We live in a digitally connected age, with advanced online tools to manage our finances, social lives, and businesses. With these conveniences come a seemingly endless array of security issues, ranging from full-on identity theft, to temporary hacks of social media and email accounts.

It’s easy to feel like there’s nothing we can do to be truly secure online, especially when you consider the increase in cyber threats, including recent hacks of US Government data and social media accounts, and the corporate hacking scandal at Sony Pictures. If these large companies and institutions are falling victim, is it really possible for an individual to be secure?

As with anything that is startlingly scary, sometimes it’s tempting to ignore these issues than take action to make things as secure as possible. Recently, a friend had his personal social media hacked, which led to a big headache for his business. This incident really has me thinking hard about the potential issues with Facebook security, especially regarding my own accounts, and the accounts of my employees and our industry in general.

Case Study: Facebook Hack of Romantic Asheville

In early June, I received an email from my friend, Mark File, who operates the highly successful online tourism website, RomanticAsheville.com. Mark’s Facebook page had been hijacked. What started with the hack of his personal profile quickly led to a total loss of control over the business page for his website. His business page has around 50,000 fans and – thanks to his effective use of viral posts and consistent sharing of valuable tourism information and resources – it has been responsible for hundreds of thousands of visits to his website over the last year.

Within hours of the hack, he no longer had access to his business page (yes, you read that correctly). He lost all control of the page and could not sign-in to the account. To make matters worse, his page began posting automated content every hour on a variety of click-bait topics, some of which included very distributing content like violent acts perpetrated by the Islamic State, sexually suggestive posts, and even a post exploiting sexual violence against women. Not only was the content posted automatically (with very little immediate recourse available), but anyone who posted on the page against the hack was quickly banned by the hackers who were then controlling the page.

The security vulnerability that allowed this to happen centers around the controls available to page admins, allowing them to easily add and remove other admins from the pages that they manage. In gaining access to Mark’s personal page, the hackers were able to add themselves as an admin under the guise of a different personal profile. They could and then did remove Mark and any other existing admins from the page. Recovering his personal profile page was fairly easy: Facebook quickly detected the suspicious behavior occurring there. On the other hand, getting his business page back was a much longer process that also resulted in a significant amount of lost traffic on his website.

Getting a Hijacked Business Page Back – Mark File’s Story

I recently interviewed Mark to discuss his experiences. Here’s his story (plus some useful additional information that we’ve added in parentheses.)

How was your page hacked?

I received a very official-looking message from Facebook via my RomanticAsheville.com Travel Guide business page. Foolishly, I was in a rush and did not take time to investigate it. The message referenced their initiative to reduce fake likes and asked to verify my page. I clicked the link to a “Facebook” page that asked for my username and password. Because I’ve entered my password for other Facebook requests, I entered my info. Since I was traveling, I did not check my email again for eight hours. During that time, the hacker had taken my personal profile, changed my name, birthday, email and password. Plus, the hacker removed me from administrative rights to my business page. Facebook sent several emails about changes to my account, but I did not see them until all the damage was done.

What steps did you take to communicate with Facebook after your page was hacked?

In the emails that Facebook sent concerning changes to my account, there was a link to regain my personal page. Since I had access to the phone number and email address attached to my account, I could easily regain access to my personal account through a series of verifications. After that, I was stumped at how to get my business page back. I looked and looked for info in Facebook support, but most of that info was about personal accounts. (https://www.facebook.com/help/131719720300233/)

What did the hacker do?

The hacker immediately started spamming the page with controversial posts that included links to shady websites to “read the full article” about every hour. My followers quickly started to complain and tried to warn others about the hack. The hacker banned many of those users. Followers also reported the page to Facebook. This continued for almost three days.

1Above: Page growth (and fan loss) during the page-hijack period. The page lost over 1000 fans in 72 hours after the hijack, and added 0 new fans during the 30 day hijack period.

How was your experience with Facebook regarding the recovery of the page?

