Tuesday, February 21, 2012

A lesson in failed Facebook security and 5 tips for prevention.



We provide social media management services for various clients. Some of these clients are very high-profile clients with what you would call “Celebrity” status. This is a story about one of these clients, who I will not name since we usually operate as ghost managers. Let's just call this client “Mr. X.”

One day, Mr. X, who has a personal account on Facebook as well as a Facebook Celebrity Page, had his Facebook account hacked. Our first warning came in the form of an email from Facebook, letting Mr. X know that his email address was being changed from an “aol” account to a “yahoo” account. This was strange since Mr. X knew that he did not have a yahoo account.

That was when Mr. X forwarded the email to our team. We immediately went to the Facebook account and attempted to log in as Mr. X, only to get a failure saying that we did not have the correct password. We immediately followed Facebook protocols to report the page as a hijacked page.

As it turned out, the hacker had not just created a Yahoo account for Mr. X, but also a new Facebook account using the old aol email account. So when we put in the aol account, we discovered that there was a second account and all of our attempts to retrieve the password would only succeed in getting us into a fake account. This was set up as a decoy so that we would not attempt a recovery on the true account.

Seeing through the decoy, we used the Yahoo email address that was now connected to the true account and followed Facebook procedure to report the account as hacked. This allowed us to regain control of the true account. However, the damage had been done. The page of which Mr. X was an administrator was now no longer in his control. The hacker had gone to the page administration settings, removed all of the administrators from the page, and assigned his/her personal account administration access instead. We had officially lost control of the page.

We have been on Facebook, managing accounts and various issues, since 2006 and have never seen this happen. Mr. X had a very large audience and the hacker was now “posting” malicious links all over the page to no end. We anxiously searched through all of the help links and articles on Facebook and found several instances where this had happened with no happy resolution. We had no choice but to report the page as having illegal content on it, so that the page would be suspended immediately. Since that time we have asked a panel of experts at the Ragan Social Media and PR Conference in Las Vegas what they had to say. No one had an answer.

If you have a Facebook page and have granted access to various administrators to help you run this page, then you need to pay attention. We have determined that there could have been measures in place to help us avoid this situation. These measures include:

  1. Create a centralized email account where all social media notifications go and that the social media team has access to 24/7. This gives the team the time they need to respond immediately to any notifications that come from Facebook. In this case, the hacker attacked in the middle of the night, when we were all asleep. The damage had been done and no one could see what had happened until hours later.

  2. Create a strict schedule where all social media accounts and email accounts have a password change once a month.

  3. Make sure all passwords are different for all social accounts. Do not repeat passwords for any of your accounts.

  4. Make sure all passwords are a minimum of 8 characters, contain a mix of alpha and numeric characters, and include at least 1 symbol. Have your social media team create the passwords for you. Keep the passwords in a secure location and do not email them to your personal accounts.

  5. For Facebook administration, create a new Facebook account that is specifically used to administrate the Facebook page. This account has a special password that is changed monthly and it is completely blocked from public view, reducing the risk of being hacked. Make sure that the Facebook page is ONLY managed by this one account.
