the drift


Securing Your Facebook Business Manager Account After a Hack

Alex Ford
July 18, 2023

Your Meta Account Has Been Hacked -- What Now?

On Thursday, May 25th we at oakpool lost control of a number of Meta Business Suites due to a malicious attack by hackers. In total, 6 clients had 12 ad accounts affected, and we were able to resolve and remove all malicious actors within 4 days, and most within 48 hours. In the digital world, it is somewhat a matter of inevitability that there will at some point be a hack or breach of security. At oakpool’s beginning, we could not have imagined the scale and sophistication at which this type of cyber terror is now being perpetrated. 

This is one of those things that you think will never happen to you, until it does.

In the days and weeks that followed our hack, we spoke with a number of security consultants, agencies, and other victims of these attacks. We made the alarming discovery that these sorts of attacks are widespread, and have therefore decided to write this article in order to spread awareness and outline a plan of action if this should happen to you or your clients.

What Happened

We were alarmed that the breach had come from a compromised internal email account with admin access to each affected account. This was not through any malintent or incomplete security protocols - but a phishing scheme and one misplaced click on a link sent to one of our associates. We quickly moved past any non-productive “blame games” and accepted that this could happen to any one of us, agency or client side.

These hackers employ a process called “malverposting”, defined below.

“Malverposting refers to the use of promoted social media posts on services like Facebook and Twitter to mass propagate malicious software and other security threats. The idea is to reach a broader audience by paying for ads to ‘amplify’ their posts.” - Hacker News

In effect, hackers gain access to an ad account and spend as much as they can on a self-promoting and self-propagating ad that amplifies and extends the reach of their virus. In turn, this gains them access to more ad accounts in a snowball effect.

The specific hack that we incurred, and that seems to be affecting others these days, is called “The Ducktail Virus.”

This is not anything new in concept, although it has gotten far more sophisticated in recent months with a particular wave affecting US, UK, Australia, Canada, and Indian Meta Business Suite Accounts. We are constantly aware of this threat at oakpool, and have always taken prerequisite measures to ensure that our employees and associates are armed and protected with the extent of the security tools that Meta has to offer (2 Factor Authentication and more recently Facebook Protect). We also mandate a password change every 6 months. As has become apparent, this was not enough to ward off this attack.

What We Did About It

Once the attack became apparent, we had all hands on deck identifying and removing the compromised account from all Meta Business Suites that we manage. We suspended the account from our server and isolated or blocked off all other exposed endpoints.

We immediately alerted all clients to the breach, and advised them to lock or suspend their FB payment methods to minimize damage and encourage the hackers to lose interest. We had all hands send multiple support requests (over 20) to Meta Business Support, which is infamously hard to get help from and especially so in the aftermath of the Meta layoffs. We worked any backchannels we had with Meta to escalate this critical matter and get these issues resolved as soon as humanly possible. This included past support tickets, college friends and acquaintances who work at Meta, colleagues with Meta connections and so on. Nothing and nobody was off limits.

What This Means For You

  • Stay on and continue to follow up on Meta support tickets. Constant communication is the key here, and we’ve found that the squeakiest wheel gets the grease in these situations.
  • It is Meta’s policy to reimburse any budget spent as a result of a hack. Minimize the hackers’ spending abilities by freezing your associated ads payment method, but don’t get too caught up in the size of ad spend.
  • It is not the standard practice of these hackers to create organic posts (Hacker News source). They operate by connecting their page or asset to your ad account, thereby minimizing Brand Safety risks - for now.
  • Remove the compromised account from Google Ads, LinkedIn, Snapchat, TikTok, and Pinterest ad accounts. There may be no obvious sign of breach there (this scheme is historically perpetrated only on Meta accounts), but don’t take any chances.
  • With an admin, contributor, editor, or analytics role on your Business Suite, you are not personally affected by this hack. As far as this breach is concerned, your personal data is safe. 

Preventative Measures and Action Plan for Future Hacks

Preventative Measures

  1. 2 Factor Authentication and Facebook Protect for everyone who has access to your Meta account. Individuals can turn both of these on in Settings on their personal accounts. Instructions here. You will also see prompts to enable Facebook Protect on the same page. We recommend Meta Verified for everyone, but at least for those in an Admin role.
  2. Remove any unnecessary admins or users from your account. Past agencies, ex-employees, or anyone nonessential to the daily operations of your account is just another potential access point for any bad actors. Minimize your exposure to this.
  3. Do not click any links from anyone you don’t know. It seems obvious, but this hack came from an exchange one of our associates had with a very legitimate sounding request for marketing services. At the end of the exchange, the hacker sent a link to see their existing marketing materials. This link contained the virus that entered our system.
  4. Store your Business Manager IDs and Account IDs offline. You will need them to push your case with Meta Support, and you may not be able to access that information once the hackers have pushed you out of your account.
  5. Cyber insurance. This past week highlighted the importance of business and personal protection in the digital world, no matter what security steps we take to prevent hackers. We use StartSure, and have been very happy with their service.

In the event that the above measures do not prevent a hack, take the following steps.

Process For Any Future Hacking Incidents

  1. Identify & Remove. Identify the compromised account and remove it from all business endpoints in your digital stack. You can check for which account has been compromised by looking at the activity log in a campaign made by a hacker, found in Meta Ads Manager.
  2. Appeal to Meta. Submit multiple tickets to the Meta Help Desk and include your Business Manager ID. Write this down now on a piece of paper. We fortunately already had these in a spreadsheet for each client, which greatly increased our ability to resolve this quickly. Here is the form for submitting a ticket.
  3. Fight Back. If you still have access to the account, fight back in real time by turning off and deleting campaigns made by the hackers. Facebook’s AI will usually flag errors or irregularities (high spend, strange ad content) made by the hackers, but we saw this fail on a few occasions during our hack.
  4. Back Channel. Call us or anyone you know at Meta to escalate your Case Number that will be generated after submitting a form in Step 3. Friends of friends, college roommate’s girlfriend, or a person you met once at a conference are all fair game in an emergency situation like this. Typical turnaround time for a prioritized Meta Business ticket is 48 hours, but we were able to expedite this by reaching out to personal connections who work at Meta.

Getting Your Ad Account Back

1. In Business Manager, click the Help icon at bottom left

2. 'Create New Case'

3. "It's something else"

4. "Other Issues"

5. Select the disabled ad account & choose "Other ad account issue"

6. Choose Chat support if they're online; that has been fastest for us. Email works if not, and you should hear back within 24 hours. The script below has worked; tweak as needed. Be sure to attach a screenshot of the disabled ad account.

Copy & paste the following note into the messaging box:

"Hi,
Last week, a Facebook account with access to our business manager was compromised.  You were able to remove the malicious users and return access back to us, thank you immensely for that.
The only piece left to resolve is that our ad account remains disabled. Our business manager account is all clear at this point, and we're hoping to regain access to the ad account asap to begin advertising again. Thank you for your help in expediting this."

If you're currently experiencing a hack, we hope this has been helpful. If you haven't yet, we hope this has served as a cautionary tale. If you're looking for an advertising agency, you know where to find us.
