I Handed Over My Facebook Password to an Indonesian Hacker. Now We’re Friends.

By
Image

It is late on a Tuesday night, and I am watching as a group of Indonesian millennials discuss whether I really exist.

The messages pop up on a large, private Indonesian Facebook group that I am part of called ˚•☆☺☆•˚Kumpulan Akun Unik˚•☆☺☆•˚. Ignoring the flare, that’s Indonesian for the Unique Account Group. It starts when one participant notices that I am a member, screenshots my basic profile page, and says, roughly, There’s a blue-checkmark account that’s in the group.

That blue checkmark comes courtesy of Facebook and verifies that I am who I say I am. In the United States, thousands of people have them — everyone from actual celebrities to obscure journalists. But in Indonesia, they’re an extremely rare commodity, making my account something of a marvel to the people in Kumpulan Akun Unik.

This kicks off a gigantic thread. The account belongs to a foreigner, someone remarks. But the foreigner is speaking Indonesian? Many chime in to say, This group is getting awesome, or some variation thereof. Keep up the good work everyone. There are tons of emoji and a number of inside jokes. It must be the result of cloning, one person says, referring to the practice of lifting photos and personal details from one account and setting up a new “clone” account, often used for spam. But it cannot be: The account dates from 2004. A Facebook account from 2004 is really rare, another says. There’s some discussion of selling it.

And at some point, I chime in. Well, sort of. I watch myself respond in fluent Indonesian — not just fluent Indonesian, but the kind of winking, slang-filled, punctuation-light, emoji- and abbreviation-heavy Indonesian that these people are using. I am real, I protest. I got this account by asking for it nicely I am not going to do anything to tarnish the name of the person who really owns it because I have a good relationship with the person like close friends.

The person who really owns the account is me, Annie Lowrey. But the person using it as a kind of postmodern sock puppet is a 27-year-old Indonesian man named Ferdi. As for our relationship status, well, “It’s Complicated.” But this is the shaggy-dog story of the friendship that we developed between hacker and hacked, half a world away.

The saga started as so many online sagas start: with a foreboding email notification. I woke up early on a Saturday morning to a half-dozen emails informing me that someone had broken into my Facebook account. To do this, the intruder had guessed the email address I use to log in and requested to reset my Facebook password. That sent a notification to the email address, one I happen to use only to corral email from various services and businesses. He guessed the password to the email account — it was stupidly easy to do so, mea culpa. From there, he changed the Facebook password and took the account over as his own. (Take this as yet another reminder to trigger two-step on all of your accounts, people.)

It was not a slash-and-burn invasion, mercifully. He could have spammed my friends, soaked up email addresses and phone numbers, dug into my private messages, deleted my photographs, or broadcast any manner of nonsense out to my friends and the public. Instead, he changed my profile pic and my job title to “Presiden of Facebook” [sic]. He switched the name on my public and private pages to Ferdi Ferdiansyah. He changed the language setting to Indonesian. Lastly, he joined two closed groups, both devoted to the worship and barter of Facebook accounts.

It did not take long for me to wrench the account back and set up two-factor authentication. Ferdi was locked out. But I had his email address, and I was curious: Why hack a Facebook account in the first place? More to the point, why hack the Facebook account of an American journalist he had presumably never heard of — one with absolutely no public profile in Indonesia? What could he possibly get out of it? A bunch of photos of me nursing a Solo cup in college? The ability to spam my friends, none of whom were of any real relevance to him?

I wanted answers to those questions, so I wrote him a note in English and Google-translated Indonesian saying that I was a journalist. I told him that I had no interest in getting him in trouble, and I just wanted to talk. I did not hear anything back.

For the next few weeks, I remained part of those two private Facebook groups and periodically checked in to see what the Indonesian youths were chatting about. There was a fair amount about cloning and about other schemes to make money online. In social-media-mad Indonesia, I learned, it is common for Twitter and Facebook accounts with a large number of followers to put up what we would think of as sponsored posts — they are never marked as such — for money. It’s also common to spoof and trade accounts.

I never would have known what my hacker wanted, or whether my account was worth anything in Southeast Asia, but for an email from Ferdi that arrived out of nowhere one morning. “Kembalikan akun facebook saya .yang kamu ambil lagi,” it said. “Itu saya dapat beli dari seseorang dan perlu anda tahu saya sudah rugi Terimakasih.”

Google Translate was about as helpful as it could be: He was talking about my Facebook account, about how he wanted it back, about how he could buy it, maybe? I emailed back to confirm that he was asking for the Facebook account. Why? What could he possibly want with it? “I will use either as good as possible .. because I love it,” he responded in English. “I love facebook account output in 2004.”

Amplifying the bizarre nature of the exchange — my hacker was requesting that I turn my account back over to him? — was the fact that he was emailing from davewaigel@gmail.com. His name showed up in my inbox as “Dave Weigel.” That’s the name of, well, Dave Weigel, a political journalist and a longtime friend of mine. I emailed real-Dave, half thinking he might have gotten hacked too: “Do you have any interaction with the owner of “davewaigel@gmail.com’.” He replied: “Haha, no!”

