Facebook activated my dormant account and won’t let me deactivate it (smashcompany.com)
273 points by lkrubner on March 27, 2017 | 155 comments


> I am concerned that they knew that I used this password on several different sites. How did they know that? I suppose they keep an automated list of passwords that have been hacked on other sites, when those hacked passwords are made public? If so, that much is reasonable.

A clear demonstration of how users don't read error messages, as the screenshot that appears above this paragraph spells out the exact method the author suggests.


Also possible that the user read & understood the message but didn't take it as proof of its claim.

FB has a history of collecting cross-site passwords from failed logins.


I would like to know more about this. Do you have a source? I have suspected this for years.



FB's security people likely track and have copies of account/password dumps from site breaches. Sort of like Troy Hunt does with haveibeenpwned.com but for their own internal security measures.


and at the bottom of the page:

> You can also try other challenges to confirm your identity.


The identity challenge does not matter: you shouldn't have to confirm your identity to protest against the reactivation of an account you intended to close. The point still stands: OP intended to close their account in 2012, and are now being signed up again without their consent.


This happened to me recently, with Facebook. However, Facebook didn't reactivate my account, I was the one who mistakenly clicked on a link on Spotify when I reactivated my account which somehow triggered the reactivation.

I'm going to guess that OP of article had a similar situation; Using another service, an errant click was made that triggered an event on Facebook.


Facebook will do whatever they can to keep your account active. The shutdown process is a pure embodiment of dark patterns, and a single click reactivates the account.

I remember shutting down my account and then receiving some emails a week later, clicked the link wondering why FB was still emailing me, boom account reactivated. Shut it down again, then a couple weeks later I clicked the wrong share link and once again my account was reactivated.

If I was an investor or advertiser, I would be deeply suspicious of Facebook's metrics...


Of course you should. Else anybody can close accounts that have been purposely reopened.


No. Instead of reopening account on a whim require id when account is being reopened.


They did require a form of identification -- the user's password. The user was careless, and so that password ended up being compromised. This is exactly the same as any other scenario where a user's password has been compromised -- they need to prove they're the legitimate user, not whoever has the compromised password.


And the only proper way to do that identification is to go through the registered mail.


Given how many times I've had registered mail delivery screw up... no.


There is NO WAY I'd EVER give facebook or any other random internet service any real identification (that includes phone number).

Forcing someone to provide real identification for a service that didn't require it to sign up in the first place is just ludicrous.

For all intents and purposes my email is the sole identification available for a service like facebook. Further, a passport picture isn't worth squat because there is nothing linking my email to it anyway (and a passport picture can easily be forged or copied).


That's fair, but that wasn't really my point.


Well, what would be the alternative then?


Frustrate returning customers ... not a great idea


You should be able to actually delete an account, not just "deactivate" it.


You can delete accounts, but the function is hidden and you have to search the help section to find it

https://www.facebook.com/help/delete_account


How ironic. I deactivated my account last year thinking it was the only option. I click on the link... to be asked to login to Facebook. :-|


Yep, been down that road. You indeed have to reactivate your account in order to delete it.

FB's approach here is a great example of a dark pattern. I've known several people who really want to kick the FB habit and deactivated their accounts. But when they accidentally reactivate, the temptation was too great to go back since everything was still there just how they left it.

Evil genius right there.


Good tip!


You're not the customer, you're the product.


In practice that's not really a meaningful distinction. For a business that survives by selling ads, pissing off your users is just as bad as pissing off your advertisers; you need both to survive, not just one or the other.


Maybe, but like anything else there will be a calculation performed to determine how much it pisses people off as opposed to how much they might make by having people be suckered into^W^Wrejoin the fold.

It's like Ford in the 70's with the Pinto, trading off the cost of law suits vs. the cost of a recall.

So, yes. I agree with you in spirit, but not all users are as skilled, or upset, by this as others. And some may actually be lured back in.


That has nothing to do with whether you're a paying customer or not though. (As illustrated by your example with Ford, where the people being harmed were clearly "the customer", not "the product".)


I don't understand why this was down-voted, it's a very insightful quote and not the first time I've seen it.

