How Your Facebook Business Page Got Hacked


1. You allowed unsecure or compromised apps (applications) access to your personal Facebook page (and, through it, your Business page). These can be old, outdated Business page add-ons that are no longer supported by the developers or by Facebook, or they can be malicious applications that deliberately want to gain access to your account.

 

2. You had an employee or used an external company, and you gave them full access to your Facebook business page. You had a falling out with them or fired them, and they kicked you off your Page as an administrator and then compromised your Page or deleted the Page.

 

Reason One (more information) and what to avoid.

You should give as few external applications as possible access to your Facebook account (and, through that, your Business page). Most people grant app access in a variety of ways, such as to play Facebook games or to take silly quizzes (please do NOT do this!). Many of these apps are purposefully malicious or easily compromised, and through them your account can be compromised.

 

The other way to be compromised is to log in to external sites using your Facebook account. Zoom, for example, gives you the option to log in with Facebook; it also gives you the option to log in with your Google account (please DON’T do this either, it’s even worse). Always create a new account using your email address and a unique password; don’t ever connect social or Google apps. Some newspapers and blogs offer social sign-in and Google sign-in options as well; please create a unique account with these platforms. If an external account gets hacked or compromised, so can any accounts it has access to from the back end.

 

If your account was compromised through an external application, changing your password in Facebook does not stop the hack; you need to remove the app at fault and then change your password. (I always recommend disconnecting everything, then reassessing and reconnecting later if there is an app you need.)

 

See the link at the end for how to access where your app access is located so you can check and disable them.

 

Reason Two (more information) and what to avoid.

 

The only people with “full” access to a Facebook business page should be the owner and at least one additional person whom you implicitly trust: a spouse, a business partner, or your BFF from grade school.

 

Why have that? What happens if your personal account is hacked or you get locked out of Facebook, either temporarily or long-term? Facebook has no support system per se, no phone number to call for help, and the only way to “sometimes” get them to respond is multiple support requests, and I mean dozens of them. Sometimes…….

 

Giving an employee, manager, or external company full access to your Facebook page can be a recipe for disaster. If you do, please make sure you trust them! I could tell you countless horror stories about employees or managers being fired and still having access to a page. You can guess what happens from there. I know one marketing company in New England that had a tiff with a tourism group about seven years ago, and they deleted the tourism group’s Facebook page, which had over 6000 followers. Facebook will not restore a deleted page if you don’t have access to it as an administrator. And now, with the New Page Experience, it looks like it can’t be restored at all.

 

Anyone helping with a page can get more limited access (which means they can’t delete the Page or add or remove admins).

 

Currently, most pages still have multiple levels of access:

  • Admin: Can manage all aspects of the Page. They can publish and send Messenger messages as the Page, respond to and delete comments on the Page, post from Instagram to Facebook, create ads, see who created a post or comment, view insights, and assign Page roles. If an Instagram account is connected to the Page, they can respond to and delete comments, send Direct messages, sync business contact info and create ads. This person can manage everything you can, including the ability to give access to others, remove anyone from the Page (including you) or delete the Page.
  • Editor: Can publish content and send Messenger messages as the Page, respond to and delete comments on the Page, create ads, see who created a post or comment, post from Instagram to Facebook, and view insights. If an Instagram account is connected to the Page, they can respond to and delete comments, send Direct messages, sync business contact info and create ads.
  • Moderator: Can send Messenger messages as the Page, respond to and delete comments on the Page, create ads, see who created a post or comment, and view insights. If an Instagram account is connected to the Page, they can respond to Instagram comments, send Direct messages and create ads.
  • Advertiser: Can create ads, see who created a post or comment, and view insights. If an Instagram account is connected to the Page, they can create ads.
  • Analyst: Can see which admin created a post or comment and view insights (i.e., statistics).

 

The “NEW” Facebook Page Experience:

People with Facebook access

  • Content: Create, manage or delete posts, stories, and more as the Page.
  • Messages: Send and respond to messages as the Page.
  • Community Activity: Review and respond to comments, remove unwanted comments and report activity.
  • Ads: Create, manage and delete ads for the Page.
  • Insights: See how the Page, content and ads perform.
  • This person can manage everything you can, including the ability to give access to others, remove anyone from the Page (including you) or delete the Page.

Some other actions still seem to be in a bit of flux, but you can now control a bit more than you could last year. Last year it appeared that anyone with full access had full control of everything and you couldn’t change it; now it appears you can set access levels with “Facebook Access”, and they have added some additional options.


