I have been hacked on Facebook multiple times today alone. What do I do?
My Facebook account has had its password changed four times today, and I'm wondering what to do.
The first time, was at 5:02pm. I received an email saying that my password had been changed. I recently moved to Canada (from Australia), but the email informed me that someone from Perth, Australia had changed my password. At 5:08pm, I had changed my password again; nothing particularly secure, but I added five symbols and numbers to the end of my previous password. I figured that putting up some small roadblock might make them stop targeting me. I got facebook to log me out of every device, and checked my recent activity, and confirmed they hadn't managed to do any other damage.
The second time was 5:35pm. Now the login came from Sydney, Australia (all the way across the country). I responded at 5:43pm. Again, I logged out of every device, made sure they had done no damage. This time I enabled 2-factor authentication, sending messages to my mobile phone. This is a step I have been reluctant to do for a very long time, for a number of reasons. I gave Facebook my brand new Canadian mobile phone number, and it did start sending me codes when I logged in again. I also chose a very long password; it was a sentence, but not a short sentence, and one that nobody would think to utter except me (including one word that is not a word). For good measure, I also enabled two-factor authentication on my device for my primary email, which is with gmail, in case it was being hacked (though Google usually informs me of unusual sign in activity).
The third time was 9:56pm back in Perth. Notably, I never received a text message from Facebook about the sign-in. I did receive a "Facebook account recovery code" to my email, but nothing to my phone. But, I did press the "If you didn't request a new password, let us know" link in this new email, at which point they locked the account.
The fourth time was 10:18pm. Again, an account recovery code was sent at the time. I don't know how they managed it, to be honest, because I'm pretty sure I couldn't log in at that stage.
So, I have some questions, and I'd be very grateful of anyone can help me out.
- How is this possible? I thought two-factor authentication and signing out of all devices would be a silver bullet. How could they log into Facebook without my phone receiving a text?
- Is it common for someone to be targeted like this? Why would they try four times in one day to break into my account? Or is the Sydney one a separate person, in which case, why would there be two people trying to lock me out of my own account?
- What do you think they could have access to? Specifically, what devices/accounts must they have access to in order to pull off something like this?
- Do I need to worry about them accessing my now locked Facebook account? I'd like to get some sleep soon, as I need to be up in 8 hours.
- Are my devices compromised? Having both my laptop and phone compromised is the only way I can wrap my head around this. Is there any other plausible explanation, before I nuke both of them?
- Basically, what can/should I do?
