Facebook Should Reword Confusing Hack Warning About “State-Sponsored Actors”

When we say “Facebook IS the Internet to many people” we really mean “Many Facebook users don’t fully understand what the Internet is.” Throwing Internet jargon at them will just make them freeze up and ignore you, or get deeply confused.

So imagine what targets of hacking attempts might think when they receive this notification from Facebook:

Please Secure Your Account Now

Jay, we believe your Facebook account and your other online accounts may be the target of attacks from state-sponsored actors. Turning on Login Approvals will help keep others from logging in to your Facebook account. Whenever your account is accessed from a new device or browser, we’ll send a security code to your phone so that only you can log in. We recommend you also take steps to secure the accounts you use on other services. Learn more.

“State-sponsored actors”? That cannot possibly be the clearest way to communicate what’s going on, even while aiming for accuracy and brevity.

  • “Those people from the local community theater are trying to look at my photos?”
  • “Improv comics on financial aid stole my identity?”
  • “Those jerks from the next state over are trying to beat up my Facebook profile? I never trusted those darn Kentuckians.”
  • “Obama!!??!?!?”

I wish these weren’t going to be some people’s reactions. But after five years writing about Facebook, seeing insane hoaxes passed around, and dealing with the most mind-boggling misconceptions about how it works, I’d bet big that this “warning” will confuse some people right when they need help most.

“Hackers funded by national governments”, “criminals working with other countries to access or steal your private information”, “bad people”. Any of these would be clearer than “state-sponsored actors”. Sure, they could get additional information from the Learn More button, but many won’t be bothered to do so.

The suggestion of what to do is vague as well: “Take steps to secure the accounts you use”. That should probably just spell out that people should change their passwords, and turn on two-factor authentication if it’s available and they know what that means.

Facebook and Google might offer more advanced protections like the Login Approvals that Facebook wisely recommends people activate. That feature works great. Still, getting people to go through the chores of changing their existing passwords is critical. It’s relatively easy, familiar, and works the same on basically every site and app.

At the core of this issue, Facebook is trying to do the right thing. Even if its own secure databases were never hacked, and it did nothing wrong, it’s still putting its reputation on the line to warn people they may have endangered themselves or been targeted by an attack beyond the realm of Facebook. Some people will naturally blame Facebook when it likely wasn’t the social network’s fault. But Facebook is being a good Internet citizen by warning people to the best of its abilities.

It just needs to do it in a more human way. Not only because a badly hacked user might be locked out of Facebook or retreat entirely, hurting the company’s business. But because if these victims are hacked, they’re going to be a lot less likely to want to stay open and connected with any service in the future.