If you’ve been locked out of your main Facebook account and/or your Facebook Business Manager due to a hacking incident, you’re certainly not alone.
Over the years, my social media and email inboxes get flooded on a regular basis with folks seeking help with lost access, often due to hackers. Sadly, Facebook’s own support is infuriatingly difficult/impossible to get any resolution for the vast majority of users.
BUT, there is hope, my friend!! After recently experiencing a hacking incident myself, I’ve put everything I know about retrieving and securing your account into this post. And, I’m doing my level best to get Facebook to tighten up its security settings AND customer service!!
If you don’t have a hacked account, there is much you can do to absolutely lock down your Facebook personal and business presence.
Click any topic to jump down to that section. In this comprehensive post, I cover the following:
- Is there a vulnerability inside Business Manager?
- Scam ads – examples
- Hackers (from Vietnam?) wreaking havoc
- $20,000 in scam ads
- Look for these red flags
- How to get your hacked Facebook Business Manager back
- How to get your hacked Facebook Account back
- Paid third party services – are they legit?!
- How to secure your Facebook personal profile
- Best practices to protect your Facebook business Page
- How to secure your Facebook Business Manager
- Are Business Suite and New Pages Experience more secure?
I don’t work for Facebook and never have, despite folks thinking I do. I run my own corporation and have been the top Facebook marketing expert since 2007. Yes, I have independently contracted with Facebook on many occasions between 2015-2018 for the Boost Your Business multi-city tour and co-creating Blueprint curricula, among other projects.
Yes, I do have high level contacts at Facebook. But, alas, I’m unable to pull in favors for the literally thousands of folks who reach out for support. Besides, Facebook is incredibly siloed. 🙁
Seriously, my heart breaks for anyone whose business (or personal life) is heavily impacted by the loss of access to a Facebook Account, Business Manager or Ads Manager.
I’m always astonished by how many people fall prey to hackers gaining access to their social accounts, almost always because of a lack of taking the proper security measures. (Details on proper security steps are listed in sections #9, 10 and 11 below).
However, my astonishment turned to myself recently when MY OWN FACEBOOK BUSINESS MANAGER GOT HACKED. Serious wtf moment. Yes, I had every security setting properly configured to the max. As did my other Admins.
So, what the heck happened?
(I did manage to regain full control of my Facebook Business Manager and Ad Account within 48 hours. See section #6 below for similar help with this issue).
1. Is there a vulnerability inside Business Manager?
Certainly, securing your PERSONAL Facebook Account should be a cinch, predominantly via 2FA: two-factor authentication via text or an authenticator app. More on that in section #9 below.
But, how can a hacker gain access to Business Manager? Well, somehow they first add themselves under your Users > People settings. This should create a notification to Admins that the hacker is showing as a ‘pending user.’ If this happens, you would immediately cancel their request and lock everything down with changed passwords. (More steps in sections #9, 10 and 11 below).
This screenshot shows a hacker attempting to add themselves to a Business Manager. Invariably, the email address might look somewhat legit… or it might look like garbage. In this example, there really is a supportfacebook.com domain. It’s owned by Facebook and redirects to their Help Center. So, the hacker is trying to look like they are coming from Facebook.
In my research, it turns out there was a significant security issue in Business Manager some five years ago. A cyber security expert uncovered the exploit and was apparently rewarded a $16,000 bounty.
2. Scam ads – examples
The bad actors that got into my own Business Manager did craft two random scam ads and try to run them.
Thankfully, Facebook’s AI kicked in and promptly shut down my Ad Account before any money was spent. Honestly, this is the one time we actually WANT Facebook’s AI to act promptly and shut down your account.
The above image shows the notifications for two scam ads in my own Ad Account. (Neither ad actually ran, thankfully. As mentioned above, the AI caught them and temporarily shut down my Ad Account).
By the way, notice the third notification in my screenshot above – “Tolo Tv ?? blocked your video…” – this was yet another big red flag for me this day. Why? Because the video this Page reported was my own livestream (via Zoom) into a PRIVATE Facebook Group. Wtf? How on earth can a public Facebook Page even get access to a video inside a private group they have not joined? The content was entirely my own coaching.