Fortunately, while logging back into Facebook the next day, I received a dialogue box asking if I lost control of a business page. This lead to a form where I could report a “hacked page.” I completed the short form, which created a case ticket in support. I received an automated, generic reply immediately. Facebook took down my page after three days. I’m not sure if it was from my requests or the many reports of the hack by my fans.

How long did it take for you to get your admin rights back for your page?

Exactly one month! I did not get a response from Facebook support for one month. It was great to read “your administrative rights have been restored”. The hacker had changed the URL of my business page, so I sent a follow-up request to change the URL back to the original name. That was corrected in less than a day.

Have you made any security changes on your personal profile since this hack happened?

Many! I turned on the “login approval” option, so now I’m asked to enter a security code every time I try to access my Facebook account from a new computer or device. I also added three “trusted contacts” that I can reach out to if I forget my password or can’t access my email account in order to reset my password. (More info on these added security measures: https://www.facebook.com/help/413023562082171.)

Did you see any traffic decrease on your site during the period where the page was hacked or offline?

Yes, about 10% of my referrals are from Facebook and most of that is from my business page. Fortunately, during this time, I was able to see traffic totals via links to my website posted on other Facebook pages and was pleasantly surprised to see that!


Graphic showing reduced website traffic from Facebook during the page-hijack period.Above: Reduced website traffic from Facebook during the page-hijack period.

Has the page been performing well since you got it back?

I was so lucky that the hacker did very little permanent damage to the page. All of my previous posts and photos were there. All I had to do was remove the spam posts and unban the many followers (who were trying to warn others about the hack) that the hacker banned. Also, I still had many messages from followers during the first few days following the hack, so I was able to respond to them when I regained access to my page (so they would know to re-follow the page). Immediately, the views for my posts were almost to the levels of before the hack. I lost about 1,000 followers (out of 47,000), but I regained most of them during the first week back.

Anything else that you would like to share about this experience?

First of all, I was completely overwhelmed with so much support from my followers. Thanks to all of them! Also, this experience was a great reminder that Facebook is a great communication and branding tool for my RomanticAsheville.com Travel Guide; however, it’s just one of many strategies to focus on. During the month without Facebook, I gave extra attention to my other marketing initiatives. While the other initiatives don’t provide the immediate reward of seeing all those likes and shares, they are just as important, if not more. I revisited all social media channels, worked on blogs, tweaked SEO and upgraded my email newsletter.

Tips on How to Avoid a Facebook Business Page Hack

I’m currently an admin of nearly 50 Facebook business pages, including several with hundreds of thousands of fans. Because this hack happened so close to home, I began thinking hard about what I need to do for my company to ensure that this does not happen to us.

Facebook.com offers three steps you can take to protect your business page.

1) Enable Login Notifications

You can set up notifications so that whenever anybody (like a hacker!) tries to login with your User ID and Password, you receive a notification on your cell phone. If you get a notification of an unauthorized login, it’s time to change your password right now because the hacker has got your password and is trying to get in to your Facebook Account.

Here’s how:
Go to Home -> Account Settings -> Security -> Login Notification. Put a check mark on your preferred option and click Save Changes button.

Go a step further: For the strongest protection, at JB Media we recommend that you enable Login Approvals which require a text message confirmation code for all logins on new devices. This is the single best step you can take to secure your profile and attached business page.

2) Always check your Active Sessions

If you notice any unfamiliar locations or device, it means your Facebook Account is at risk. Just click on End Activity and don’t forget to change your password after that.

Here’s how:
Go to Home -> Account Settings -> Security -> Active Sessions.

3) Enable Secure Browsing

This is one more way to secure your account.

Here’s how:
Go to Home-> Account Settings -> Security -> Secure Browsing.

While the dangers of hacking can seem overwhelming, in fact, these simple steps are effective ways to keep your Facebook business page secure. If you’d like to learn more about social media management or any other aspect of Internet marketing, the JB Media Institute has in-person and online sessions starting soon.