Since March, it feels as though we, like the Egyptians in ancient times, have been suffering through a series of plagues. Instead of locusts, boils, and rivers flowing with blood, we have experienced COVID-19, lockdowns, unemployment, and social unrest. With my hometown of Philadelphia steadily recovering from the riots and looting, and on the verge of reopening after over 100 days of quarantine, I was hopeful the worst was over. But it wasn’t. The number of positive coronavirus tests started creeping up, and they announced that indoor dining and gyms would remain shut for at least another month. Then, the worst thing happened.
My Facebook account got hacked.
I started getting pounded with Facebook alerts as the hacker proceeded to lock me out of my account by setting up 2-factor authentication and disconnecting my company’s Business Manager, thereby removing access to all of my customers’ Facebook Ad campaigns and my ability to see campaign activity or shut them down. This happened right before my eyes with no way to stop it.
Within an hour, I started to get notifications that they had set up new ad accounts. I reported each one to Facebook in real time. We cancelled our credit cards and rushed to tell clients to do the same.
I immediately reported the hacking to Facebook (and the FBI), but eight days and at least two dozen attempts to beg Facebook for help (through four different channels) later, I’ve not heard one peep from Facebook.
As far as I can tell, the hackers stole at least $20K in advertising, but it could be a lot more because we’re still playing whack-a-mole. (One company’s accounting department dragged its feet, and over $10,000 in charges had been made by the time they got around to cancelling its card.)
We learned that credit card companies automatically replace the numbers of canceled cards with vendors they have relationships with (who knew?), and even if you ask for this service to be removed, it can take up to two days to process. As a result, I started seeing fraudulent charges before I even got the replacement card and had to cancel one credit card a second time within 24 hours. Further, since we had no records of exactly which ad accounts had been set up and which credit cards had been used, a couple of things slipped through the cracks, like the fact that I had just set up a small Facebook campaign to promote a local awards program and had agreed to put it on my personal credit card and get reimbursed later.
While this has been completely frustrating, there have been some lessons learned. In the hopes that someone will be spared having their Facebook account stolen, I share the following tips below.
- Set up two-factor authentication (2FA) on all logins. Now. The hacker accessed my Facebook Ads account via my personal Facebook login and then set up 2FA using their own cell phone number, which hijacked my account from me. If I had set up 2FA beforehand, this would have been avoided. I had 2FA on bank accounts and other critical logins, but not on my personal Facebook account. I know from experience. Any employee who has access to a paid advertising account needs to have 2FA set up.
- Keep records of every form of payment used for every advertising account. You can use your credit card statements to audit where your credit cards are used, but if you are running more than one Facebook, Google, or other marketing campaign, all you will be able to see is that a charge came from a particular vendor. If you lose access to your account, you’ll have no way to know whether the funds were used for a particular advertising campaign. Now, we are logging the card used for each account and whether the credit card is supplied by us or the client.
- Get billing terms if possible. We have a significant line of credit with Google Ads. We spend a lot on advertising and have enjoyed earning points by keeping credit card profiles in place. It’s been worth reconciling numerous $500 charges. But now, we are migrating all our accounts to invoicing. The points aren’t worth the risk anymore.
- Tighten up your passwords. We all get lazy and reuse the same password or don’t update them as frequently as we should. Use different passwords for all of your important logins and update them every 3 months.
- If you get hacked, request that the service that automatically replaces your card number with partner companies be cancelled, and ask that your new credit card be put on hold until you activate it. Wait 5 days to activate it. That will prevent charges from going through if the card number is accidentally replaced. You’ll have to manually replace your card information, which is a pain, but it will save you from potentially having to cancel your card a second time. The customer service person may be completely confused by this request, but push for it.
At this point, I’ve lost hope that I will ever recover my Facebook account, and I’m somewhat sad I’ll never be able to see the photos that have chronicled my life over the past decade. I will also lose thousands of dollars in revenue, as clients have chosen to discontinue using Facebook as a result of this incident (and the Facebook boycott). We have lost countless hours rebuilding all of the campaigns for clients that want to jump back into Facebook, though ironically, we are having trouble adding a Facebook Ad account.
But the reality is that it could have been a lot worse, and we are in much better shape to keep this from ever happening again. Please leave a comment if you have other ideas to share with the community about securing your advertising accounts.