People severely overestimate their own free-will and downplay the role of luck and external forces in their lives. If free-will was absolute and unlimited, then Facebook wouldn't be able to make any money from advertising. If you look at Facebook's income statement, you can actually quantify how much free-will Facebook took away from humanity.

Facebook's mission is basically to take free-will out of people and turn it into dollars for corporations.


Don't frustrate returning products then.


So long as the trade-off doesn't upset too many, they may still end up ahead.


I pay for Facebook (ads, as well as boosting posts). That makes me a customer, I guess.


You may fulfill both roles, customer and product, but I think that would make you a bit of a rarity. They can upset you as a product and support you as a customer at the same time.


> I pay for Facebook. That makes me a customer.

How does one pay for Facebook? Is there a premium service I'm not aware of?


Hey, sorry. I edited my comment to clarify shortly after posting it, but I imagine you probably loaded the page in the meantime and responded later.

I run ads on Facebook for several Facebook pages and additionally promote their posts (using the per-post boosting) fairly regularly.


Okay that makes sense. I thought it was from the perspective of a John Q. User who has a Facebook account.

In your example though the Ads are the product you're paying for. Not the Facebook account that is purchasing them, though I see how they're inherently linked.


When you own pages you can use Facebook advertising system to #feature# your page on it.

Same way Google do with adword on their search page.


No, you absolutely should have to confirm your identity in this situation.

Otherwise... well, imagine that I close my account and then decide to reopen it. ANYONE IN THE WORLD could block me from reopening it if FB doesn't require identification in the way you suggest.


It may not be Facebook themselves that caused the account reactivation.

I was very recently in a similar situation having a Facebook account that was deactivated about 5 years ago (I thought I had deleted it).

I received the exact same account reactivation notification email as in the article and I also started receiving photo post notification emails.

Upon attempting to sign in to my Facebook account to investigate, I was presented with a screen informing me that my account had been locked due to recent suspicious activity. In my case I did recall my password and as such didn't encounter the ID verification process.

I was presented with the details of the most recent login which was shown to be from a Samsung phone and from a Russian IP address. I have never owned a Samsung phone nor have I ever visited Russia.

My girlfriend's Facebook account was also recently accessed in similar suspicious circumstances.

I suspect that account credentials acquired from breaches of non-Facebook services are being used to attempt to access Facebook accounts.


This would be less an issue if Facebook would forthrightly handle account deletion.

As it is now it's simply not possible for a regular person to decide that they do not wish to further participate with any of facebook's services, remove their account and all the data associated with it, and be confident that all of the data collection, analysis, and 3rd party identification/authorization that goes on with active facebook accounts stops when their account removal process is complete.

So no matter what any one individual does in regards to their unwanted facebook account there is always the possibility that something they would really prefer not to happen with it comes to be... like some hacker from who knows where gaining control of it and so adding another key element to their identity fraud dossier collection.


I would suspect a similar circumstance for the author's situation. Facebook does do some weird things to try to resume user engagement, but I've not really seen them re-activate accounts on their own. More than likely it was password reuse resulting in a breach.

The Author even considered that the password was checked by some automation against sites like haveibeenpwned, which makes sense to me to some degree for Facebook to be actively checking against, but they seem to dismiss this in favor of a spying option.

I agree that having to submit a government issued ID seems a little incredulous for being able to deactivate the account, but as others have suggested, I'm not really sure how else the author can prove they are who they say they are. It seems that any such approach would be equally egregious to the public eye (i.e., anyone can make a fuss and shut down a facebook account), but certainly there must be some middleground, such as multiple authentications.

A lot of the sanity checks used by companies are pretty unreasonable for most users to remember or pass - Microsoft and Skype, for example, have basically locked me out of my main skype account; their recovery challenge was to name the exact account names of 6 of my contacts as well as the last two group chats I had been a part of. Since I hadn't used the account in about 2 years, this was really difficult for me, and the account names were even more difficult since people were using handles instead of real names, so the exact formatting was all but forgotten.

Riot Games Inc. had similar methods, asking "what was the first skin you were gifted and who gifted it?" when my friend was trying to recover their hacked account. That was stuff that had occurred years ago, and we had no idea who gifted what and when.

