Here are the top 10 worst passwords of 2018
This story was updated May 16, 2019, to include a response from Facebook.
What happens when a Facebook professional page belonging to a member of Boise City Council gets hacked?
In the case of TJ Thomson, it starts with a struggle to verify a page and continues with a failure to regain access through official channels.
Thomson, who was first elected to the council in 2009, got what he described as a request from Facebook on Sunday to reverify his page. The prompt didn’t ask for a password, he said, but it did send a code to his phone. He tried to input the code, but the website told him it wasn’t valid.
By the next morning, he had lost control of his official Facebook page, “Boise City Council Member TJ Thomson.” He had been removed as an admin, which effectively stripped him of any control he had over the page or any ability to report problems with the page to Facebook itself.
Thomson said in a phone interview Friday evening that he still had access to his personal profile and did not believe it had been compromised.
A personal profile is what all Facebook account holders create. It’s used to share posts to friends, family and other people. A professional page is used for promotion or commercial purposes. It must be tied to the personal profile of its creator, but its contents are separate and always public.
Whoever took over Thomson’s page changed its name to “Boise City Council Member TJ Thomson Slemani Media.” Thomson believes the name is a reference to a city in the Kurdistan region of Iraq, but he isn’t certain.
The hacker posted for the first time as a council meeting Tuesday night was about to begin.
“I had been trying to get ahold of Facebook since Monday at that point,” Thomson said. “They don’t have a phone number, an email. All the forms you can use to contact them are designed for a personal profile, but I needed to use them for my page.”
To try to get the page back, Thomson sent a message to it asking whoever had taken it over to re-add him as an administrator on it.
The response from the page’s new administrator?
“I highly recommend you to create a new page because I see that you did not help your supporters enough.”
The page since appears to have been taken down. Thomson worries about what could happen if it went live again. Posts made from it could look like legitimate news and announcements to anyone not paying close attention, he worried.
Whether new posts from the page “are pornography or terrorist-related, I don’t want to see that stuff out there,” Thomson said.
The last time Thomson saw the page, it still had a photo of him in the Boise City Council chambers and otherwise looked almost the same as before aside from the name change.
Facebook pages run by other Boise City Council members, including Lisa Sánchez and Holli Woodings, do not appear to have any atypical activity.
After getting no useful responses from Facebook, Thomson contacted the Boise Police Department to report identity fraud. The department was unable to help. Because the page is a personal one, not a city one, the city attorney told him the office couldn’t do anything even if it represents him in his official role.
Thomson said he has lost faith in Facebook. He once considered the platform an important way to reach out to and communicate with constituents. Now, he doesn’t plan to use professional pages any longer even if he is able to regain control of his original one.
“I’m throwing my complaints into the void,” Thomson said.
Facebook’s press team did not immediately respond to a Statesman email on May 10 requesting comment on how Thomson might be able to regain control of his page or what sort of systems exist to stop such hackings. The spokesperson for the company responded May 16, telling the Statesman that the company “reached out to the councilman to help him resolve this issue” and encouraged others who had been hacked to use this form on the site.
Facebook offers tips to users on how to keep accounts secure, but even the smartest people can fall for scams designed to collect personal information and gain access to accounts.
Tech publication Wired recommends locking down your account in several different ways to ensure your internet security. That can include weeding out your friends list and checking on what apps have access to your account. Such fixes are proactive instead of reactive, however, and they can’t help Thomson regain access to his page.
“It’s completely hijacked,” he said. “I mostly just fear someone now using it for harm.”