Facebook’s Business Manager is typically pretty secure, but malicious users have found a way to hijack these accounts, and the money attached to them, typically to advertise their own products and to hack further accounts.
The hack is quite sophisticated. Anyone with a Business Manager account, including those with simple access to them, is at risk of this same vulnerability. At the time of writing, Facebook has NOT applied a patch which puts you at risk and potentially on the hook for thousands of dollars. Here is how this hack works and the steps you need to take to keep your account secure!
The hack is usually advertised by a Facebook ad that offers a $3,000 credit for new businesses that sign up for the TikTok Ads campaign–quite generous, but far from crazy, since TikTok has been pumping all sorts of money into its creative influencers program. It all looks very legitimate, except for the developer email and package name, which are usually overlooked. Niek Mass, who lost 3,000 euros from his ad account, talks about his experience in his post.
The hack starts when the victim downloads the unverified app from the Google Play Store to an Android device. We imagine the same thing could happen on an iPhone; Apple keeps its App Store guidelines strict, but you should still be vigilant there.
Once downloaded to your phone, the app asks you to sign in with a Facebook account. It all seems very normal.
After you finish the login process, it says that a “voucher activated” email will be sent to you within 24-48 hours to claim the $3,000 reward, but it never comes. Within a couple of days, the hackers take over the Business Manager account using the Facebook authentication token you handed them through the app. They add fake users and remove you from it.
This is about the time when you notice: you wake up and find out you’ve been locked out of your account, with thousands in your own money being spent by hackers. Even worse, depending on how the account is set up, it may not even be your own money–it could be cash that your client is supplying!
It doesn’t stop here. The hack goes further by taking over Facebook apps owned by the business manager account. This is the part that happened to us.
We checked our App Dashboard, only to discover that we no longer had access to our own app.
We soon discovered that the app had been renamed to ‘TikTok for Business’… yes, the hackers are taking over other apps, apps with a legitimate history and legitimate users, and repurposing them to steal access from new users! (NOTE: Only users that grant permissions to the renamed app are exposed to this hack.)
We were able to get in and reclaim access, but it was only a few minutes before we were all removed again, and our access was revoked. That Facebook app was completely lost.
Steps to take after you have been hacked
Long story short, there is not a straightforward process to recover your access.
Filing a bug report through the developer support forum won’t work. We created a bug report with all the information we had about the hack immediately. Our report was closed a couple of days later without any help from the support staff.
Contacting Facebook staff on its own doesn’t work either. We reached out to Facebook multiple times and were in frequent contact with their security team, but we did not hear back from them for a whole seven days.
However, it could be that they simply had their hands full at the moment, and you may be luckier, so take the steps anyway:
- Make all the necessary screenshots and file an incident report here https://developers.facebook.com/incident/report/
- Try to restore your admin access to the app using the appeal form here https://developers.facebook.com/appeal/ – there is still a chance that the app contact email used for Facebook app support communications has not been changed. If so, this form may allow you to regain admin access by following the instructions sent to that email address after the appeal is submitted.
- Also, it would be a good idea to immediately start with the process of securing all the accounts that were used as potential attack vectors. The Facebook security outreach team recommended that we use the standard Facebook help center here https://www.facebook.com/hacked to report the involved accounts as compromised.
After these, your only option is to reach out directly to any Facebook contacts you have, inform them about the situation and all the forms you have filled out, and ask if there is anything else you can do.
How to prevent this hack?
There are several steps you can and must do to keep your account secure and avoid a horrific experience like this.
Log Facebook out of all devices
Do this first to terminate any breach that may be in progress.
To log out of Facebook on all devices, head to Facebook.com in your browser and open Settings. Go to the Security & Login section, and in the “Where You’re Logged In” section, click “See More” and then “Log Out Of All Sessions” at the bottom right.
Change your Facebook password
This removes any access a hacker had to your account and keeps the password hard to guess or brute force.
- If you still have access to your personal Facebook profile, first navigate to the Settings & Privacy / Settings option from the menu
- Choose “Security & Login” from the left menu
- Click on “Change password” in the Login section – you will need to remember your old password to save this change.
The act of changing your password will also log you out of any services that use Facebook login and invalidate all tokens that are used by Facebook apps to act on your behalf.
Activate two-factor authentication
Two-factor authentication is an important part of Facebook account security, and especially of the security of your Business Manager account. It is important to have enabled because, if a hacker were to get your account password, logging in would also require a PIN sent to your phone or email address.
It’s a second barrier to entry that could save you potentially thousands of dollars. It’s not clear that it would have helped in this hack–since this hack was carried out with the authentication token issued when the victim logged in within the app–however, it’s an important layer of security that will block the majority of breaches.
To do this in Business Manager, go to Business Settings, Business Info, and then click Edit.
Under the 2FA section, you can choose to require it for all users or for Admins only. Once done, press Save.
Review users under all business accounts you have access to
This is the most important part! Review the people who have access to each of the Business Manager accounts you manage. This is where the spoofing happens–hackers reuse existing profile photos and names, but with spoofed email addresses. It’s an easy way to fool you, which means you need to look really closely.
Look at names and make sure that they match up accurately with email addresses. If something doesn’t add up, restrict that user’s access or remove the user from the account immediately.
To do this, open up Business Settings and go to Users > People. From there, you can click on the person you want to evaluate, make sure everything matches up, and if it doesn’t, just click Remove.
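The review above can be done by hand, but a small script catches the two tell-tale signs quicker: a teammate’s name appearing twice with different email addresses, and any email at a domain your organisation does not own. This is an added example, not code from the original post; the user list and the trusted domain are constructed, and the rows would normally be copied from Business Settings > Users > People.

```python
# Added example (not from the original post): flag Business Manager users whose
# display name duplicates a known teammate or whose email is outside your
# organisation's domains. The user list below is constructed sample data.
from dataclasses import dataclass

# Assumption: the email domains your real team members sign in with.
TRUSTED_DOMAINS = {"example-agency.com"}


@dataclass(frozen=True)
class BmUser:
    name: str
    email: str
    role: str


def normalise(name: str) -> str:
    # Collapse case and whitespace so "Jane  Doe" and "jane doe" compare equal.
    return " ".join(name.casefold().split())


def find_suspicious_users(users, trusted_domains=TRUSTED_DOMAINS):
    """Return (user, reason) pairs that deserve a closer look.

    A spoofed user typically reuses a real teammate's name (and photo) but signs
    in with an email at an unrelated domain, so the check flags:
    - any user whose email domain is outside the trusted set, and
    - any display name shared by users with different email addresses
      (both copies are reported so you can compare them side by side).
    """
    emails_by_name = {}
    for u in users:
        emails_by_name.setdefault(normalise(u.name), set()).add(u.email.casefold())

    findings = []
    for u in users:
        domain = u.email.rsplit("@", 1)[-1].casefold()
        if domain not in trusted_domains:
            findings.append((u, f"email domain '{domain}' is not a trusted domain"))
        if len(emails_by_name[normalise(u.name)]) > 1:
            findings.append((u, "display name is shared by users with different emails"))
    return findings


# Constructed sample: two legitimate admins plus one look-alike added by an attacker.
SAMPLE_USERS = [
    BmUser("Jane Doe", "jane@example-agency.com", "Admin"),
    BmUser("John Smith", "john@example-agency.com", "Admin"),
    BmUser("Jane  Doe", "jane.doe.ads@mailbox.example", "Admin"),
]

if __name__ == "__main__":
    for user, reason in find_suspicious_users(SAMPLE_USERS):
        print(f"REVIEW {user.name} <{user.email}> ({user.role}): {reason}")
```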
These steps will keep your account very secure, making it nearly impossible for a hacker to breach it.
What is Facebook doing?
Facebook is aware of the data security issue as well as the business account breach. They are actively investigating the issues but do not have a solution in place. You may get an email from their ops team like this:
We are Facebook’s Developer Operations team. We work to ensure that our users and partner developers operate in a healthy and responsible app developer ecosystem.
We have become aware of a potential data security issue involving your application that may have impact on data obtained from us. Regarding the data incident that occurred in October 2020, please answer the following questions:
- Are you a developer who has lost access to their app?
- If yes, then please fill out this contact form. Please provide a copy of your valid government-issued ID to verify your account ownership. See the different kinds of IDs we accept in this Help Center article.
- Once you have provided this information, we may follow up with additional requests for information or documentation to evaluate your request.
- More information can be found here.
- Is your app linked to Facebook Business Manager, and your Facebook Business Account may have been hacked?
- If yes, then contact the Facebook Business Chat Support to file a request to verify your identity and business.
- Do you maintain any other datasets containing Facebook data? If so, are any of these other datasets publicly accessible?
- If so, please immediately secure these datasets to ensure that they are no longer publicly accessible, and confirm that you have done so in your response to these questions.
- Also, please let us know the hosting service name and IP address of these datasets. How long was the dataset publicly exposed?
Please send us your responses to these questions by date.
Thank you for your prompt attention to this matter.
Facebook Developer Operations
Please drop us a comment and share it with your friends, especially if you found another alternative you would like us to mention or if it helped you.