Again, I don't really pretend to have a good solution for these scenarios, but such solutions seem like they're just obstacles for the actual owner instead of ne'er-do-wells that overtake accounts.


The author clearly has access to the email account associated with the account. I don't see why they demand identification when they can just send a verification email, like literally every other website. What facebook is doing would make sense for a bank. They're not a bank. I know they think they are super duper important, but they're just another website that has no business demanding anyone's ID.

Can you imagine the chaos once they get hacked and their ID database leaks?


> The author clearly has access to the email account associated with the account. I don't see why they demand identification when they can just send a verification email, like literally every other website.

Having lost a domain with email tied to it before (renewal came up during a long, low-tech vacation) I'm glad they're a little more careful than that.


For many third-party websites your facebook account is your identity, i.e. they are super duper important.


This is primarily why I'm a little torn about the "just send an auth" - Facebook, whether we like it or not, has wedged itself into a huge number of websites far beyond just the facebook domain. Surrendering control of a facebook account doesn't just let you mess with someone's social profile, it's potentially access to store accounts and much more. Whether or not people should be doing this is sort of irrelevant as the damage is already done and the situation is already entangled in Facebook's federated login.


>For many third-party websites your facebook account is your identity, i.e. they are super duper important.

Correction, for many third party websites a facebook account is /an/ identity. If you closed your facebook account, what are the odds you're going to be using it as your openID login all over the place?

Probably none.


When I was 20 I'd tend to agree with you. Now well into my 30s I don't. I don't remember a ton of stuff anymore you think I would, including signing up for services.

Plus you have to trust the user thinks everything through and associates "I don't want Facebook anymore for its primary purpose" with "I use Facebook for other things too."


I think you underestimate the human ability to forget. Lots of people will decide to close their facebook account without thinking through the consequences (like that they used it to authenticate a dozen places).


Which in turn is just delegated to an email address + password combination. If the user controls that email, they obviously should control the facebook account, and everything else connected to it.


> I suspect that account credentials acquired from breaches of non-Facebook services are being used to attempt to access Facebook accounts.

Given you more or less gave away the idea that you reuse your own passwords, if you haven't already, I suggest you start using a password manager and changing all your passwords to something random.


They did mention it was 5 years ago; password managers have become a lot more popular in that time.


You don't need to manage a password of an abandoned account.

Just make it long and random.


Theoretically, it should require an email to reactivate an account. OP didn't get one I bet.


OP did get an email. It's mentioned on line 4 of the post!


I certainly didn't manage passwords very well years ago.

I've been using a password manager for some time now.


I'll add my data point, since this has been happening to me as well in the last week.

I've gone in three times now, made sure the account was "deactivated" (using quotes since we know it's not really ever deleted).

And I'm still getting notifications.

Something else is going on here.


Possibly. Could we all help a guy by 'report abuse' the hell out of the account so it gets deactivated? That would be wrong - what if he isn't the actual owner? So you see the problem. Maybe fb need to make it easier for him to identify himself? But by means other than actually identifying himself? Well that is hard. He should tell his friends he is no longer in control. That would at least be a start.


TL;DR: Author reuses same password for most websites. Password was leaked. Attackers likely used password to try and login to his old FB account, causing it to reactivate. Facebook has protections which prevent attackers from accessing account based on stolen password alone (no doubt preventing further damage from attack). Author is annoyed by this.


Nice summary, but it downplays the issue. The author has no remedy other than sending a photo ID. Why is an account able to be reactivated using a password known to be compromised? Perhaps Facebook should require an ID _before_ reactivation if the password is compromised, instead of the other way around.


To preface my comment, I don't like the idea of providing government-issued ID either. I'd like to see their privacy policy regarding the storage of the ID and if they collect the info from it.

Having said that, I'm almost glad this measure is in place. Assuming the account was only deactivated and not completely destroyed (and let's be honest, they likely never completely destroy all data on a user) an attacker can very easily assume the identity of that user as well as invade the privacy of their friends who have an account but lock down info to only their connections.

What I'm trying to say is, showing ID seems extreme, but given the amount of power you gain by getting access to someone's Facebook account today, it doesn't seem entirely unreasonable.


