Three weeks ago, someone hacked into our Facebook ad account.
They spent $4,006.87 in 46 minutes.
We’re not saying this to be alarmist or for the shock value. Instead, we just want to get your attention and make sure you understand why this is important.
“Security” isn’t a sexy marketing topic—especially compared to things like landing pages, sales videos, ad hooks, and so on.
But security is still a vital part of any business.
Because, as we had to learn the hard way, the consequences of a single security slip can be costly.
We didn’t actually have to pay for the $4,000+ the hacker racked up in ad spend…but the opportunity cost of having our ads & campaigns deleted and having to start over from scratch is more in the $40,000-$50,000 range.
That’s an expensive lesson.
So, yeah. Security matters.
Luckily, there are a lot of fairly easy things you can do to increase your security right now, today. We’ll share our top 7 tips to protect your Facebook ad account soon.
But first, it might be insightful to read about how our account got hacked, how we found out about it, and what we did to regain control.
Here’s How It Happened (AKA, A Dramatic Day in the Smart Marketer Office)
As you may or may not know, our Facebook ad account got shut down this past April.
It wasn’t our fault, but that’s another story. Either way, we rolled with the punches and started a brand-new account.
Things were going well for a month or so, until we woke up one day and realized there were NO ADS in our account.
We usually have ~10 campaigns running, so this was definitely not right.
Initially, we thought it was a glitch. Facebook has its fair share of tech problems, after all, so we waited and hoped our ads would reappear soon.
Shortly after that, we logged back in and saw a bunch of NEW campaigns.
At first, we thought maybe Facebook had switched our account with Carrie Underwood’s (whose picture was in the ads). But after just a few moments of browsing, we realized something was wrong.
These ads were spammy.
And we’ve gotta say: they were t-e-r-r-i-b-l-e.
You might think that anyone smart enough to hack into Facebook accounts would have at least some idea how to create a semi-decent campaign…right?
Nope. Not even close.
Not only was the copy spammy, but the targeting was incredibly broad—it just targeted women—and the ads felt super skeezy. (They all directed people to an affiliate weight-loss offer.)
We didn’t have time to stop and make fun, though. Because all of a sudden these campaigns (about 20 of them) each had a budget of $143,300/day.
And then they were ENABLED.
Now, thanks to spending limits there’s no way they were going to be able to spend roughly $2.8 million/day. But because they set the daily budget so high, Facebook’s reaction was to start spending money FAST.
Our quick-thinking CMO, John Grimshaw, immediately paused the campaigns while we tried to figure out how to stop this. But 3 minutes later, the campaigns were enabled again.
So there ensued a “click war” between John pausing the accounts, and the person who hacked into our account turning them back on.
Soon we were able to learn, by checking the activity history in one of the ad sets, whose account it was that kept re-enabling the campaigns:
We had found our compromised account.
(Turns out it was one of our team members who had recently been given access to the account in order to fix a tracking issue. Someone hacked into their account, and that’s how they got access to our Ads Manager.)
Ezra immediately booted that person’s access, and we had control once again.
Phew.
The Aftermath
We had put out the immediate fire, but we still had some serious repercussions to deal with:
- ~$4,006 in fraudulent ad spend
- All our campaigns were deleted
- Our new account got shut down
We reached out to Facebook and let them know what happened. They told us to cancel the charges with our card, and to leave the campaigns in our account so they could confirm what had happened.
(At this writing, we’re still in a review period.)
But the real cost came from the fact that we couldn’t run our ads for another 1-2 weeks, and even then we had to start over and re-optimize everything from scratch again.
The opportunity cost was probably closer to $40,000-$50,000.
It was quite the stressful day for us at Smart Marketer. Hopefully, by sharing our story, we can help you avoid ever having to go through a similar experience.
But first, let’s talk about how to fix things if your account DOES get hacked.
What To Do If Your Facebook Ad Account Gets Hacked
First things first: if your account ever gets hacked, you need to stop the bleeding by regaining control over your account. Here are the most important things you need to do immediately.
Step 1: Figure Out Whose Account Was Hacked
Remember that you can only access Facebook ad accounts through your personal Facebook account. Which means that if someone has hacked into your ad account, the only way they could have done it is by hacking the personal account of someone with access to your account.
But before you can boot the hacker, you need to figure out which account is compromised.
In our case, we were able to figure this out by checking the activity history in one of the ad sets, which showed the name of the person whose account was making the changes.
To find this, click the clock icon on the right-hand side of your Ads Manager:
Set the date range and you’ll see a list of all the changes made, along with who made them:
If you spot an account that’s creating fake ads, it should be pretty obvious which account is the problem.
Another way to find out if someone’s hacked into your account is to go to your personal settings page, then click “Security and Login.” There’s a section that shows you the devices and locations where you’ve recently logged in:
If you see a login from somewhere you don’t recognize, that probably means you’ve been hacked.
It’s probably a good idea to have everyone on your team check this page ASAP.
Step 2: Remove the Hacked Account
As quickly as possible, you want to remove access for the hacked account. Do that by going to your business settings, clicking on “People,” and clicking the trash can next to your ad account to remove their access:
This should be enough to put out the immediate fire of actually having a hacker in your account.
Step 3: Secure Your Account
Finally, you (or whoever’s account got hacked) will need to secure your account and kick that hacker out for good.
Facebook has a process for this. To find it, login and search for “hacked.” At the top of the results you should see an option to Secure Your Account on Facebook.
That will take you to this page, where Facebook will ask a few questions to help you fix the problem.
Follow the prompts to secure your account and boot out the hacker.