Fortunately, I was able to dispute the copyright claim and Facebook accepted it a week later. But, during that week, the video was not available in my group. Crazy.
3. Hackers (from Vietnam?) wreaking havoc
I did some significant research in preparation for this blog post on the two Pages that attempted to run ads from my account, and I discovered a vast number of hacked Facebook Pages with scam posts, many of which are/were running scam ads as well. All Pages have a variation on the names.
It seems there is quite a ring of scammers out of Vietnam. Or at least purporting to be. (And, this has been going on for some time – the person on this Reddit thread experienced a very similar situation a year ago).
Searching Facebook for the first part of the “Winona” Page name showed me an ACTIVE ad from the same Page – likely running from someone else’s hacked Ad Account. See screenshot below – the video in the ad had millions of views:
And, for the second ad in my Ad Account – run by a Page called “Trung Tâm Hoa Giong Quoc Gia” (Vietnamese for “National Flower Seed Center”) – I came across a LARGE NUMBER of variations of this name as active, recently hacked Facebook Pages.
One quick glance at each Page Transparency section and we can see that the hackers changed the Page name – significantly.
This makes no sense to me how these scammers are so easily able to take over a page and change its name so radically. Historically, it’s often extremely challenging to change a Page name even moderately. Here’s an example I came across in my searching:
The First Baptist Church of Jackson actually has been able to regain control of their hacked Facebook Page, thankfully.
BUT, it’s shocking to me that Facebook is not being responsive about helping this church revert back to its proper name, per this post…
UPDATE: just before I published this blog post, I checked back again and thankfully, on October 20th (11 days later), the team at the First Baptist Church of Jackson got their Page name back. Hurrah!
It’s really tragic that Facebook doesn’t have a significantly more effective system in place to prevent such bad actors wreaking havoc.
4. $20,000 in scam ads!
My good friend, live video expert Molly Mahoney experienced a very similar Business Manager hacking last month where the scammers were somehow able to add themselves to her account. Then, they quickly racked up a whopping $20,000 USD in scam ads before she knew it.
Molly has been able to recoup most all of the money, and get some semblance of resolution. But, it’s not fully resolved and she’s still dealing with the aftermath. She’s only received rather scant support from Facebook.
And, right around the same time period, fellow social influencer Adryenn Ashley had a big hacking experience. The bad actors took control of a large number of Facebook Pages she administers, including her own blue-check verified public figure Page, which she has still been unable to regain control of, despite following all the steps and speaking with her Facebook reps. 🙁
Also, in my research, I emailed my subscribers to get a sense of how commonplace hacked Facebook Accounts and Business Managers are. I was amazed to receive dozens upon dozens of replies all with very similar stories. Some fellow Facebook Page Admins – and agencies – had the exact same experience: scammers out of Vietnam gaining access to Business Manager and, in some cases, racking up large sums of ad spend.
5. Look for these red flags
Okay, so let’s switch gears and get proactive. In the following sections I will describe everything I can to help you if you’re facing a similar situation.
For starters, ANY and all suspicious activity whatsoever should be careful monitored and acted upon. Between yourself and all other Facebook Page Admins*, definitely keep a close eye on your Notifications, whether you receive these on Facebook, via email and/or via SMS. If your Notifications preferences are not enabled properly, go in to your Page Settings > Notifications.
*EVERY Facebook Page should have at least TWO Admins, each with full 2FA (two-factor authentication) – more on this in section #10 below.
If you use Business Manager or Business Suite, definitely review your Notification Settings on those tools as well. Go to Business Settings > Notifications.
POSSIBLE RED FLAGS INCLUDE:
- Someone you don’t recognize has been added to your Ad Account (or is showing as Pending)
- Someone you don’t recognize has been added to your Business Manager (or is showing as Pending)
- Your Admin role gets demoted to a lesser role in Business Manager (you may or may not receive a notification)
- You lose Admin access entirely to your Facebook Page – in this instance, Facebook should send you a notification and/or email (such as they did in Adryenn‘s case)
- Any activity in your Notifications that looks suspicious
- An unrecognized login alert notification/email from Facebook
- A password reset code email from Facebook that you didn’t trigger
- Friend requests are being sent out to people you don’t know
- Posts you don’t recognize have been published to your wall
- A new ad is running that you don’t recognize
- Your Ad Account suddenly gets deactivated
- Direct messages in your personal inbox or business inbox asking you to click on a link. Be careful!