Also I don't think he actually deleted his account but deactivated it and mistook that for account deletion. I've deleted my account on numerous occasions, once it's gone, it's gone from the end user perspective (whatever FB actually does on the back-end is not truly promised I assume).


My guess is that someone is using password db dumps and then using those credentials to login to Facebook accounts, in this case it reactivated it.

TL;DR Don't use the same password on multiple accounts, no matter how "unimportant".


Fairly sure someone is. I haven't been using FB for months and last week received a "messenger sign in code" SMS from FB. (I use LastPass btw with each site their own pw, I highly doubt they need your actual current password to login)


Phone number reuse is also a major pain in this scenario. If your mobile phone number has ever changed, you still likely have the old number registered with many sites. The SMS you received may not have been for your Facebook account, but rather for someone else's account using your new phone number that used to belong to them.

The number of sites that use - sometimes even requiring - SMS as a backup authentication mechanism, even while you use a separate authenticator app, is astounding. Cell phone number recycling is just as bad as email addresses.


Yep - my rockstar account was 'hacked' a few weeks ago and I now have a fancy eastern european looking username


They got your hackernews account also NoTim?


I uploaded a picture of my driver license with my finger covering my D.O.B. and address. They responded by deleting my account I was locked out of and did not want online any longer.


For those who still have access and don't just want to deactivate- https://www.facebook.com/help/delete_account



At least they emailed you about it.

In my case they reactivated it for some reason and I had no idea for months until someone told me they saw my Facebook page.

I had just deactivated because I wanted to take a break from all the fake relationships, but I never really hated the company itself.

But now that I know this company just does whatever they want and doesn't care about the contract with their users, I despise them with passion. It's one thing to change privacy policy, but reactivating someone's account without permission when he clearly has deactivated is almost illegal.

I ended up completely deleting my account (that's different from "deactivating"). It's actually all gone (hopefully).

I'm sure there are many people like me and OP out there. It's sad that people can't do much about it as individuals even when their privacy is fucked with.


Well, if you give somebody your facebook password and they reactivate your account, shouldn't you be angry with that somebody?


Where did i say I gave someone my password? I said it just got re-activated automatically without me knowing. No one else other than me knows the password. And I never got a notice.

I am angry at you.


FB doesn't just randomly reactivate accounts... If your account comes back, it was probably compromised. Spammers and scammers look for deactivated accounts because it will be longer until they are discovered...


What would the alternative be? Allow anyone to request that an account is deleted? Facebook needs some form of verification due to the password being breached (and it's great that they are checking for that sort of thing)


Additionally, the only info they need is your name, birthday and photo. Anything else can be blocked out. I don't really consider that 'giving them my government issued id'.


Requiring the same standard of verification for activating an account. Of course, they want to make it easy so it's unlikely to happen...


If he knew his password he could deactivate the account using the same standard of verification as was used for reactivating it.


He does know it, but Facebook is requiring that he change it before deleting his account.


>Allow anyone to request that an account is deleted?

"anyone" with the proper access credentials?


When said credentials have been leaked elsewhere, they aren't "proper" anymore.


The alternative would be to actually delete the account as it should have happened in the first place when the user requested it years ago.


Send a verification email as for a lost password?


The alternative would have been for Facebook to close the account in 2012, as the user wanted.


> What would the alternative be?

Not to re-activate an old account without email re-verification.


The author claims the request for ID is an "invasion of privacy"? Such a claim is absurd. A request for something is not an invasion of privacy and never is. He can simply decline to provide the information - which is the path he took. The ability to take such an action makes it a decision. He just doesn't like that his account is not in his control. I get that. The situation sucks. But guess what - too bad. He never owned his account in the first place. That information belongs to Facebook and is the property of Facebook.

Also, the Facebook page clearly says to block out everything except the photo, name, and birth date. This is information Facebook already has and the photo upload is simply for verification purposes. This makes his claim of privacy invasion even more ridiculous since he already gave them that information years ago.


>He never owned his account in the first place. That information belongs to Facebook and is the property of Facebook.

Don't you think that was part of the point and part of the problem?


I am in this situation as well...Facebook does not have my picture or real age. They do have my correct name and I still have the original registration email. I don't want to upload my ID as I can't see how it will do them any good...of course I can't get in to my FB account though ;-)


Pretty obvious your leaked email/password (from another website) was tried against facebook.

