Very early this morning my Facebook account was hacked.
If you want to click the three dots and hit ‘Find support or report’ to report my account, that would be lovely.
But in case you’re seeing this after the fact or have just searched the internet to figure out what you should do because this just happened to you, read on.
- Make sure you have two-factor authentication turned on. Note: I did and my account still got hacked but I think having it on the account allowed me to go 17 years without this happening. Still not sure how this person got in, which brings me to…
- Ideally, when you set up two-factor, authenticate with a phone number or email that isn’t publicly visible. It’s difficult to fake a phone number or email when you aren’t sure what it’s supposed to be. This could be a random backup Gmail or a Google Voice number. I think this person got in because they figured out my business phone number and somehow spoofed that but it’s just a theory.
- Use unique passwords and keep them in an encrypted system like 1Password.
Ok so maybe like me, you did all three of these things and this still happened. Here is what I did upon learning at 7 AM that my password was hacked at 4:30 AM.
- I texted all my active clients to let them know to take me off their Facebook as a user.
- I exported everyone’s email that I’ve ever invoiced and sent them a message about what happened, how to take my account off their pages, and what to check for with links to resources. I also offered to help for free to solve any issues that arise as a result of this breach.
- I cancelled all my credit cards, even my personal ones just to make sure they weren’t somehow saved in ads.
- I asked my friends via text to report my account as hacked.
- I posted updates to other social media that this happened and asked people to report my account and/or make sure if we had ever worked together that I was off as an admin or similar on their Facebook page.
- I submitted a support email to my Meta ad account contact. Note: If you run ads on a regular basis, chances are you’ve had a Meta ad rep slide into your emails to try to help you with ads. Reply to that email address going to a human; it’s worth a shot.
- I reported my own profile as hacked.
- I began the paid verification process on Instagram so this won’t happen again.
And now, it’s just a waiting game as I watch ad receipts from Meta pour in without being able to turn them off and worry about the clients I am not hearing from.
Here is what I plan to do going forward whether I have to open a brand new Facebook account or regain access to my existing account (which could take days or never happen at all):
- I am going to delete any former clients once work completes from Meta Business Suite (or tell them how to delete me if I don’t have enough access to delete myself). I used to keep accounts because some people call us with occasional issues even if we don’t actively manage their social media on an ongoing basis. Now the only accounts we will have access to in any way are the ones we are actively working on.
- I am going to change my authentication to a secret email or phone number.
- I will offer a service to clients where we can draft the content and send it to them to post directly.
- I will only get admin access to any client account temporarily to set up things like ads or pixels, then I will have them immediately downgrade my account.
- I’ll make the call about setting up a new account in the next couple days if this account can’t be recovered.
It’s really tempting when something of this magnitude happens, especially when it affects other people, to try to fix it quickly, but when time is of the essence, letting people know sooner rather than later is the better option. One of my clients found a weird hidden ‘partner’ ad upon checking his settings, and once he deleted me he was able to delete the ad.
In short, I don’t wish this version of online hell on anyone but I hope this post out in the ether helps someone who is either going through this or worried about going through this. Onward and upward!