- Even if the message comes from someone you know it’s possible that their account was hacked and you’re getting a scam/phishing message.
- Often the message is along the lines of ‘Hey, is this you in this photo/video?’ – do not click!!!
- Emails asking you to click on a link that you’re uncertain about – be extremely careful of phishing attempts where the scammers end up stealing your login credentials.
- Anyone offering you money (via DM) to advertise on your page. They will meet with you on Zoom to walk through the ‘approval process’ where you would inadvertently reveal a backdoor link to add an admin. (This is what happened to Adryenn Ashley; she states, “FB should make this linked masked so you can see that you are about to reveal a back door link.” Yikes).
- One more possibility is attempting to connect with you via the Collabs Manager (inside Facebook’s Creator Studio). In all the years Facebook has had this feature, I’ve rarely seen any actual compelling offers. I do see a ton of invitations in my own Collabs Manager, but they are invariably for low or no fee so it’s a giant #ignore from me. Still, there may be occasional decent offers for some folks. Just be careful! The hackers will try any means to get to you.
6. How to get your hacked Facebook Business Manager back
When my own Business Manager was hacked, the scammers ‘demoted’ myself and my Admins to ‘Employee.’ So, even though we lost all Admin features, we could still get access to support.
NOTE: if your Ad Account has been compromised, you may want to immediately contact your credit card company, bank, PayPal etc. to alert them of the breach and potentially cancel the card/payment method as appropriate. Especially if you are no longer able to access the full Business Settings in your Facebook account.
If you still have Admin/Employee access, you should be able to go in to Business Manager and get help.
Click the question mark icon in the bottom left and this opens up the Help panel on the right.
You should see “Contact Support Team” in the middle of the Help panel. Then follow the prompts and you should get a fairly prompt response.
It may be that this Contact Support Team feature is not available inside ALL Business Managers yet. If you don’t see this option, try the alternative solutions listed below.
First, use this form if your Page was hacked and you’ve lost Admin access. Facebook automatically populates this form with any Page it knows you had Admin access to previously and don’t at the moment.
And/or, try the standard Facebook help system for hacked accounts at https://www.facebook.com/hacked.
Then, also use any of the following forms, as appropriate:
- Request Review of Restricted Business Account
- Request Review of Restricted Ad Account
- Disabled Payments & Ads Manager
- Request Review of Restricted Page
- My business has lost access to our app
- Troubleshoot Unrecognized Activity on Your Ad Account
- See also my own Directory of Facebook Contact Forms
Facebook used to offer access to support via Chat for all Advertisers and Businesses on the Business Help Center. Then that support changed to only ‘Media, Publishers or Public Figures‘ for ‘Special Support’ where you can send an email. There is a Messenger Chat that is almost permanently grayed out (at least I haven’t seen it active – but maybe it only shows active for those specific Page types, seeing Facebook knows everything).
If you can’t find the Support option INSIDE your Business Manager, this Business Help Center option is definitely worth trying.
If your Facebook Ad Account was hacked, follow some of these same steps above. See also my friend Ezra Firestone at Smart Marketer for his team’s experience with a hacking incident last year: What To Do When Your Facebook Ad Account Gets Hacked (Like Ours Just Did)
Of course, it goes without saying that if you have a Facebook Account Rep/contact that can help you with any issues regarding a hacked account, then for sure reach out to them immediately. Nonetheless, you may also need to follow several of the steps detailed here anyway if your person is unable to resolve the issue for you.
7. How to get your hacked Facebook Account back
You might find yourself reading this blog post because your PERSONAL Facebook Account got hacked and you’re struggling to regain access.
Although this article predominantly focuses on the business Page and Business Manager side of Facebook, I want to also address personal Facebook Account attacks. Because that is a very vulnerable area if not properly secured. And, invariably, it’s the personal accounts where hackers first gain access. (Unless there really is a security vulnerability inside Business Manager, which I’m convinced there is).