And while I agree with not likely to upload photo of our driver's licence/etc.. it's pretty likely this is really just to verify that it's your account to delete (although I'm sure you could photoshop something that passes pretty easily if you were malicious) and it sounds like they remove that proof of identity pretty securely afterwards.


They say:

> We aren't aware of any suspicious login activity on your account

So they admit they don't think anything is going on, even. Facebook is just punishing the author because they committed the sin of password reuse. And the punishment for password reuse is apparently demanding ID before allowing the author to do anything with the account that belongs to them. Even though they control the email address associated with the account.


They aren't aware of suspicious activity because they think OP reactivated his own account!


So supposedly OP was allowed to reactivate the account without any hassle at all, but then to actually sign in ID has to be shown? That is even more ridiculous since that just leaves the account in a limbo state for no reason at all. Should have asked for ID prior to reactivating if going down that road.


> So supposedly OP was allowed to reactivate the account without any hassle at all, but then to actually sign in ID has to be shown? That is even more ridiculous

Try to think about it without all that negative mindset. Someone quite obviously obtained the (careless) author's password from a leaked user database of another site. They used it to log on to FB and reactivate the account. That isn't suspicious, because the last login IP address FB had is 5+ years old and having a different one now is not unlikely. Then, the author logged on with his IP address - which was suspicious to FB, because they thought the legitimate owner of the account had recently logged on using a different IP address (perhaps even from a different country). In addition, it took him several attempts to get the password right. Therefore, they demanded some ID.


So their automated systems detected malicious access as legitimate access, and legitimate access as malicious access? And this is somehow working as intended?


I'm not sure what you are suggesting facebook should do.

They can't very well just assume all attackers will set the evil-bit now can they?

https://en.wikipedia.org/wiki/Evil_bit

The automated system has done "the right thing" and fallen back to manual verification when it detected suspicious activity. They can't request id for every activation or reactivation.


They assume their automated system can catch evil users in the act. It couldn't. It failed its job and let the attacker do what they wanted while preventing the legitimate user from controlling their account.

So the automated system did more harm than good. It should either be overhauled or disabled.


It did that, in this one particular case. Facebook has what, hundreds of millions of users, maybe billions? No system anybody can come up with can handle every case that every one of those users will have perfectly. They have something that their experience leads them to believe is at least pretty good for most cases. They're not going to change it because it did the wrong thing for one guy.

They don't even know right now that it did the wrong thing. Presuming the root cause is a login from somewhere else from a password DB, all they know is they have 2 logins with the right password from 2 widely separated places. How are they to know which one is the right one? Asking for a real ID sounds like a good start, but the author refuses to provide one. Understandable, I suppose, but how else can he prove that he's the real account owner and not the other guy?


By controlling the email account that was used to sign up. This is standard practise and quite simple.


> They assume their automated system can catch evil users in the act.

Where do they assume that?


The system exists. If it can't do that, it has no purpose.


Why not? Deactivation and reactivation is a very rare activity that warrants secondary authorization. A simple confirmation email does the trick most of the time.


And yet GP suggests facebook should frustrate returning customers who log in first time with the correct password.


Seriously, after 5 years they still have your account information? Are they completely nuts?


>Are they completely nuts?

Given their scale, Facebook doesn't have to ever delete anyone's account information, since they have enough money and power to keep everything indefinitely. Deleting account information would probably be like deleting money, since that data likely has real value (more so if someone changes their mind about deleting their account) even if it's no longer public.

It's not nuts, it just seems a bit mercenary. But then, Facebook is bigger than many governments now, so it also seems to be working in their favor.


On Facebook, there's a difference between "deleting" and "deactivating" your account. OP did the latter, in which case it stays in the DB but is made invisible to everyone else. All you have to do to make it a normal, visible account again is simply log in. Deleting is a different matter.


There was no deleting option years ago; it only came to exist recently, and there is no proof that any deleting is actually happening, only that outside access is disabled.

I remember an insider interview a while ago explaining that at any time facebook holds several, seven if my memory is correct, copies of every data ever collected on all users and non users. Surveillance capitalism.