If for some reason you aren’t able to log in to your own account (if the hacker changed your password, for example), you can still secure your account by going to this page:
https://www.facebook.com/hacked/
Step 4: Tell Facebook What Happened
Depending on your situation, you might be able to skip this step. In our case, because the hacker managed to spend about $4,000 before we regained control, we had to tell Facebook to avoid paying those charges.
Unfortunately, getting in touch with someone at Facebook can be notoriously tricky. If you have a friend or an account rep, reach out to that person. Otherwise, try going to this page:
https://www.facebook.com/business/help
Scroll down and look for the contact option:
If you don’t see that contact option, the support team might be too busy. Try coming back later.
When you do get in touch with a Facebook representative, tell them what happened. In our case, they wanted us to leave the campaigns in our account so they could verify our claims. So if your hacker created new ads, don’t delete them just yet.
7 Steps to Protect Your Facebook Account from Getting Hacked
At this point, you should have been able to regain control of your account. And hopefully, Facebook has reversed any fraudulent charges.
But how do you stop this kind of thing from happening again?
Sadly, there’s no magical tool that can make you 100% safe. But there are some security measures you can take to protect yourself.
Step 1: Understand How Hackers Break Into Accounts
If knowing is half the battle (cue the G.I. Joe theme song), then it will pay to gain a basic understanding of how hackers break into Facebook accounts in the first place.
Here are some of the most common tricks we’ve seen hackers use:
Phishing scams.
At some point you’ve probably gotten a spammy email claiming to be from Facebook, Amazon, Paypal, or some other official site. These emails will direct you to a website that LOOKS like the real thing, but is in fact a fake version designed to steal your login credentials.
Email attachments.
Another variation on this is an email with an attachment containing an “invoice” for a purchase you never made. As soon as you open the file, it will execute some kind of malware designed to steal your information.
The take-home point for both of these hacks is to be suspicious of any email that looks even remotely fishy. Check the ‘from’ address to see if it’s really from who it says it’s from.
Data breaches.
Do you use the same email and password for Facebook that you use everywhere else? If so, it’s possible that your login was hacked elsewhere and is now up for grabs on the darknet.
Once a hacker gets hold of your information, they have tools that will automatically test email/password combinations looking for valid logins to other websites (like Facebook).
You may want to use one of these services to be alerted if and when your email comes up in a data breach:
https://breachalarm.com
https://haveibeenpwned.com/
Step 2: Up Your Password Game
Security 101: have a good password. It’s simple, but important.
You also should CHANGE that password intermittently.
And as you just learned, hackers can steal your information from less secure sites and use that information to break into more secure sites (like social media, email, even bank accounts). That’s why you should also AVOID using the same password for multiple websites.
Step 3: Remove Any Admins Who Don’t Need Access
This is just good security hygiene: don’t give access to people who don’t actually need it. The more people who have access to your account, the more possible places where you can get hacked.
And if you need to add someone temporarily, make sure to REMOVE them when they’re no longer needed. This will help minimize unwanted access to your account.
If we’d taken just this one precaution, it would have prevented the whole fiasco from happening in the first place. ?
Step 4: Keep an Eye on Your Apps
Just like users, apps or integrations are another potential entry-point for hackers. And just like users, this is an area where you want to pay attention and avoid giving access to apps or integrations you don’t need.
To review your apps, just click “Apps” in your Business Settings:
Step 5: Turn on Two-Factor Authentication
Turning on two-factor authentication is one of the easiest and most effective things you can do to protect your personal account from unwanted access. Because with this setting turned on, even if a hacker manages to steal your login information, they still can’t get access to your account without also having your phone.
Word on the street is that Facebook may be making two-factor authentication mandatory. But you’ll do well to stay ahead of the curve and enable this feature right now.
Here’s how to do it—and remember, this is done in your personal Facebook account (not your business manager):
- Click the menu button in the upper-right
- Click “Settings & Privacy”
- Click “Settings”
Once you’re on the settings page, here’s where to find the setting:
You can choose to authenticate with a text message or with an authentication app like Google Authenticator or Authy.
Step 6: Require Two-Factor Authentication in Business Manager
As we said, two-factor authentication is a great security measure. But it’s something you turn on in your personal settings, which means you can’t automatically turn it on for your other Admins.
But in the Business Manager, you can require that people with access to your page turn this setting on in their account.
To do that, go to Business Settings and change the setting here:
This is another easy step that can dramatically increase the security of your account.
Step 7: Be Proactive & Craft a Security Policy
So far, all the steps we’ve laid out have been very specific things you can do to help beef up your account security.
But they’re not a magic bullet.
Even if you take all those steps, there’s still a possibility of someone hacking into your account through some other method.
The best advice we can give is to be proactive. Foster a culture of security and create systems designed to make people feel responsible.
If you can encourage your team to take an extra few seconds to think about security anytime there’s a change in your account—such as adding a new admin or integration—that will go a long way in helping to minimize risks now and in the future.
So how do you actually DO that?
We suggest crafting a security policy and having your team sign it.
To be clear: the idea here is NOT to hold people liable if something goes wrong.
(After all, someone getting hacked is not the victim’s fault.)
Instead, the idea is just to get your team thinking about security and taking it seriously. Make sure they understand why this is important and how much of an impact it can make, and get their buy-in to help keep your business protected.
After all, our account was hacked and the person managed to spend $4,006 in 46 minutes. But imagine if we hadn’t caught it right away. Imagine if it had gone on for a few days or even longer before somebody noticed.
When you think about it that way, you can see that investing a little time and attention in security is a really smart move and a no-brainer for any business.