Are you still able to login? If so, immediately go to the Security and Login section and i) change your password and ii) log out of all sessions just as a precaution. You can always log back in (and you’ll need to anyway once you change your password).
If you can no longer login, this means the hacker has changed your password and, unfortunately, probably changed your email address to their own.
Follow the steps on Facebook’s Help Center at How do I secure a hacked account?
Or, go straight to: https://www.facebook.com/hacked
And/or follow the Hacked Wizard guided tool.
Also, ask a few friends if they could please check your profile on Facebook and see if your name or profile picture has been changed. And if the hacker has made any posts on your wall. Ask these friends to report your profile as a hacked account.
If you have not previously verified your ID on Facebook, you may be asked to upload ID. Refer to this section: What types of ID does Facebook accept?
Next, you’ll probably need copious amounts of patience. Don’t give up hope. Try the Hacked form again.
Or, you can try other measures – see section #8 below.
NOTE: if someone has CLONED your Facebook Account and is impersonating you, this is not a hacked account. It’s a separate account and needs to be reported. Here’s how: Go to the imposter’s profile on desktop or mobile, click the 3 dots, select ‘Find support or report profile,’ then follow the prompts from there. I would also recommend that you have a few friends report the imposter profile as well.
8. Paid third party services – are they legit?!
If you don’t hear back from Facebook within a reasonable amount of time, there are all manner of third party services out there that can help. I do not personally know any of them, nor can I vouch for them. However, if you’re in a desperate situation with zero support from Facebook, you might want to explore this avenue. Please be careful, though.
It may be that Hacked.com is a popular service – it’s cited in this recent Washington Post article: Recovering locked Facebook accounts is a nightmare. That’s on purpose. As of time of writing this post, Hacked.com home page shows a ‘half price special’ of $249 for personal accounts. Business Accounts have higher fees. [To reiterate, I have zero knowledge or experience of this site/group or any other like it. You’re on your own with these types of services, so caveat emptor!!]
There may be a whole slew of legitimate third party services out there that offer paid support to immediately recover your hacked Facebook or Instagram account. Some look polished and run full service media agencies. Others look like full on black hat Ninja Warriors operating out of someone’s basement. Ha!
How are they able to gain access to the back end of Facebook and Instagram and ‘flip a switch’ to get your account back? Who the heck knows. I certainly don’t. But, if you’ve exhausted all other avenues and you want to spend the money, then I imagine for a lot of Facebook business users, in particular, it’s worth it.
Sigh. If only Facebook would come up with its own level of service like AppleCare+, I know hordes of us business users would gladly pay. Seriously.
Oh, speaking of paying, some folks cottoned on to the fact they could simply buy an Oculus headset and immediately get customer support from Facebook from a real person. And then, just return the unopened headset. However, that ‘back door’ has been nixed, so it seems.
Anyway, a quick search on Twitter regarding hacked Facebook or Instagram accounts and you’ll likely come across all manner of folks recommending various ‘ethical hackers.’ Many of these folks offering such account retrieval services are active on Twitter, with even more active on Instagram, it seems.
Speaking of Twitter, our friend Matt Navarra stumbled across ads for this third party service…
…and I agree with Matt’s sarcasm here. I looked up the ads running on this Page and am gobsmacked that the AI has approved them with so many defaced images of Zuck himself.
In any case, just be careful out there, friends!!! You might end up forking over a boatload of your hard-earned money only to be scammed. Do your due diligence. Don’t let your emotions get in the way of reason!
9. How to secure your Facebook personal profile
Okay, you’ve made it this far. Whether you’ve ever been hacked or not – or you know anyone that’s been hacked or not – I IMPLORE YOU TO TAKE YOUR OWN RESPONSIBILITY FOR LOCKING DOWN THE SECURITY OF YOUR OWN PERSONAL PROFILE!
Sorry for shouting, but this is the #1 best way to prevent hacking in the first place. That is, hacking of your personal profile or Business Manager or business Page. EVERY single person and partner in your Business Manager, and Admin on your Page, *must* have 2FA enabled.
