressions are your own and not a spammer’s. This isn’t some kind of scare tactics, nor is it a hack, it’s a feature that can be used, and is being used, in bad ways. Remember, control your info! Also, this project is strictly not for profit and done for a good cause.
It’s not clear to me how they search on Google for recently departed admins, but I’m sure it’s relatively easy.
Neither is it clear who is behind the website itself. The site is registered to one Erik Hjort af Ornas of Stockholm.
I’m emailing him to seek more information. Here is his statement:
Our main goal is to draw attention to questions concerning online privacy awareness.
We have seen too many examples where friends and relatives of ours have suffered from their lack of in-depth knowledge concerning their online presence. After some research we discovered this is a widespread problem. People have even lost their jobs over Facebook content. So we wanted to do something about this.
Our method of choice only serves the purpose to prove our point and put emphasis on how easy it is to lose track of a part of your online presence. If we wouldn’t have communicated this way, our message would probably have fallen into oblivion the moment it got out.
So, what exactly did we do and how?
We discovered that many groups on Facebook are left without an administrator. All we needed to find these groups was one quick Google search. The search results also revealed many groups that already had been hijacked by various people. Their intentions remain unclear.
So we simply joined 289 open groups and made ourselves administrators. We did not hack anything. Once we were administrators we owned the groups and could have changed any setting. We chose to change the picture, the name and the description of every group. Our intention was and is to restore these groups to their original form and find a suitable admin among the members. To be able to do this, we first backed up all the data we wanted to replace.
During the process we broke the terms of service, as defined in the Statement of Rights and Responsibilities of Facebook, and were rightfully banned:
§ 4.1 “You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission”.
We created fictive accounts for one reason: we wanted to put focus on our message rather than our persons. It also eased the process of joining and administrating this large number of groups.
Facebook is apparently not aware of this bug in their software. In response to an emailed query, Facebook says there is no bug in their software, that no hacking took place and, apparently, that there was no mass takeover of groups. According to a spokesperson:
There has been no hacking and there is no confidential information at risk. The groups in question have been abandoned by their previous owners, which means any group member has the option to make themselves an administrator in order to continue communication to the group. Group administrators have no access to confidential information and group members can leave a group at any time. For small groups, administrators can simply edit a group name or info, moderate discussion, and message group members. The names of large groups cannot be changed nor can anyone message all members. In the rare instances when we find that a group has been changed inappropriately, we will disable the group, which is the action we plan for these groups.
My comment on this: 300-odd Facebook accounts hacked—or usurped, or hijacked, or whatever you want to call it—is not a ‘rare instance’. What’s more, the groups I checked were very much still active. I frankly don’t find the Facebook response particularly helpful or reassuring.
It’s hard to see how this public service helps—the group, or individual, should be approaching Facebook and helping them plug the hole. This tactic is likely to sow confusion and fear among the Facebook populace, and possibly lead to the erasure of some treasured data on those defaced groups.
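The takeover pattern described in the statements above (an account claims admin of a group that has no administrator, then renames it, repeated across many groups under one new name) is something a platform can look for in its own audit trail. The following is an added example, not code from the original post, the Control Your Info site or Facebook; the event schema, action names, sample events and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events: (timestamp, account, group_id, action, detail).
# Schema and action names are assumptions, not any real platform's log format.
EVENTS = [
    ("2024-01-01T10:00:00", "acct_a", "g1", "claim_admin", "no_admin_present"),
    ("2024-01-01T10:02:00", "acct_a", "g1", "rename", "Control Your Info"),
    ("2024-01-01T10:05:00", "acct_a", "g2", "claim_admin", "no_admin_present"),
    ("2024-01-01T10:06:00", "acct_a", "g2", "rename", "Control Your Info"),
    # A second account doing the same thing; the name differs only in case/spacing.
    ("2024-01-01T10:07:00", "acct_b", "g3", "claim_admin", "no_admin_present"),
    ("2024-01-01T10:09:00", "acct_b", "g3", "rename", "control your info "),
    # Ordinary succession: one member adopts one abandoned group.
    ("2024-01-01T11:00:00", "member_c", "g4", "claim_admin", "no_admin_present"),
    ("2024-01-01T11:30:00", "member_c", "g4", "rename", "Book Club"),
    # Existing admin renames a group; no orphan claim precedes it.
    ("2024-01-02T09:00:00", "admin_d", "g5", "rename", "Control Your Info"),
]


def find_mass_takeovers(events, min_groups=3, window=timedelta(hours=1)):
    """Return {normalized new name: sorted group ids} for names applied to at
    least `min_groups` groups, each renamed within `window` of the renaming
    account claiming admin of that group while it had no administrator."""
    claims = {}               # (account, group) -> time of the orphan admin claim
    hits = defaultdict(set)   # normalized new name -> groups renamed after a claim
    for ts, account, group, action, detail in sorted(events):
        when = datetime.fromisoformat(ts)
        if action == "claim_admin" and detail == "no_admin_present":
            claims[(account, group)] = when
        elif action == "rename":
            claimed = claims.get((account, group))
            if claimed is not None and when - claimed <= window:
                # Key on the new name, not the account, so a campaign spread
                # over several throwaway accounts still clusters together.
                hits[detail.strip().lower()].add(group)
    return {name: sorted(groups)
            for name, groups in hits.items() if len(groups) >= min_groups}


if __name__ == "__main__":
    for name, groups in find_mass_takeovers(EVENTS).items():
        print(f"possible mass takeover: {len(groups)} groups renamed to {name!r}: {groups}")
```

Clustering on the new group name rather than on the account matters here because, per the statement above, the campaign used several fictive accounts.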