
Local 5 - weareiowa.com | Des Moines Local News & Weather | Des Moines, Iowa

Des Moines woman disconnected from memories after hacker steals Facebook account

Sandi Tollari used Facebook to document her family members' lives for a decade. Now, she's lost it all.

DES MOINES, Iowa — Many of us share our lives on social media apps like Facebook, posting photos and fun memories so friends and family can celebrate our joys from miles away. Rarely do we think of how quickly we can lose those memories, as was the case for Des Moines resident Sandi Tollari.

“[Facebook is] my personal archive of the last ten-plus years of my life,” said Tollari. “I’ve documented my family, our vacations, our trips...I’ve recorded the funny precious things my kids have said along the way.”

Tollari, an 8th-grade teacher at Goodrell Middle School in Des Moines, said her account was hacked on March 31. When she tried to log in, the app prompted her to enter her password. 

After several failed attempts, she entered her phone number in an attempt to reset her password and recover her account. It was then she realized a hacker had apparently attached her phone number to a brand new, blank account. 

All of her photos and videos were gone. Gone were her groups where she saved her favorite recipes. Gone was her ability to connect with her former students with a click.

“I know Facebook is just social media, and sometimes that doesn’t seem like a serious thing,” said Tollari. “But in my life, it’s very serious.”

Brandon Potter, the chief technology officer at ProCircular, a Coralville-based web security company, said it’s all too common.

“These attackers will use that [method] to try to get with your friends,” said Potter. “Now they’re able to spider your profile for information to use for nefarious purposes or just to kind of aggregate a pool of data.” 

Potter said even if you don’t have any financial information tied to your account, hackers still want to get their hands on data. They’re also becoming harder to track down. 

Credit: ProCircular.com
ProCircular is a Coralville-based web security company that expanded to Des Moines in May 2020

“Attribution is very hard today,” said Potter. “It’s so easy for someone with a minimal skill set or even a sophisticated skill set to use VPNs or anonymizing proxies to mask where they’re actually from.”

For this reason, Potter emphasized prevention strategies, such as creating strong, distinct passwords for each account you have, and storing them in secure software, often referred to as a ‘password vault,’ so you don’t have to write them down somewhere. He also recommends using two-factor authentication.

Tollari is especially frustrated that, according to her, her attempts to recover her account through Facebook’s ‘Trusted Contacts’ method have simply not worked. She said she never received the email that the site says it sends when an account’s information is changed.

Local 5 reached out to the press contact at Facebook, detailing Tollari’s story, and has yet to hear back.


“I feel really disconnected from everybody and everything,” said Tollari. “I feel like that might sound silly, but it’s legitimate for me.”

If your account was hacked and you were successfully able to recover it, we want to hear from you! Email news@weareiowa.com.

ProCircular offers the following tips for account security:

  • Create strong and unique passwords:  Password reuse is a global problem and frequently leads to access to multiple accounts.  It would be best if you used a unique password for every website, and you can make it easier by leveraging a password vault solution.
    • Consider this – using the same password for every account is like using the same key for every lock that protects something valuable.  You hand it out, or it gets lost/stolen, then anyone can have access to all of your secure items with that one key!
  • Enable Multi-Factor or Two-Factor Authentication:  This can help if a hacker guesses your password or obtains it via a phishing attack.  The hacker may have your password, but they will need that second authentication factor, frequently a code sent to a mobile application or a text message to your mobile phone, to complete the sign-in process.
  • Consider signing up for account alerts: Many sites, including social media giants, allow notifications to be sent via text message or email when a new device is registered, or your account is accessed from a new or suspicious location.
    • This could be a good indicator something malicious is happening or someone has gained access to your account.