Locking down the security of your accounts goes for Facebook, Instagram, any social profile, and certainly any other critical online accounts – specifically your EMAIL and any online banking/financial accounts. With email, if a hacker gains access, just think – they could trigger password resets for pretty much ANY of your online accounts. Ugh. Never let that happen!!! 2FA is your friend.
On desktop or mobile, navigate to your Facebook Settings and follow these steps:
- Ensure your password is long and cryptic. If you can remember your password (for anything!), it’s not cryptic enough. Use a reputable password manager tool, e.g. LastPass, 1Password, etc.
- Set up 2FA – two-factor authentication, or MFA – multifactor authentication. This is done under your Security and Login settings. Most people utilize SMS to receive a code via text. However, for optimal security, it’s much better to use an Authenticator app. Google Authenticator and Duo Mobile are among the top apps. (See: The Best Authenticator Apps for 2021 by PCMag)
- So long as you’re using a strong password – along with 2FA – you shouldn’t need to change your password that often. But, some security experts suggest changing your password every few months.
- Set up extra security by enabling “Get alerts about unrecognized logins.” Select notifications on Facebook, via Messenger and by email.
Set up extra security by adding 3-5 trusted contacts. If needed, your trusted contacts would send a code and URL from Facebook to help you log back in.
- Periodically check your Logged In Sessions and remove any you no longer need.
- Under Settings, periodically check which Apps and Websites are connected to your Facebook account and still have active access. Remove any you no longer need or use.
- Also, regularly review your Business Integrations – these are apps and services that you’ve used Facebook to log into. Again, remove any you no longer need or use.
- Download your information – this setting allows you to download *everything* you’ve ever posted on Facebook and it’s a solid best practice for *both* your personal profile and business Page as at least you would own a back up off of Facebook. (Just like you back up your website or blog). I would recommend downloading your information a minimum of once a year, but maybe 2-4 times a year depending on how much you post!
- On your personal profile, go to your Settings > Your Facebook Information (top left menu) > Download Your Information. Follow the steps. Or, easier yet, just go to this link to view your information and then there’s a link at the foot to download a copy: https://www.facebook.com/your_information.
- On your business Page, go to Settings > Download Page (towards the bottom of that first General section).
- Consider hiding your friends and followers on your personal profile if you have a large number of them. This is particularly important for profiles that get impersonated as it looks very enticing to a scammer to be able to act as you and try to scam your entire network. They bad actors create a new account with a name that looks very close to yours, they use your profile picture, they send friend requests to all your publicly visible friends and then spam them with scam links. (As mentioned above, if you’ve been impersonated, immediately report the profile).
Also, review Facebook’s Safety Center – Safety@Facebook – https://www.facebook.com/safety
See also this helpful Privacy Basics section.
And, periodically run Facebook’s Security Checkup.
10. Best practices to protect your Facebook business Page
The first best practice to ensure your Page is locked down is to absolutely ensure that EVERY ADMIN has gone through all the relevant steps outlined in section #9 above.
So long as anyone has Admin access to your Page at any level/role via their personal profile – which has always been the default and only way for years – it’s critical that they have 2FA set up as a minimum security best practice. (But, see below on Work Accounts coming!)
Follow these three security steps:
- Triple check that ALL Admins of any role have set up 2FA. If an Admin tells you they will set up 2FA, make sure they definitely know how to do this and that it’s properly configured (see step 2 in section #9 above).
- Remove any Admin of any role/level that is no longer relevant to your Page. Whether you use Business Manager, Business Suite or neither, navigate to settings and check ALL Admins/Page Roles at any level and make sure every person is still completely relevant. You may find there’s someone that you provided access to a long time ago and they’ve left the company, for example. Also, it might be time to prune your Admins if there are simply way too many that have access that don’t really need to.
- Ensure your Page has at least two Admins. If you’re the sole Admin on your Page, definitely add one other trusted person as your back up Admin. Even if it’s a close friend, partner, colleague and they’ll never actually access your Page. It’s just for a backup.
Facebook recently started testing a new type of profile called Work Accounts (hallelujah, about time!).