Yes, I think the only one who's publicly fighting that is the Austrian Max Schrems. Unfortunately the case is too big for one person. The only chance I see is to make people aware and let Facebook and other companies know that we HATE being treated like sales objects.


I deleted my account twice, both "years ago". I guess it was five and two years ago, maybe.

Definitely not "recently". But it was well-hidden.


I deactivated my account in 2010. At that point in time the only option was deactivating the account. Not sure what I should do now.


I have an email from when I _deleted_ mine (September 2010):

Subject: Account scheduled for deletion

"Hi Mathew, We have received a request to permanently delete your account. Your account has been deactivated from the site and will be permanently deleted within 14 days. If you did not request to permanently delete your account, please login to Facebook to cancel this request: http://www.facebook.com/login.php Thanks, The Facebook Team"

I know there was a difference between deactivate and delete, deactivate tried to guilt trip you ( like this http://mashable.com/2009/07/22/facebook-deactivate-account/#... ) whereas delete had some hoops on the form to jump through.

I've just checked by attempting to log in - "The email address you entered does not match any account"


Unfortunately, I don't have the email I received anymore and can't remember what exactly the content of the account deactivation email was. Most probably the same as yours though.

I have the feeling that checking if the account still exists by trying to logon is: 1. not a good check 2. maybe counter-productive because they now maybe assume you are interested in getting back your account.


It said that the email and password was shown to be the same as a compromised account so may well have been activated by a malicious party. Don't reuse accounts and don't consider Facebook to be unimportant even if you don't like it.


I see another problem: The OP thought he deleted his account, but actually deactivated it. I've deleted my account before, even in the last few years and it requires a specific link from the FAQ, otherwise you only get a deactivation link, it takes about 2 weeks, if you login after the 2 weeks, you will not get an account back. If years passed and you can still somehow get a response from FB about your account, you didn't delete your account, you deactivated it.

Edit:

It seems this is common enough to be in the FAQ as well:

https://www.facebook.com/help/359046244166395/

How to DELETE your account (will take about 2 weeks or so DO NOT LOG ON TO YOUR ACCOUNT or it will cancel the arrangement):

https://www.facebook.com/help/224562897555674?helpref=relate...


Noticed that they've started sending me notification emails about things my friends connected to my account that was deactivated for 4+ years.

I was worried it had been hacked and activated by someone so I logged back in. Nope, so turned off the emails and "deactivated" it again.


Yet another situation that proves it's not reasonable to let users keep their account information/data for an extended period of time when they don't use the service.

FB should provide backup/restore functionality for account data and delete accounts after N months of inactivity. They should require e-mail confirmation for logins after N weeks of inactivity and any suspicious logins. The author of the article is lucky that he still owns his geocities.com e-mail address, many such old domains have been sold and re-used.

Inactive/Dead accounts are useful for bragging with account numbers, but for users they're just a risk and burden.


This is concerning since I had assumed the data contained in 'inactive' accounts would eventually be deleted. I closed my own account in 2011 because I found no benefit to having one. Given how difficult it was to close my account the first time around, I'm now expecting to receive a similar email. Why would they hold onto all this data for years after the account was closed? They're not going to be able to glean anything else from it.

If necessary, I'll pull a Data Protection Act request on these goons.


You certainly fooled yourself in assuming that. It is, at least I thought it was, common knowledge that facebook does not delete a single thing ever they just disable it for user access.

I seem to remember this was exposed a few years back with the introduction of a "past memories" feature or something that mistakenly took some of the supposedly deleted content and put it in the spotlight.

They hold onto this data because: 1. You gave them full legal rights to do so by agreeing to their ToS and giving them full ownership of everything ever collected on you by facebook. 2. Exploiting user data is how they make money. (well that and investor story time).


> ... common knowledge that facebook does not delete a single thing ever they just disable it for user access.

That is correct, I remember there even was a presentation video from one of FB's engineers describing exactly that, also that they intended to burn that data to long time storage archival discs (probably already are). I have no time to look for that video but if someone knows what it was called please link to it, it should be somewhere on the youtubes.


A few egregious interracial mano-a-mano "mature" midget porn pics sprinkled with a collage of pre-teen bikini pics (A 12 line python script). And a pre-cooked rant from some Nazi site about negros and bitches and negro bitches was all it took to get me out.