Task Access:

  • Community Activity: Review and respond to comments, remove unwanted comments and report activity.
  • Messages: Respond to direct messages as the Page.
  • Insights: See how the Page, content and ads perform.
  • Ads: Create, manage and delete ads for the Page.

Community Managers:

  • Community managers can moderate chat comments, suspend or remove people who violate community standards and see all admins of this Page.

 

As Facebook continues to make changes to the “New” Facebook experience, I would make a note to keep checking access levels and who has access to what. When the changes first rolled out last year, anyone who had any kind of access level to a page automatically got bumped up to “full” access. It appears (I hope) that they have fixed this and added additional levels and options, which is great.

 

What is not so great is that anytime Facebook makes a change, especially to options in the administrative section, they don’t tell anyone about it. I’ve been tracking the changes with the roll out to the new format since last year, and as usual, anytime a minor (but sometimes very important) change is made to business pages, they don’t make any kind of point of informing users about it.

 

Even worse, it appears they have now totally removed the holding period for deleting a page (definitely moot if you don’t have access to it anyway, but….). In the old version, you had 14 days to restore the Page in case you changed your mind. After that, your Page was permanently deleted.


Old Page Version

In the new version it looks like once it’s deleted, it’s gone. 


New Pages Experience Version

While it’s a lot harder to actually dig down to where to get to delete the Page in the new version vs. the older version, this is still NOT a good thing. So please stay on top of your access levels!

 

Tied into this: you think your personal Facebook account got hacked because you started getting reports from your friends that you were sending weird requests or odd messages to them.

 

There is a huge number of fake Facebook accounts, far more, I think, than Facebook will ever admit to. With the fake accounts, they take the name of someone, create a new account, and then take the profile picture and header image from the person they stole the name from and use them on the fake account.

 

They then target your friends (because your friends list is open to anyone logged into Facebook) and start sending them friend requests. Many people accept the request because they see a name and photo of someone they recognize, so they don’t necessarily remember whether they were already connected and hit accept. This is the way these fake accounts spread. Most people automatically assume they have been hacked, panic, and change their password. No, folks, your account has not been hacked; it’s been cloned. Have friends report the fake profile ASAP. You need to lock down your friends list and also be very aware of what you post.

 

How can this hack your business account? It usually doesn’t directly, but it can lead to identity theft of both your information and your friends’ information, and an awful lot of people have gotten scammed by these accounts, both identity-wise and financially.

 

And I do know two businesses whose employees had their personal Facebook accounts cloned. The fake accounts messaged the owners of the business pages they worked for, and the business owners granted the fake accounts access to the business page, thinking they were the real employees, and then ended up with hacked pages and deleted pages. One more reason to limit access in the backend of Facebook.

 

Locking down your friends list and, near the end (because it’s in the same section), how to see which apps have access to your personal account (and, with that, your business account).

 

Data Mining Social Media Profiles for Customer Personas

Last week I ran an online workshop about how to create a customer persona. As part of the workshop, I touched on how businesses can use the power of social media to data mine social media profiles for information, and I wanted to elaborate on it a bit.

 

The internet is a very scary place, and I don’t think people truly realize how much information is out there for public view.

 

A perfect example of this: every year when we lived in CT, I used to run a class for the Middlesex Library, which had a jobseekers program, Social Media for Jobseekers.

 

Every year I would talk about how much information was out there online, with just a bit of Googling, for HR, for companies, and for recruiters to see without even digging that hard or violating any privacy.

 

In every group, I’d get at least one skeptic: “You can’t find anything out about me; I’m not on any social media channels!!!!”. And I would have them give me their name, the town they were from, and nothing else. I’d say, “Give me a minute on Google, please.”

 

“So, ‘Bill,’ you are a long-time member of Rotary, you went to UCONN and studied meat science, you like fly fishing, and you are extremely unhappy with the customer service at XYZ brand. You love to order dog toys from Chewy, and you coach your middle school daughter’s soccer team. That’s only page one. Would you like me to continue?”

 

Now put that information into a persona (that’s not even including social media data mining), and that’s not even digging very hard.

  • Rotary Member (likes to give back to community and volunteer)
  • UCONN graduate (large college with an extensive alumni network)
  • Meat Science Degree (probably currently works or formerly in the food business, probably wholesale)
  • Likes flyfishing (outdoors person, likes to spend time alone (supposition); passionate about it, as I found multiple flyfishing forums he belongs to)
  • Shops at XYZ brand quite a bit.
  • Does not like bad customer service (15 bad reviews about it, 40 good reviews about positive customer service experiences)
  • Has a dog or dogs
  • Has at least one child (A daughter who likes to play soccer)
  • He probably purchases soccer apparel for his daughter, who is in middle school and does not have the funds to purchase them herself.