Facebook will also begin testing something called “Work Accounts,” which will allow business owners to access their business products, like Business Manager, separately from their personal Facebook account. They’ll be able to manage these accounts on behalf of employees and use single sign-on integrations.
Work Accounts will be tested through the remainder of the year with a small group of businesses, and Facebook says it expects to expand availability in 2022.TechCrunch 9.16.21
So, as and until Facebook rolls out these Work Accounts more widely, every person that has access to your Facebook Page, Ad Account, Business Manager, Business Suite is doing so via their own personal profile. This is just the way Facebook works for now.
(On that note, is it any wonder folks set up at least one other additional Facebook profile just for administering business products on Facebook. Even though it’s against Facebook’s TOS to have more than one account. Crazy. I wonder just how many of Facebook’s almost 3 billion monthly active users are duplicate/additional accounts?!)
In any case, to emphasize again, it’s vital that each person has their own personal profile security super tight per section #9 above.
11. How to secure your Facebook Business Manager
The steps to secure your Facebook Business Manager are very similar to section #10 above on securing your Facebook business Page. However, there are a few more places that you really ought to review regularly.
Remember, Admins have full control over your business. They can edit settings, people, accounts and tools.
Make it a habit to periodically go through your Business Settings in all Facebook Business Managers that you run (for many professionals/agencies, this will be multiple FBMs!), and review the following:
- People – make sure these are all current, active people that should legitimately be inside your Business Manager. Do any Admins need to be changed to Employee Level? Also, check all Assigned Assets that each person has access to and change permissions if needed.
- Partners – review to make sure these are current and relevant. Check their Assigned Assets, too.
- System Users – review anyone under this section as well to ensure these are active and relevant people with the right roles.
- Security Center
- Set ‘Who’s required to turn on two-factor authentication?’ to Everyone. This is an additional layer of protection from the personal profile 2FA.
- Check that you have at least one other Backup Admin Added. If not, definitely add a trusted person as your backup Admin.
- If you have not yet verified your business, start the process here. This can help add a layer of protection to your Business Manager and Page.
- Enable all notifications. Monitoring notifications carefully can help catch any suspicious activity quickly per the Red Flags section #5 above.
- Business Info
- Review the My Info section towards the bottom of the Business Info section. Make sure you’re seeing notifications from both your Page and Business Manager.
- Test your two-factor authentication by clicking ‘Control how you’re sent your login code.’
12: Are Business Suite and New Pages Experience more secure?
It’s quite feasible that Facebook’s new Business Suite hub (first introduced in September 2020), along with the company’s NPE – New Pages Experience (first introduced in January 2021) – has some additional safety/security features baked in.
Over time, Facebook intends to replace all Classic Pages with NPE. And, Business Manager will eventually be replaced with Business Suite.
Business Suite is a free tool that lets you manage your Facebook, Instagram and Messenger accounts in a single place. Learn more about Facebook Business Suite here.
And, with NPE, your Page may have already morphed over to this new format. Learn more here (although that post states ‘New Pages Experience for Government, Political and Nonprofit Organizations,’ the information there is relevant to all).
Okay, that’s all for now, friends.
I trust this post is valuable to you and your community. Please do share this post across your networks – thank you!!
Stay safe out there. And, do your level best to stay sane!! Facebook can be utterly crazy-making on the best of days. Take a deeeeep breath, try to remain poised, and focus on anything and everything positive in your life!! It’s simply not worth getting physically stressed out.
Make sure you’re following my Facebook Page to stay up to date with all things Facebook and social media marketing.
For our fellow small business owners, social media professionals, entrepreneurs, marketers, agencies – if you’re not already a member, do join my Social Scoop Facebook Group for tons of wonderful peer support and access to me and my team. We keep 20k members up to date on the latest Facebook & social media news, platform changes, updates, tools, and tips.
Need help with your Facebook marketing? My next Marketing Masterclasses with Mari Smith are coming up very shortly. Members of my Social Scoop Facebook Group will be the first to know!
Meantime, I’d love to invite you to join the wait list here for my next #FBOMM: Facebook Organic Marketing Masterclass. Season Two will be launching soon!