Some concern from family and friends but a "Yea, got hacked, be careful out there" took care of that.

Make the system work for you mate.


Chances are all the data about you facebook ever collected still lives inside facebook, outside access is just disabled.


And now it contains questionable content forever associated.


Deactivate is different from delete. They knowingly only show deactivate which keeps the data, the link for delete is not immediately accessible from their site. https://www.facebook.com/help/delete_account


Let's call a spade a spade -- these people are parasites. After reading the linked article I ran a generic inquiry and discovered that "Paul Lutus is on Facebook[1]." False and annoying. I suspect this is how Facebook can claim to have so many followers. I'm sure there are many dead people who are "on Facebook" too and, by virtue of being dead, less likely to object.

1. https://www.facebook.com/paul.lutus


To echo others in this thread, the same happened to me. The account was deactivated in 2009, and I used a password that I know to have been compromised in hacks of other services.

After several weeks, I got an email yesterday telling me that due to no further suspicious activity, they unlocked the account without Photo ID verification. I went in and scheduled the account for deletion.


Since his Facebook account is clearly important to him, he shouldn't have reused a password that he shared with unimportant sites.


No I think you've missed the point, the _account_ is unimportant: "I do not want an account on Facebook. I have been happy to live without Facebook for the last 5 years."

What is _important_ is the fact that it was activated without any user input, and can't be deactivated without handing over quite substantial trust.


GP has not missed the point. The deactivated account should have been secured with a decent password (if the "lack-of-an-account" was important).

It wasn't reactivated without any user input - or at least we can't possibly know that.

We just don't know who the user was who did the reactivating.


Decent or not is irrelevant to the triggering of the breached credentials. You could have the best possible password ever, once you give it to a service that stores it plain text it's game over.

The actual password issue here is password reuse and what should have been done is not having a facebook account in the first place. Is it even possible to get out of facebook once your data is in there?

The user being the account owner, we do know (provided we trust him) that it was not him so yes it was reactivated without any user input.

From what I gather it could be that email/password was used on another service that got breached and either a bot or someone trying all those breached credentials on facebook caused the reactivation, or a relative that knew the user/pass or facebook trying to collect more personal data on old inactive accounts and inadvertently getting exposed once again.


Please don't blame the user for this terribly-unfriendly UI flow.


Ha, Facebook UI without logging in is the stupidest. Help center behind a login, emails that can't be unsubscribed from from the email without login, stupid popup that blocks the view every now and then if you're logged out...

I'm tempted to try logging in if they really deleted my account after I requested it.


Breaking news: they delete nothing, at best outside access is disabled.


I don't hold my breath either. I marked all content as removed, before deleting the account, and removed all advertising topics, and yet after a month of not using FB, the advertising topics were re-generated as if the old content was there. Also a few posts that I marked as deleted popped back in and were showing again.

But nevertheless, they advertise that they actually remove the content, when you delete the account (saying it can take a few months before they prune all the backups from it), so it would be fraud if they did not. Also EU, there's a right to delete.


Not helpful in OP's case, but for those in need of how to delete accounts on various services, accountkiller[1] will provide the info you need.

About facebook account deletion:

  Publicly visible text/images often aren't properly deleted 
  even when you succeed in deleting an account. Try editing 
  or deleting them manually before deleting the account 
  itself. If you're unsure what happens to your tracks: this 
  can be found mostly in the Terms of Service/Privacy 
  Policy; otherwise you can always contact Facebook and ask 
  personally. By the way, deletion requests don't 
  necessarily mean your data will actually be deleted (e.g. 
  due to legal obligations).

[1]: https://www.accountkiller.com/


Does anybody have conversion stats for the facebook signup process? What's the dropoff rate when it wants to scan your driver's license? Do they do this in every country? Do they do it on mobile?

I'm more disturbed by 5 year data retention than the crappy verification step.


The request for ID is certainly not standard across all accounts and situations. My guess: the account reactivation came from a different location than OP's home country/state, or OP themselves moved states/countries in the past 5 years. The account being reactivated from a different location would certainly be cause for alarm. This would be a reasonable check in my book, as it is the best way to fight against compromised credentials - you know, the exact situation OP finds themselves in for having reused their Facebook password on other (previously compromised?) sites.