Image

The mysteries were compounding, but the path to solving them had become clear, too. Ferdi/Dave and I were talking, and we soon struck a pact. I’d loan him my Facebook account if he would answer my questions about how and why he hacked me. To help us understand one another — the language barrier was significant — I sought the help of Christine Megariotis, a nonprofit consultant who had lived in Indonesia for years. She ended up assisting me as a cultural interpreter as much as a translator. The three of us ended up trading more than 100 emails and hundreds more WhatsApp messages. And while I got all my questions answered, I’m not sure that I really got them answered.

Question: Why was Ferdi using the name “Dave Waigel”? How did he know Dave, and how did he know that Dave and I were friends?

Answer: “The name of my brother david waigel alamyah,” he emailed me. Later he clarified, “about the name dave Waigel was the name of my sister in Indonesia.” And once more, with Christine, he clarified that he had a “kakak” — a term that means an older sibling, male or female, also used with close friends — named David Ngigel. That’s as good an answer as we got.

Question Two: How did he find me and my accounts?

Answer: He didn’t. According to Ferdi, he actually purchased my account from a “friend” of his: “I’ve told you not me who took over your account the other day …. I get an account from someone you my friend and it was not free … I bought.” The friend who sold it to him was a guy from Bandung, a hip student city. The price was a package of Sampoerna clove cigarettes. (I now know just how much my account is worth on the free market, not taking into account that you cannot even buy cloves in the United States anymore. Thanks, Obama.)

Some additional evidence here: The email address that the hacker used includes the name “Ferdi” in it, leading me to believe that he was the hacker, whether he wanted to admit it or not. Ferdi had an explanation for that: “yes it is my email. . But he who asked me the same .. he told me if I. had a blank email .. I replied no .. but I do not ask for what it is.” The Facebook and Gmail IP address logs back him up: Someone using a Firefox desktop browser changed the password and the email on the account, and someone using a separate mobile browser entered the Facebook account a few minutes later. Ferdi later told me he only uses a cell phone to access the internet.

Question: Could we talk to that friend?

Answer: No, Ferdi called him to see if we could, but his number had changed. There’s some cultural context that might be at work here, Christine noted: Ferdi called the hacker a “friend,” but Indonesians have a catholic sense of friendship and tend to use the term for acquaintances too.

Question: Who was Ferdi, and had he ever done this before?

Answer: An Indonesian man who lives with his family outside of Jakarta. A lover of Green Day and Avril Lavigne, a player of guitar, bass, and drums, and an obsessive about the hyperpopular Indonesian band NOAH. A man who could not afford university. A clerk in a store that sells cooking utensils, work he describes as simple and workaday. “It’s good to make honest money,” he said, “Honest people always have a lot of friends.” And a friend: He loves chatting with his buddies on Facebook, and uses a popular app called Autolike, too.

He had never done this before, he added.

Question: And what did he want with the account?

Answer: He loved it. He liked it. I pressed him on that: You love it, you like it, but what do you want to do with it? Why do you love a random Facebook account? “Email Password quickly handed over to me and I will use as much as you.” Messages like that kept coming. “I promise not to be abused by the bad things but I would use with a very disciplined … I will not disappoint you and I will not bring disaster … of the badly maintained and you prefer to use Twitter would be nice if I use facebook account ….. oia photograph propyl why do not you change the inexplicable.”

Christine drilled down on his answers a little bit. He did just like the account, he insisted. He liked that it was from 2004, the year of Facebook’s birth. He liked the blue check, showing that I was a verified person on Facebook. It “seems really special and valuable to him,” she guessed. “Like your account is akin to a prized beanie baby.”

He did at least try to answer all my questions, also chatting about waking up before dawn for morning prayers, about attending his friend’s wedding, about mangoes in Indonesia, about people who waste their money playing online games. He sent us photographs of himself, including one of his federal identification so that we could see that he was really real. And he fretted — nudging for the password, asking what was taking so long, sending multiple messages a day just to check in, letting us know that he could not sleep because he could not stop thinking about the Facebook account. He tired of my many questions, at one point telling Christine that I was nagging him.

So, my questions only half-answered and my curiosity still fully piqued, I turned the account back over. Who knows whether it was a translation error, or a misunderstanding, or willfulness, but Ferdi took the account back and promptly shut me out for a bit. Even so, he did nothing more than he had before — messing with my name and titles, chatting online, disrupting little, amusing him and me much. I followed him online as he darted in and out of groups, answering questions, looking at various accounts.

Image

In time, I locked him back out. But he had one final question for me: Perhaps I could get him that blue checkmark, too? I’ve asked Facebook about it, but I fear I cannot — it’s Facebook that decides who gets them. So for now, Ferdi is Ferdi, and I am Annie. Sort of. My name on Facebook is currently “Ferdi Ferdiansyah-gantengz,” meaning something like “Handsome Ferdi Ferdiansyah.” Facebook only allows one name change per 60-day period, “to help make sure everyone uses their authentic name.” 

So for the next few weeks, you’ll have to call me Ferdi.