We suspected recently that one or two of Patrick R. McElhiney's accounts online may have been hacked. It all started when Patrick was sent an e-mail with a link to a duplicate Facebook profile, that was created on Facebook using his email. This was not a spearfishing attack - it was actually a second Facebook account linked to Patrick's company's email, that somehow someone was able to create without verifying Patrick's email. So we suspect that Facebook and potentially Patrick's company e-mail may have been hacked at some time in the past, for an unknown length of time. This isn't a definite assessment, as there have been no other symptoms of hacking, and it may have been possible to do this without using the company's email, such as a vulnerability in Facebook. We were using 2-factor authentication with these accounts already, so if they were hacked, it was a conceded effort. We are using U2F security keys now to login to these and other online resources. There was no indication that there were any weird emails or messages sent from any of the accounts, at least publicly. The U2F security keys help to encrypt the connections when logging in.
As of 3/8/2019, Facebook says that it will take 30 days to delete the duplicate account.