What the OP doesn't seem to understand is that the attacker may have been able to technically "reactivate" the account, but they also probably can't actually gain access until they provide ID. This ID requirement has likely saved the OP's account from actually falling into the attacker's eager hands.

OP is complaining about the privacy implications of a compromised reactivation by an attacker, and sour they are being asked to prove that they are not the attacker. Take off the tin foil hat, stop crying foul, be grateful Facebook seems to have saved your password-reusing ass, send them the ID, and then delete the account instead of deactivating it.


email verification would have also stopped reactivation in this case.


Similarly (arguably worse) someone can create a Dropbox account using your email address and there is no verification nor mechanism to say that it is not yours. Their support will repeatedly bug you to use an automated system, and of course the automated system cannot fathom that you do not have or want an account. I think it took a couple of weeks for them to actually delete it. Alternatively you could try the lost password flow, log in and delete all the files belonging to the poor sap that made a typo. All the while, you hope none of those files were intended for you.


I used Facebook briefly years ago as part of a job requirement, but the account sat stagnant and unused for a very long time. Recently I thought I would login just to see if the account was still there, and found that FB had deactivated my account.

The only path to reactivate the account is to send them my government issued ID.

In my case it doesn't matter because I don't want to reactivate the account anyways, but if things were different I would be absolutely horrified at the thought of sending them my driver's license or passport photo.


I am so glad I've deleted my Facebook account a long time ago. A request to provide a photo ID for a social network platform just shocks me. Welcome to the Orwellian world, dear people...


Facebook has credit cards on file, it is not surprising to me you need to confirm your identity on a platform that takes payment information. In software products, it is safe to assume that they'll be dealing with payments of some sort, so it is best to not even sign up for services, also since your real identity is what advertisers want to sell to which keeps the product free.


Seems like an interesting way for law enforcement to get a picture of someone they don't have on record :-) (ok that is pretty paranoid).

I would probably hit them up with a 'Right to be Forgotten' cease and desist letter demanding facebook remove everything they have associated with the account.


I'm in the same situation, I didn't use my account for several years. Then I tried to log in, and the account is locked. I was asked to send my ID. I did it. Now I'm waiting the fifth month for it to be unlocked and nothing happens. They have my ID, I don't have account access.


Is this a possible phishing attack?


My initial thought as well. Could be identity theft phishing as well (is there a separate word for it) as he was asked for a photo ID.


Facebook asking for government photo ID is part of its actual verification procedure.


I'd say upload some crap as the photo id and let the minions deactivate your account for 'abuse'

Edit: just saw that was done. Let them play their stupid game like they're important.

Does power hungry Mr Z think he's some kind of police to ask for a photo id?


This is why every site should have it's own unique, strong password.


"its own"

And yes it should, and expendable passwords because the world is filled with morons who "encrypt" your password with rot13 or one round of unsalted md5 (but you better follow their "strong password rules").


Thanks for the correction. You know, I was once taught, quite poorly, that the apostrophe is used for possession, and when I'm not mindful about it, my brain makes this jump that when referring to something that "belongs" to whatever "it" refers to, that it therefore possesses this thing and therefore should have an apostrophe.

If I think about writing, I write its, but when I'm thinking what I want to write and my fingers just type it, it is like a layer of execution intercepts that thought and corrects it.

I guess that's just the brain and one of its features, it's nuts.

Getting back to the subject, this is one of the biggest issues, idiots who hold our data and yet don't add salts to their encryption because salt is bad for you.


That works great until you have to actually remember it.


1) your account shouldn't have been reactivated 2) but if you could get an account deactivated without proving who you are, then that could cause a lot of issues.


I'm surprised nobody has said this yet: tweet at Facebook, or contact their support.


Support's at help center which needs login.

Facebook afaik does not have twitter support.


No they didn't! Go back and read your own post and the screen shots.


What could possibly go wrong?


[flagged]


We detached this subthread from https://news.ycombinator.com/item?id=13965612 and marked it off-topic.


The comment you wittily replied to was specifically: "[f]or those who still have access"



