We provide social media management services for various clients. Some of these clients are very
high-profile clients with what you would call “Celebrity” status.
This is a story about one of these clients, who I will not name
since we usually operate as ghost managers. Let's just call this
client “Mr. X.”
One day, Mr. X, who has a personal
account on Facebook as well as a Facebook Celebrity Page, had his
Facebook account hacked. Our first warning came in the form of an
email from Facebook, letting Mr. X know that his email address was
being changed from an “aol” account to a “yahoo” account.
This was strange since Mr. X knew that he did not have a yahoo
account.
That was when Mr. X forwarded the email
to our team. We immediately went to the Facebook account and
attempted to log in as Mr. X, only to get a failure saying that we
did not have the correct password. We immediately followed Facebook
protocols to report the page as a hijacked page.
As it turned out, the hacker had not
just created a Yahoo account for Mr. X, but also a new Facebook
account using the old aol email account. So when we put in the aol
account, we discovered that there was a second account and all of our
attempts to retrieve the password would only succeed in getting us
into a fake account. This was set up as a decoy so that we would not
attempt a recovery on the true account.
Seeing through the decoy, we used the
Yahoo email address that was not connected to the true account and
followed Facebook procedure to report the account as hacked. This
allowed us to regain control of the true account. However, the damage
had been done. The page in which Mr. X was an administrator was now
no longer in his control. The hacker had gone to the page
administration settings and removed all of the administrators from
the page and assigned his/her personal account administration access
instead. We had officially lost control of the page.
We have been on Facebook, managing
accounts and various issues here since 2006 and have never seen this
happen. Mr. X had a very large audience and the hacker was now
“posting” malicious links all over the page to no end. We
anxiously searched through all of the help links and articles on
Facebook and found several instances where this had happened with no
happy resolution. We had no choice but to report the page as having
illegal content on it, so that the page would be suspended
immediately. Since that time, we asked a panel of experts at the Ragan Social Media and PR Conference in Las Vegas what they had to say. No one had an answer.
If you have a Facebook page and have
granted access to various administrators to help you run this page,
then you need to pay attention. We have determined that there could
have been measures in place to help us avoid this situation. These
measures include:
- Create a centralized email account where all social media notifications go and that the social media team has access to 24/7. This gives the team the time they need to respond immediately to any notifications that come from Facebook. In this case, the hacker attacked in the middle of the night, when we were all asleep. The damage had been done and no one could see what had happened until hours later.
- Create a strict schedule where all social media accounts and email accounts have a password change once a month.
- Make sure all passwords are different for all social accounts. Do not repeat passwords for any of your accounts.
- Make sure all passwords are a minimum of 8 characters, contain a mix of alpha and numeric characters, and include at least 1 symbol. Have your social media team create the passwords for you. Keep the passwords in a secure location and do not email them to your personal accounts.
- For Facebook administration, create a new Facebook account that is specifically used to administrate the Facebook page. This account has a special password that is changed monthly and it is completely blocked from public view, reducing the risk of being hacked. Make sure that the Facebook page is ONLY managed by this one account.