How Your Facebook Business Page Got Hacked
1. You allowed insecure or compromised apps (applications) access to your personal Facebook page (and, through it, your Business page). These can be old, outdated Business page add-ons that are no longer supported by the developers or by Facebook, or they can be malicious applications that deliberately want to gain access to your account.
2. You had an employee or used an external company, and you gave them full access to your Facebook business page. You had a falling out with them or fired them, and they kicked you off your Page as an administrator and then compromised your Page or deleted the Page.
Reason One (more information) and what to avoid.
Give as few external applications as possible access to your Facebook account (and, through that, your Business page). Most people grant app access in a variety of ways, such as to play Facebook games or to take silly quizzes (please do NOT do this!). Many of these apps are purposefully malicious or are easily compromised, and through that they can compromise your account.
The other way to be compromised is to log in to external sites using your Facebook account. Zoom, for example, gives you the option to log in with Facebook; it also gives you the option to log in with your Google account (please DON’T do this either, it’s even worse). Always create a new account using your email address and a unique password; don’t ever connect social or Google apps. Some newspapers and blogs offer social sign-ins and Google sign-in options as well; please create a unique account with these platforms. If an external account gets hacked or compromised, so can any accounts it has access to from the back end.
If your account was compromised through an external application, changing your password in Facebook does not stop the hack; you need to remove the app at fault (I always recommend disconnecting everything and readdressing and reconnecting if there is one you need later on) and then change your password.
See the link at the end for where to find your app access settings so you can check and disable them.
Reason Two (more information) and what to avoid.
The only people with “full” access to a Facebook business page should be the owner and at least one additional person whom you implicitly trust: a spouse, a business partner, or your BFF from grade school.
Why have that? What happens if your personal account is hacked or you get locked out of Facebook, either temporarily or long-term? Facebook has no support system per se, no phone number to call for help, and the only way to “sometimes” get them to respond is multiple support requests, and I mean dozens of them. Sometimes…….
Giving an employee, manager, or external company full access to your Facebook page can be a recipe for disaster. If you do, please make sure you trust them! I could tell you countless horror stories about employees or managers being fired and still having access to a page. You can guess what happens from there. I know one marketing company in New England that had a tiff with a tourism group about seven years ago, and they deleted the tourism group’s Facebook page, which had over 6000 followers. Facebook will not restore a deleted page if you don’t have access to it as an administrator. And now, with the New Page Experience, it looks like it can’t be restored at all.
Anyone helping with a page can get more limited access (which means they can’t delete the Page or add or remove admins).
Currently, most pages still have multiple levels of access:
- Admin: Can manage all aspects of the Page. They can publish and send Messenger messages as the Page, respond to and delete comments on the Page, post from Instagram to Facebook, create ads, see who created a post or comment, view insights, and assign Page roles. If an Instagram account is connected to the Page, they can respond to and delete comments, send Direct messages, sync business contact info and create ads. This person can manage everything you can, including the ability to give access to others, remove anyone from the Page (including you) or delete the Page.
- Editor: Can publish content and send Messenger messages as the Page, respond to and delete comments on the Page, create ads, see who created a post or comment, post from Instagram to Facebook, and view insights. If an Instagram account is connected to the Page, they can respond to and delete comments, send Direct messages, sync business contact info and create ads.
- Moderator: Can send Messenger messages as the Page, respond to and delete comments on the Page, create ads, see who created a post or comment, and view insights. If an Instagram account is connected to the Page, they can respond to Instagram comments, send Direct messages and create ads.
- Advertiser: Can create ads, see who created a post or comment, and view insights. If an Instagram account is connected to the Page, they can create ads.
- Analyst: Can see which admin created a post or comment and view insights (i.e., statistics).
The “NEW” Facebook Page Experience:
People with Facebook access:
- Content: Create, manage or delete posts, stories, and more as the Page.
- Messages: Send and respond to messages as the Page.
- Community Activity: Review and respond to comments, remove unwanted comments and report activity.
- Ads: Create, manage and delete ads for the Page.
- Insights: See how the Page, content and ads perform.
- This person can manage everything you can, including the ability to give access to others, remove anyone from the Page (including you) or delete the Page.
Some other actions still seem to be in a bit of flux, but you can now control a bit more than you could last year. Last year it appeared that anyone with full access had full control of everything and you couldn’t change it; now it appears you can set access levels with “Facebook Access”, and they have added some additional options.
Task Access:
- Community Activity: Review and respond to comments, remove unwanted comments and report activity.
- Messages: Respond to direct messages as the Page.
- Insights: See how the Page, content and ads perform.
- Ads: Create, manage and delete ads for the Page.
Community Managers:
- Community managers can moderate chat comments, suspend or remove people who violate community standards and see all admins of this Page.
As Facebook continues to make changes to the “New” Facebook experience, I would make a note to keep checking access levels and who has access to what. When the changes first rolled out last year, anyone who had any kind of access level to a page automatically got bumped up to “full” access. It appears (I hope) that they have fixed this and added additional levels and options, which is great.
What is not so great is that anytime Facebook makes a change, especially to options in the administrative section, they don’t tell anyone about it. I’ve been tracking the changes with the roll out to the new format since last year, and as usual, anytime a minor (but sometimes very important) change is made to business pages, they don’t make any kind of point of informing users about it.
Even worse, it appears they have now totally deleted the holding period for deleting a page (definitely moot if you don’t have access to it anyway, but….). In the old version: “You’ll have 14 days to restore it in case you change your mind. After that, your Page will be permanently deleted.”
In the new version it looks like once it’s deleted, it’s gone.
While it’s a lot harder to actually dig down to where to get to delete the Page in the new version vs. the older version, this is still NOT a good thing. So please stay on top of your access levels!
Tied into this, you think your personal Facebook account got hacked because you started getting reports from your friends that you were sending weird requests or odd messages to them.
There is a huge number of fake Facebook accounts, far more, I think, than Facebook will ever admit to. With the fake accounts, they take the name of someone, create a new account, and then take the profile picture and header image from the person they stole the name from and use it on the fake account.
They then target your friends (because your friends list is open to anyone logged into Facebook) and start sending them friend requests. Many people accept the request because they see a name and photo of someone they recognize, so they don’t necessarily remember if they were already connected and hit accept. This is the way these fake accounts spread. Most people automatically assume they have been hacked, panic, and change their password. No, folks, your account has not been hacked; it’s been cloned. Have friends report the fake profile ASAP. You need to lock down your friends list and also be very aware of what you post.
How can this hack your business account? It usually doesn’t directly, but it can cause identity theft of both your information and your friends’ information, and an awful lot of people have gotten scammed from these both identity-wise and financially.
And I do know two businesses whose employees had their personal Facebook accounts cloned. The fake accounts messaged the owners of the business pages they worked for, and the business owners granted the fake accounts access to the business page, thinking they were the real employees, and then ended up with hacked pages and deleted pages. One more reason to limit access in the backend of Facebook.
Locking down your friends list and, near the end (because it’s in the same section), how to see what apps have access to your personal account (and, with that, your business account).