 

Now how much more can you dig out just going past page one?

 

Now, let’s see what we can dig out on Social Media. A goldmine, actually many gold mines on top of the one Google gives you. Facebook is a wealth of information, and sadly (but good for businesses), not everyone has their profiles completely locked down.

 

I’m going to use a friend as an example; I looked at her account through the account of someone she is not friends with to see what information is public to someone logged into Facebook.

 

I can (publicly/logged into FB but not friends with her in this case) see that she is a creative writer, a former reporter at a local paper, she studied communications at XYZ university, she studied “partying” at another university, she went to ZYX High School, she’s married, and she currently is a costume theater designer and likes renaissance fairs (including making costumes for ren faires).

 

She also has some posts not set to “friends” only; she likes brewpub hopping with her husband and a large pool of friends. And she’s a board game addict.

 

She is from New Jersey, currently lives in Pennsylvania (Town specific), and moved there about 30 years ago.

 

She is also on Instagram (Insta handle provided), and she posts daily on Facebook but only about once a week on Instagram (so Facebook would be a good target for her, but probably not Instagram). I have no idea if she is on Linkedin or Twitter (because I haven’t looked yet).

 

She identifies as female, a Gemini, her religious views are Buddhist, and her political stance is Progressive. She frequently shares political posts from her husband, who is clearly not a republican or a fan of a past president.

 

I can also see where she’s checked in on Facebook: breweries, bookstores, national parks, cosplay conventions, ren faires, theaters, Indian restaurants, etc.

 

I can see what kind of movies and TV shows she has indicated she likes, as well as books and a whole lot more information.

 

I used a fictitious button company (The Button Store, over 5 Million Buttons!) as the business that would be building a persona based on my friend.

A real persona, if you were going to do one for a company, would include a lot more research on people and a lot more data mining of other profiles, but I wanted to use this as an easy example.

 

Let’s move on to the other social channels: Linkedin also has a lot of information, not just in people’s bios, but what groups they belong to, what interests they have, their backgrounds, who they are connected to, and what they post about.

 

Instagram and Twitter (I’m not going to include TikTok because of the primarily younger audience, and I wouldn’t UNLESS that was your target market) don’t have as much information at first glance to glean.

 

But you can tell who they are following, who is following them, generally if they have other social accounts, where they live, how often they post, what they post about, and in Twitter’s case, what they repost and who they converse with, etc. You can find some of that on Instagram, but it doesn’t have the native reposting option that Twitter does.

 

While this may seem a bit creepy, big companies do this all the time, and nothing stops a small business from using the same data mining techniques. It’s just time-consuming; you are looking for information that is already public.

 

For small businesses and anyone who uses social media, I would VERY much encourage people to look at what they post and the specifics of what people can see. Google yourself, too; it’s always eye-opening.

 

I’m not going to go on a rant about locking down everything again (done that enough in the past), but please be cognizant of what’s out there.

 

From a small business perspective, if you want to make accurate customer personas, set aside 5 or 10 minutes a day, do some Googling, check out some social profiles, and compile information. Please don’t do a generic persona; do as many as you need for your business and customize them to suit.

 

Hubspot has some great resources I suggest you check out if you are just starting to create personas for your business. When doing your research, don’t forget to check out people’s reviews on Google, Facebook, Yelp, and Tripadvisor, as well as any other review sources you can find. You can glean a lot about someone from their reviews.

HubSpot Resources
https://offers.hubspot.com/persona-templates
https://www.hubspot.com/make-my-persona
https://blog.hubspot.com/marketing/buyer-persona-research

(The “How to Find Interviewees for Researching Buyer Personas” and “20 Questions to Ask in Persona Interviews” sections are particularly helpful.)

Some additional articles you may find useful
https://www.semrush.com/blog/buyer-persona-examples-beyond-basics/
https://buffer.com/library/marketing-personas-beginners-guide/
https://blog.hootsuite.com/buyer-persona/

 

To use the example of “Bill” from the beginning of the post, good customer service is a sticking point for him. If you were going to use him and, say, 15-20 other people to create a detailed persona, what could you put in your persona to elaborate on that? And how would that make your company stand apart from the competition? Is this a person/persona that would pay more for terrific customer service? Travel further for it? Prefer to use email or phone rather than shop online for it? What can you glean from what people are telling you? Use Google and the social platforms out there to create your personas; don’t just make them up based on what you think should go in there.