The Arrogance of Mark Zuckerberg
Meta refuses to address a security flaw affecting upwards of 250,000 Facebook users
Meta has kept secret a disturbing flaw in its systems by which cybercriminals exploit Instagram accounts for illegal activities, including running up charges on stolen credit cards and selling nonexistent products. The criminals exploit a weakness in Meta security by creating and linking fraudulent Instagram accounts to randomly selected legitimate Facebook profiles. This enables the hackers to mostly bypass Meta’s commerce eligibility criteria, the supposed safeguard before verifying an account for sales activities. The hackers then abuse their new accounts until Meta detects the fraud and shuts them down. However, by that time, the legitimate Facebook profiles linked to these hacked Instagram accounts are suspended or deleted in error.
The result is that tens of thousands of Facebook users have unjustly had their accounts permanently deleted.
What has been Meta’s response to this security issue?
It has refused to address it.
How do I know all this? I came to this story by a bit of personal serendipity. My wife, Trisha, had thousands of friends and colleagues on her Facebook profile that she created in July 2007. This past June 13, Trisha got the notice (in the image at the top of this article) that her Facebook account was suspended “because your Instagram account lijaaketer533 doesn’t follow our rules. You have 180 days left to appeal. Log into your linked Instagram account to appeal our decision. Log into your Instagram account.”
That was the first time Trisha had ever heard of an Instagram account with the username lijaakter533. She has her own Instagram accounts, a personal one under her own name, and another for our nonprofit, Antisemitism Watch. Both of those accounts were still operating.
It was only when Trisha tried correcting her Facebook suspension that she immediately discovered that Meta had created a classic “Catch 22” that made it impossible to fix. Meta’s online help sends users in an endless circle of dead ends. And in this case, it only allowed an appeal to be made by the Instagram account that had violated its rules. However, since that Instagram account was created by some unknown cybercriminal, it was impossible for Trisha to access it to appeal her account suspension. Only the hacker knew that account's username and password.
No matter what Trisha tried, Meta showed no interest in even acknowledging the problem, much less correcting it. Meta ignored every entreaty for a workaround. After she signed up for Meta Verified on her personal Instagram account, chat representatives promised to investigate, but Trisha never heard back. She paid for Meta Pro Team support, which also proved to be useless. Frustrated at Meta’s total stonewalling and unresponsiveness, Trisha filed a formal consumer complaint with the California Attorney General’s office.
By this point, I got involved to determine whether Trisha’s experience was an isolated incident or part of a larger Meta problem. What I discovered was startling.
I first came across FBDisabledMe, a subreddit with nearly 20,000 members, many of whom had experienced the same problem: their Facebook accounts were first suspended and then ultimately deleted after hackers linked fraudulent Instagram accounts to their profiles. As with Trisha, those users had no way to appeal because only the hacker knew how to access the compromised Instagram account.
After discovering FBDisabledMe, I reached out to others who would have more information. They included litigators who had fought Meta on other matters and had masses of discovery from the company, as well as whistleblowers who had testified publicly about problems inside the company. Eventually, I was put in touch with a veteran software engineer who had personal knowledge of the problem that Trisha had stumbled into.
According to that engineer, the 20,000 users on FBDisabledMe represented just a fraction of those affected. The real number of Facebook users who had fallen victim to the scam could be as high as 250,000. Meta’s security logs indicated that many of the affected Instagram accounts were linked to IP addresses from countries like Romania, Latvia, Belarus, and Moldova.
Has Meta shared this information with Interpol or other law enforcement agencies? It is unclear since Meta refuses any public comment.
Over the past week, I reached out several times to Meta’s press office for an official statement but received no response.
Meta faces daily cybersecurity challenges. While it spends a lot of money on security, digital crooks are constantly probing to find weaknesses. It is troubling that Facebook will not acknowledge that this easily exploited vulnerability is leaving a trail of innocent victims who lose their accounts forever.
In 2019, the FTC imposed a historic $5 billion penalty on Facebook (now Meta) and ordered the company to implement sweeping privacy requirements designed to boost transparency and accountability.
What makes this issue even more egregious is Mark Zuckerberg’s apparent indifference. With over three billion users, he likely views the loss of 250,000 accounts as a minor inconvenience. Users who lose their accounts might simply create new ones, while others vent their frustrations on a subreddit that gets little attention from the tech or business press.
There’s also the matter of Meta’s dismal approach to customer service. Last month, a woman named Tova Ridgway, in Northern California, was so desperate to regain access to her hacked Facebook account that she drove to Meta’s headquarters.
“They're like, ‘I'm sorry, I can't do anything about this,’” she told a local ABC affiliate.
“Are you telling me you don't have anyone working for hacked pages?”
“This happens every day,” a Facebook representative told her. “No, I'm sorry, there isn't.”
Ridgway found a solution through Meta Verified, a $15 a month subscription, something that did not work for Trisha. While that might work for some, it is an unjustified cost for users whose accounts were compromised due to Meta’s security flaws. Zuckerberg himself said in a blog post it would be too expensive for the company to recover and restore all hacked accounts. For a company that reported $39 billion in net profit last year, that justification rings hollow.
Meta could and should be doing more to protect its users. The simplest solution for Trisha is restoring her Facebook account before it’s permanently deleted. But this goes far beyond her case. Tens of thousands of users like her—some of whom have lost years of business contacts, personal photos, and memories—are suffering because of Meta’s failure to address a critical security flaw.
The most important step is for Meta to patch the security vulnerability that allows cybercriminals to manipulate Instagram accounts and cause collateral damage to Facebook users. Until that happens, it’s clear that Meta’s dismissive response to the growing problem of hacked accounts is not only inadequate but arrogant. That is never good for business in the long run.
Doesn’t surprise me. There’s a reckoning coming for Facebook. Thanks for the public heads up and for not rolling over…
Ultimately, we are personally better off for it because Facebook is such a disgusting mind virus. So we just choose not to use it. But it’s annoying how all of our friends can’t live without it.