We Got Hacked

We got hacked. And while IT security is certainly not our typical blog content, I thought it worth sharing in hope that it might spare a fellow business owner the same hassle, which, depending on your level of engagement with social media, could be much worse than it ended up being for Retexo. Read on to learn from our experience.

First a confession: I am a closet computer geek. OK – to be fair, that closet probably doesn’t have a door, and the walls might even be made of glass. To those of you who know me, my geek status probably doesn’t come as much of a surprise, but I mention it to point out that I am a reasonably savvy computer user. I am security conscious, and I have some real-world experience. Just two weeks after taking the General Manager position for my previous company, my site fell prey to a fairly serious email phishing attack. An engineer clicked on a very convincing email about her cellphone bill. She quickly realized that clicking the link had been a mistake, but in the few seconds it took her to walk to the office of our IT manager down the hall, the virus had spread through the internal network to over thirty other computers via the Windows peer-to-peer networking functionality, and it was just getting started. What followed was a couple weeks of insanity, which at one point required me to call an emergency shutdown and send everyone home. I learned many interesting lessons, including the fact that you can have a team of high-level security specialists — basically an IT SWAT team —  on-site within hours, anywhere in the country, if you’re desperate. All it takes is a $60,000 deposit. Fees accumulate from there. And it was worth it. My site was part of a multi-billion dollar corporation, and our hack posed a threat to the entire global IT infrastructure. No messing around with those stakes. We got it contained, but it was honestly surreal. Point is, IT security risk is not theoretical for me, so I am probably more cautious than the average bear.

Given my well-earned attention to security, I was somewhat surprised to receive notification from Facebook a couple days ago that my account had been suspended for violating Community Standards. Minutes later I received notifications that two people with very sketchy looking email addresses had joined Retexo (our Facebook Business Page, which is linked to my personal Facebook account). By then (as in minutes later) it was too late. The hacker’s first action was to assign themselves admin access to our Meta Business Suite account (the system through which you manage Facebook and Instagram business pages, online stores, ads, etc.). Once they had admin access, they immediately demoted me to regular user status (yes, Facebook allows that, and no, they absolutely shouldn’t). Just like that, they had full admin control of our Retexo business manager account on Facebook (and they still do).

Prior to the attack, my Facebook account was secured by a sixteen-character randomly generated password used only for that account. Two-factor authentication (2FA) was enabled. As far as I know, no “social engineering,” phishing emails, or malicious websites were involved. I use a VPN when I connect to public networks. So how did they do it? The details are not totally clear, but I now know that many businesses have fallen prey to this exact attack, which seems to originate in Vietnam. The hackers used two compromised Facebook accounts, and it appears that my “mistake” was in using the text message (SMS) option for 2FA. I actually transitioned to an authenticator app (Authy) several months ago, but I left the SMS option on as a backup. That seems to have been the vulnerability they exploited. The hackers were somehow able to get the SMS authorization code sent to their phone number, which allowed them to gain access to my account. SMS / text message as 2FA appears to be a known vulnerability with Facebook, and a less secure option in general.

Once they had access to the Retexo page and had removed my admin privileges, they posted a string of images which were apparently objectionable in whatever language they were written in. These were immediately blocked by Facebook, resulting in the account suspension that alerted me to the problem in the first place. What’s the motive? It would appear that the end game is to spend lots of ad dollars for nefarious purposes on the hacked account’s tab. Ironically, the same trigger-happy Facebook content moderation AI that stopped the hacker’s posts is probably the only thing that saved us from a financial hit. That same AI falsely triggered on Retexo’s real (and very innocuous) content several months ago, resulting in an erroneous suspension of our ad account (this happens all the time – it’s maddening for businesses). After months of effort, I have no idea what triggered the suspensions, and I have been unable to resolve that issue. So the hackers ran no ads at our expense only because our ad account was already broken and Facebook was unresponsive. This, it turns out, is a theme with Facebook.

Where does this leave us?

The good news: I was able to quickly secure my personal account. That feature on Facebook works.

The bad news: all sources agree, we will never recover the Retexo business page or Meta Business Suite account. And even if we did, it would probably be useless because it would be “tainted” as a previously hacked account and Facebook would block most important functionality. If this strikes you as outrageous, it is. Thus my motivation to write this blog. I suspect that many small business owners (and large business owners, too), some of whom rely on Facebook advertising for a large percentage of their revenue, have no idea how exposed they are. I certainly didn’t.

What you need to know:

First, if your Facebook business pages / accounts get hacked, you are almost certainly out of luck. Facebook will not help. I’m not complaining about bad support. For most “normal” users, there is no support. You can Google “how to contact a real person at Facebook,” and you will get many articles with tantalizing screenshots showing you the secret path to the “Live Chat” button. You will find that none of them exist. For almost everyone, you will not locate an option to contact a live human at Facebook ANYWHERE (believe me, I’ve tried). Those screenshots are real, but any such options that once existed have been removed. If you are not a large “professional media” organization or dropping huge monthly ad spends, no one is going to help you.

Second, you will find any number of “I’ve been hacked” forms. You can submit as many of these as you want. You might eventually get a response in a week, a month, three months… but probably never. Facebook has over two billion users. It is a support demand that cannot be met. Again, the irony in my case is that Facebook has not responded to the erroneous suspension of our ad account for over six months, and that is the only reason we avoided financial impact.

In summary, if Facebook is important to your business, be aware of this risk. Known risks can be managed. It’s the risks you don’t know you’re taking that will get you. You need to know that your followers, your online catalog, your access to advertising, etc. could disappear in an instant, and you will have few options but to abandon your page / accounts and start over (which is what Retexo is doing). Even if you avoid a hack, you can get shut down by a false positive from Facebook’s automated content moderation systems. The result is the same: one day you are operating your business; the next day you aren’t. Facebook is the topic of this example, but the same is true for any social media platform, YouTube, etc. Being overly dependent on a platform you don’t control is a significant business risk. If you didn’t know, now you know!

How you can minimize your vulnerability to this hack:

1. Secure your Facebook account with a long, weird password that you do not use anywhere else. Password length is more important than weird numbers and symbols, assuming you are not using common words or phrases. Require anyone else with access to your business pages / accounts to do the same.
2. If you are not using two-factor authentication, stop reading and turn it on NOW. Any 2FA is better than no 2FA, but…
3. For any sites that offer the option, use an authenticator app like Authy,Google Authenticator, Microsoft Authentication, or similar for 2FA. Avoid using SMS / text message / voice call as your 2FA option for Facebook or any critical site. It is way better than nothing, but — as I just learned the hard way — getting a code via text message is not very secure for 2FA.
4. Enable every possible notification for any change to your Facebook personal account, business page, Meta Business Suite account, ad account, etc. I would explain how to do this, but if you are at all familiar with these Facebook services, you already know how impossibly confusing and convoluted they are. Much exploratory clicking is required.
5. If you get notification of a change that looks unfamiliar, take action IMMEDIATELY.

Fortunately, although we use our Retexo Facebook business page and a small amount of Facebook advertising, we do not depend on them at any significant level. We can quickly rebuild. We will lose all our followers, but for Retexo this is not a disaster (although it is a huge pain in the you-know-what). If you have spent five years building an audience of 100,000 followers for your business, that’s a much different situation. Horror stories abound – one example here.

Thanks for reading. I hope it was helpful and informative. Be careful out there!