I recently had the unpleasant experience of discovering that someone had hacked my facebook advertisers account and set up an ad to spend £1200 per day! Here’s what I did about it, and the response I got back from Facebook.

It’s your worst online nightmare. Someone with bad intentions getting into your accounts.

I’ve been online since the beginning of time (OK, about ’96) and to be fair, this is the first time anything like this has happened to me. It feels truly horrible.

In the immediate aftermath of dealing with it as best as I could, I looked to the Web for stories about hacked facebook accounts, looking for reassurance that my case would probably be resolved.

Scarily, it was difficult to find much! There was one thread on a community forum inside facebook where someone had posed a similar question, but the lack of response was worrying…

So I decided to write up my experience in the hope that if it’s just happened to you, and your Facebook ads account has just been hacked, you might find this post and be reassured. I’ll also include some tips from any “lessons learned” along the way.

My Facebook Ads account got hacked

I’m not a huge facebook advertiser. My entire history is limited to a handful of campaigns, and only ever spending small amounts (less than £20). Just dabbling, really.

At the time my ads account got hacked, I had no ads of my own running, and the last one I ran was about three weeks prior.

The first sign my fb ads account had been hacked

I received an email from PayPal informing me that Facebook had taken payment for the sum of about £22. This was late Friday afternoon.

I remember thinking that it seemed slightly strange, but assumed it was for the previous run of promoted posts I’d ran a few weeks prior. The amount seemed about right, if a little higher than the limit I had probably set.

I thought little more of it.

Within a half hour, I’d received another email from PayPal, and guess who had taken more money? Yep, Facebook of course, and this time they had taken a further £42.

Ok, alarm bells. Something is not right.

Lesson learned: if you receive emails regarding payments to Facebook for ads run on your account, log in to Facebook to check the activity in your “Advert Manager” area.

fb ads manager

There are probably phishing scams out there too, so don’t click on any links in the email. Open a new browser window and go direct to Facebook from your address bar.

The shock discovery in my Facebook Ads account.

When I logged in to Advert Manager, I could see the evidence of the two recent bills. I could also see that there was an “outstanding balance” of over £100!

Most shockingly, there was an advert running that I did not recognise, and that I certainly had not created. Hideously, it was set up to spend up to £1200 per day, and had already breezed through just over £168.
I nearly died.

hacked facebook ads account

My Facebook Ads account had been hacked!

My first priority was to deactivate the ad so that it didn’t continue to burn through the budget. If I did nothing, this sucker was going to drain me of £1200.

Action 1: kill the ad!

In my state of mild panic, I couldn’t immediately remember how to turn an advert off! I clicked into the ad and saw that I could limit the daily spend, so I knocked that down to just £5.

Looking at the overview again, I remembered the obvious slider switches that allowed me to deactivate the ad.

Click/Swipe the slider to turn the advert off
Click/Swipe the slider to turn the advert off

Phew, it was off.

But how had someone accessed my account?

I have absolutely no idea, but my first action after shutting the ad down was to change my password. If someone out there had somehow accessed my account with my password, I needed to change it ASAP.

Action 2: change your password.

Fb will make you change it again after you’ve reported the issue, but you need to do it at this point for immediate protection.

Change your password!
Change your password!

While you’re changing your password you can also opt in to get notified every time your account is accessed from a new source. This could help you in future, so say yes.

Onward. With damage limitation in place, the next step was to address how I could get my money back.

Reporting a hacked ad account to facebook.

This wasn’t terribly easy or intuitive. I’m happy to conduct most interactions online and fully understand the “channel shift” ethos within a professional customer services setting.

But sometimes you just need to speak to a real person, don’t you?

Let’s face it, when this happens to you, you have been robbed. It’s a personal violation and it’s very unnerving. You want to make sure that you’re taking the appropriate steps and to be reassured that it will all be sorted out.

To speak to someone at Facebook would be very helpful.

Forget it – this is not going to happen.

You won’t get to speak to anyone at Facebook.

It turns out that there are various ways and multiple forms that you can use to alert Facebook about a hacked ads account.

I ended up submitting my case via two different forms that both seemed appropriate. Reflecting back, I think either form would have resulted in the same outcome, so it probably doesn’t matter which one you use. Just report it.

Use this form to report your hacked fb ads account. As you select options, new sections of the form will appear.

Tip: supply all the info that’s requested and write a concise account to help the fb staff.

Give as much info as you can, but be concise.
Give as much info as you can, but be concise.

After submitting your enquiry, you get a message saying they’ll look into it and be in touch. The forms I used suggested a likely response time of 1 working day. (It took longer)

I phoned PayPal.

The great thing about PayPal in this situation is that you can phone them and actually speak to a person!

After explaining the situation, PayPal explained that I would need to contact Facebook regarding the refunds of the two amounts taken.

Paypal were able to immediately de-authorise the link between my Facebook and PayPal account. This means that Facebook would not be able to take the amount they said was still “outstanding”.

This felt like a good safety net, in terms of damage limitation, and in a situation where fb might not respond to help requests, I’d certainly have their attention if they were failing to collect payments they thought were due.

How long did Facebook take to reply?

I got my reply after three working days (on Wednesday afternoon, so I’d actually gone FIVE days between the incident, and hearing from fb.

This felt like quite a long time to wait and one wonders how much quicker they might be if they refined the process so that people didn’t feel the need to submit their help requests several times via different forms because it’s so messy and unclear.

