What I wish I knew BEFORE I had my Facebook personal profile hacked, and lost access to all my business assets (for the second time)...
Rightly or wrongly, many small business owners heavily rely on Facebook™ (Meta™) to network, market, advertise and conduct business.
I am one of them.
Or, at least have been one of them…
At the time of writing this I sit here frustrated, just having had my personal Facebook account hacked for the second time in 18 months. Only this time I have been unable to get access to my profile back again to even start to put the problems to rights.
This means that overnight I lost access to all my business and personal assets:
- My personal messenger account
- My Business Manager
And so on…
So.much.history, time, business and personal data compromised! Not to mention so much stress, wasted time, lost income and so on...
The reason that I’m making myself vulnerable to share this with you today, is to hopefully help you protect yourself from it ever happening to you!
As an online business professional, in charge of so much client data, I am very careful with how I manage my data and security, to limit my liability and exposure.
Some of the measures I put in place to protect my passwords are:
- I use a minimum of 20 character long, unique, password manager generated passwords, for every website I use.
- I never ever save passwords in my browser, instead opting to use one single third-party encrypted password manager.
- I use two-factor authentication on everything possible.
- I always make sure that any links I click in my email are from reputable email addresses (there are so many Facebook scam emails out there) before clicking on them.
And yet I still had my personal Facebook account hacked!
So, in this article I'm sharing what I've learnt since the hack, in the hopes that it helps you prevent anything like this happening to you.
Here’s what I wish I knew the day before yesterday so that I could secure my Facebook profile faster during the time of the hack, and protect myself better.
(After that I’ll also share what I know about getting a hacked Facebook ads account back.)
1. How to improve the security of your Facebook account, to prevent it being hacked.
We all like to think that a hack won't happen to us. But, it happens to thousands of people everyday.
One of the things I wished I'd known prior to my hack, is that in order to get in touch with Facebook to say you've been hacked, you need access to your Facebook profile.
This is pretty ridiculous, because it gives you no way to contact Facebook if the hackers have taken over your account and you can't get back into your profile!!!
The only way to contact Facebook if you don't have a Facebook profile is to have the contact details of a Facebook representative on the inside. But, this is only likely to happen if, like me, you are an agency, or you are good friends with agency owners.
This is one of the stupidest things about Facebook's customer support "service". It's also why the best way to protect Facebook business assets is to be proactive with your security...
So, here are some things you can do to pro-actively keep your Facebook profile and business assets safe:
a) Make sure you have a unique password that you only use for Facebook
I know that passwords are something that a lot of people struggle with, and as a result many people I know use the same passwords for almost everything.
Please don't do this.
It will make it easy for someone to take over your entire life!
In general you should never:
- Reuse passwords
- Use weak passwords
- Share passwords via text, chat or other methods
- Write all your passwords in an unencrypted notepad or document
We all know this. But many people still do it, because it's convenient and therefore hard to break these habits.
But, trust me, it's much more inconvenient to be hacked!
I recommend that everyone use a password manager to manage their passwords. Then, you just need to remember one password.
I was with another password manager for many years. But, after their poor communication and lack of transparency around their recent data breach, I have moved to NordPass*. I actually wish I'd moved years ago; NordPass is much less temperamental and more pleasing to use!
PS: this is an affiliate link. I will earn a small commission if you buy NordPass through my affiliate link...
Regardless of which password manager you use - please make sure you are following safe password processes to keep yourself and your data safe online.
b) Set up two-step verification on Facebook:
At the time of my first Facebook hack, back in 2021, I thought I was pretty safe from being hacked, because I already had a unique, secure password and two-step verification.
Two-step verification is an extra layer of protection against people logging into your account: any new device has to supply a “code” at login. The code can be sent via email or text, or generated by a third-party app such as Google Authenticator.
(In theory) having two-step verification is supposed to make your profile much more secure! In practice, there are still ways for hackers to bypass it, depending on the type you use (as I am clearly evidence of).
For example, since my first hack, I learned that it's reasonably easy for hackers to compromise SIM cards to bypass text two-step verification codes. So, I no longer use text verification for anything.
Despite this, I believe that it's still worth making sure that you have two-step verification installed on your Facebook profile so that at least you're making their job harder:
The one thing you need to be aware of is that once you have set up two-step verification, Facebook will start to store “recognised devices”.
This means that these devices will no longer be asked for two-step verification codes at login.
Great and convenient for you!
BUT, if you get hacked, it means it's easy for the hackers to get back in without two-step verification codes. So, make sure you review all the devices on your profile.
(I have included instructions for how to do this in section 3 of this article).
c) Don't share your password with anyone:
Again, it seems obvious, but never give your Facebook password to anyone else. It's easy to forget not to do this. For example, many people give their passwords to assistants so that the assistants can post on their behalf.
If that's something that you would like to do, there are other ways of doing this. Such as using third party apps to post to Facebook on your behalf, and you can give your assistant access to this app.
This way, your business assets on the Facebook platform are better protected. Even if you trust your assistant, their devices may become susceptible to malware or phishing, making you vulnerable through their access.
Quick notes and action steps:
- Make sure you have a very long, unique Facebook password that you don't use for anything else
- Set up two-step verification
- Check in your two-step verification settings for unrecognised devices (if you're unsure how, see my instructions in section 3)
- Don't share your profile password with anyone
It’s important to know that BOTH times I was hacked I used Facebook’s two step verification facility as a line of defence, and the hackers still got past it.
The first time I used text message for two-step verification. The second time I used the Google Authenticator app.
When I set up the Google Authenticator app several years ago, it was device specific, which means that your time-based two-step verification codes were only available on that specific device.
I thought that this meant that my two-step verification codes were only on my iPhone (which was beside me while I slept, when this second hack occurred). But, I have since learned that:
in May 2023 Google released an update so that Google Authenticator codes are now backed up in the cloud (unless you turn this feature off).
There are pros and cons to this. The main pro of cloud backup is that if your device gets lost, broken or stolen, you have a backup of all your authentication codes so you won't get locked out of everything, which was always the major risk with device-specific Google Authenticator.
The downside to cloud back-up is that if, like me, you have an assistant who has access to your inbox, to manage your email, then you should definitely not use this same Google login for your verification codes. Otherwise your assistant (or anyone else with access to your Google account), and anyone who accesses their devices, can have access to all of your two-step verification codes.
This means that even if you store your passwords well, and take all measures not to click on phishing links in emails, someone can still access your Google account if your assistant does not have passwords on their devices, does not store their passwords wisely, or does not take care to avoid phishing links.
If you use the same email address to login to programs and apps, as you use for your Google Authenticator app login, then anyone with this one Google password can take over your life by accessing your gmail inbox and authentication codes.
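To make concrete why a backed-up authenticator seed is as sensitive as a password, here is an added example (not from the original post) implementing the standard time-based one-time password algorithm (RFC 6238) that apps like Google Authenticator use. The seed is a constructed value; anyone holding a copy of it, on the phone or in a cloud backup, derives exactly the same codes.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, at // step, digits)


def totp_from_base32(seed_b32: str, at: int) -> str:
    """Authenticator apps exchange the seed as base32; decode it first."""
    return totp(base64.b32decode(seed_b32, casefold=True), at)


def codes_match(seed_b32: str, at: int) -> bool:
    """The phone and any holder of the backed-up seed compute the same code:
    nothing about the code depends on which device ran the calculation."""
    code_on_phone = totp_from_base32(seed_b32, at)
    code_from_backup_copy = totp_from_base32(seed_b32, at)
    return code_on_phone == code_from_backup_copy


if __name__ == "__main__":
    # Constructed seed for illustration only (not a real account secret).
    CONSTRUCTED_SEED_B32 = "JBSWY3DPEHPK3PXP"
    now = int(time.time())
    print("current code:", totp_from_base32(CONSTRUCTED_SEED_B32, now))
    print("same code from a copy of the seed:", codes_match(CONSTRUCTED_SEED_B32, now))
```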
Here are some steps to avoid making yourself vulnerable if you use Google Authenticator for two-step verification:
- Don't share your Google Password with anyone
- Use a secure, unique, password-manager-generated password for your Google account. I recommend a minimum of 20 characters.
- Only store your passwords somewhere encrypted, (like NordPass password manager).
- Set up two-step verification on your Google account.
- If you need to give an assistant, or anyone else, access to your inbox, use a separate Google account for your Google Authenticator two-step verification. This will mean that even if they get your password reset codes, they won't have access to your two-step verification codes...
3. What to do during an active hack, to re-secure your account and protect yourself.
The first thing to do (especially if you have business manager with an ads account associated with your personal profile or Metapay account) is to act FAST!
Here are the steps I recommend taking immediately, as soon as you discover you’ve been hacked:
Step 1: Call your bank, or login to your banking app and block every single one of your credit and debit cards
The reason this is my first advice, rather than to try to resecure your account first, is that securing your account can take some time. So it’s important to protect yourself financially first.
Most of the time, if you’re a business, hackers are after your ads account, because within minutes they can set up ads for other businesses and rack up thousands of dollars in ad spend.
It’s essential to immediately block:
- Any cards that would be linked to your Facebook ads account (including inside PayPal if you use PayPal to pay your adspend bill).
- Any personal cards that you might have linked to “Metapay”, which is Facebook’s in-app way to pay for things that you buy through Facebook.
Doing this immediately will mean that even if the hackers start to rack up ad spend, that money cannot be taken from your cards (because trust me, it takes quite some time to get back, and that’s IF you can get back in control of your personal profile).
And it will prevent them from going on a shopping spree using your MetaPay account.
As convenient as it is, I do not recommend that people ever use Metapay for this very reason. Because it’s simply not a necessity and it exposes you financially. But, having a card linked to your ads account is unavoidable.
Step 2: Try to regain access to your account as quickly as possible
Now that you’ve protected yourself financially, you want to regain control of your account AS QUICKLY AS POSSIBLE, to limit the damage to your account and the hacker’s ability to change all your contact information.
But, before you do, here’s what I recommend:
- Use something like Zoom, Loom or Berrycast to start recording your screen in case you lose access to your account again and can’t remember what you did/didn’t do (because I lost access within a few minutes each time and I really really wish I’d done this)
- Know that you only get limited tries to use your ID to get your account back. So yes, you are racing the clock, but it’s important you read the rest of the steps further down to understand how to protect yourself from the hackers regaining access to your account.
Unfortunately I did not know that you only get limited tries of this, so within an hour I had used my ID to regain access to my profile 3-4 times. This resulted in Facebook removing my ability to use my ID to resecure my account. That gave the hackers more time to change all my personal information and shut down all the other ways I could use to gain access to my account.
Don’t be like me…
Step 3: Once you’re in, take these steps immediately to protect your account from the hackers gaining re-entry:
- Change your password to an extremely long, unique password. Then copy and paste this to your password manager for safe keeping so that you don’t lose or forget it.
- Remove any of the hackers contact information and activity that they’ve setup while they’ve had access to your account. You’ll be prompted to do this as you’re securing your account, so just follow the prompts and delete anything that doesn’t look like it was you.
IMPORTANT: Immediately remove any “recognised devices”. If you have two-factor authentication set up, then devices can be set as “recognised devices”. So, even if you regain access to your account, if you don’t remove the hacker’s recognised devices, they can get straight back in again very quickly.
You have only minutes to fix this!
You want to be on Desktop, then click on your profile in the top right hand corner and go to “Settings and Privacy”
Once there, you need to click settings:
Then, once in your settings you need to click on “see more in accounts centre:”
Once there, you need to click on “password and security” then “two-factor authentication”
Click on your Facebook profile (you may need to re-enter your password again at this point) and then click “list of recognised devices”.
Review your recognised devices and remove any that aren’t yours immediately:
Step 4: Navigate to https://business.facebook.com to secure your business manager.
If I had a chance to do things differently and have a do-over of yesterday, here’s what I’d do to protect my business manager:
- Add a trusted person (like a partner, close friend or family member or business associate) to my business manager as a full admin and assign them access to all my assets (including page, pixels, catalog, etc.). It’s also essential that this person has a secure password and two-step verification set up on their account.
- Then either reduce my access to basic, or remove myself as an admin
The reason I’d do this is that if the hackers regain entry they’ll know you’re onto them, and they’ll usually immediately go to the Business Manager to take over your account.
They do this by adding themselves as an admin, then reducing your access to basic level so that you can no longer control any of your assets. They will now have full control of all of your business assets and it’s incredibly time consuming and difficult to get this control back again.
By adding a trusted person, with a secure profile, as an admin then removing yourself or reducing your permissions, you will ensure that if your account is accessed again, they will not be able to go after your business assets. And it’s easy to put back permissions again once your account is secure.
Quick notes and action steps:
- Time is of the essence - make sure you try to get your account back AS SOON as you notice it's been hacked
- Immediately block all cards that are stored in Facebook either in ads manager or Metapay
- Before you try to recover your account, start a screen recording (if you have a tool quickly accessible, but don't let this slow you down)
- Change your password
- Remove unrecognised devices
- Remove unrecognised hacker details - particularly two-step verification details
- Consider adding a trusted friend to your business admin and removing yourself, until you're sure your profile is secure (to protect your business assets).
No one likes to get hacked. It feels violating and very stressful.
And, we all like to think it won't happen to us - especially if we follow good online security practices. But, it can happen to anyone, which is why we should not take our online security for granted.
Always follow good password management protocols to keep yourself safe online. And always make sure that you keep your Facebook profile as protected as possible, to avoid your business assets being compromised.
About the author:
Kat Soper is the Founder and Head Trainer of The Helpful Academy Online Business School.
Kat is passionate about helping start-ups and small businesses succeed and achieve their business goals so that they can achieve the lifestyle they desire (and deserve).