How Facebook responded to my hacked ad account.

I’m pleased to be able to say that Facebook acknowledged that my account had “been compromised” and that they then refunded the two amounts that I had been charged via PayPal.

Great news!

But it was frustrating to log in and discover that the “outstanding balance” of just over £100 was still there!

So it’s was necessary to start over with a new form, re-tell the story all over again and request that they scrub the outstanding balance.

Another three days later, I received an email saying it had been done, and apologies for the inconvenience.

Actually, one positive part of this process is that when you do get a reply from fb, you can just email them back and continue the thread of conversation if necessary. It’s not just a “no-reply” address.

One final annoyance.

For some reason, despite being able to deactivate the rogue ad, I was not able to edit or delete it.

It didn’t feel great to have it sitting there in my account. I replied my guy (whose name was actually Guy!) and he seemed to tweak something and eventually I was able to delete it.

Confidence restored in my facebook ads account?

Hmm, that’s a tricky one.

Yes, I am pleased with the outcome. I got the refund and they cancelled the charges, as it was plainly obvious that the ad was created by someone other than myself, to promote something that was nothing to do with me.

But I am now more cautious. I still have no idea how the breach occurred.

Final tips on securing your facebook ads account

There are a couple of additional precautions you can take that might help protect your account in the event of it being compromised.

Set up security alerts (login alerts)

You can be notified if your fb account is accessed from a new device. These are called Login Alerts and you can access them via the Security menu.

Turn on your fb login alerts
Turn on your fb login alerts

 

Put limits on your Ads account

You can edit your billing threshold and your spending limit, within your ads account.

This could help reduce the damage of a rogue ad. Even if the hackers changed these settings, the system should notify you about the change, so that in itself would be a useful warning to investigate your account.

Set low figures on your threshold and spending limits.
Set low figures on your threshold and spending limits.

 

Last words

I hope that most fb advertisers will never need to read this article.

But if you have ended up here, I’m assuming that you have also been hacked, and I hope that the post provided you with a) some reassurance that you are likely to recover the charges and b) some helpful advice to help keep your account secure in future.

Was your fb ads account hacked?
Did you get the money back?

Please share your story in the comments!

  • The same thing happened to me today. I realized it when I was receiving some “Likes” about an ad I’ve never posted, in fact I’ve never used Facebookd ads service before. Instinctively I followed your described process, but contacting Facebook is really challenging…I can’t understand why such a large company can’t provide a phone support for those emergencies.

    Damages on my end are limited to about $40 for now, but still I had to put a hold on my account for anything that would come from PayPal as some transactions that were supposed to hit my account tomorrow were for a total of $1200, and not only from Facebook.

    It’s unnerving to say the least and a lost afternoon dealing with this at work…

    • Carbon copy of my experience.. The amount of time I have lost, is all out of proportion to the amount that was leached out of my paypal……….. A telephone conversation with FB could have resolved this more easily…Still out there at the moment, very frustrating indeed.

  • This happened to me last August 25, 2016 when I noticed unauthorized use of my account, I discovered that I was made as an Advertiser by a fraudulent company along with few more people from different parts of the world, unfortunately, the case was not resolved and I do not get to boost my Ads again. I had reported the incident many times and their response was far from positive. I was asking them if I can settle only the amount that I legitimately used and the Ad placed on me be waived and investigated, it was bad that they could not do anything about it. I really need a help since I want to restore my Boost buttons back.

  • I to was also hacked. But these people didn’t use my own money which is strange. I run a blog and use a Facebook page for my blog in order to reach more people. I had only ran one ad in my life from my page. About two months ago I had noticed a new FB page was made as me as an admin about some dog in a movie. I tried to delete the page and it said it was disabled but I had to wait 14 days to completely delete. So I waited and it deleted and I moved on with my life. Last week I went to run my second ad ever for my page and it said boost unavailable so I logged in and saw two ads I had never seen before. One for the dog page and one for smoothie king? I kid you not smoothie king a big franchise! It didn’t say I owed any money but my credit card had been removed and it did say my ads account was disabled because of suspicious activity and to contact Facebook and verify identity. So I tried and basically got a generic email back after explaining everything that my account had violet facebooks terms of service and they couldn’t reinstate my account for the safety of others. I am beyond furious because I didn’t violate anything a hacker did and I am being punished for it. Facebook never even sent me an email about my account being flagged! I check my emails daily!

  • This happened to me last week and I am still waiting for facebook to get back to me, they have only asked me to fill in another form so-far. Its Wednesday Evening now and this FIrst Happened on Friday (I think the hackers chose that day as the banks are closed and not as many people will be watching their accounts maybe). They set up Facebook and Instagram ad campaigns which ran over night (when I was sleeping).. I am currently £208 out of pocket – I had my account linked to Paypal as I had previously used facebook to advertise a product a few years ago so everything was in place. I have been forced to change my password (expected) and my ads account has been suspended (a good thing) but what frustrated me is the time it takes facebook to respond to something so serious. One ad was costing me £4.96 per click so you can imagine how fast the money was flowing out 🙁

    • This happened to me on Tuesday 21st. I have a business manager account as I work across lots of accounts and spend a substantial amount of money with FB. No money was spent as I noticed the doggy ad before it went live. However I use the same payment source across campaigns which has now been stopped by FB. I have contacted them five times a day to resolve this issue. They are a joke, and seem totally incapable of dealing with or resolving the situation. Four days latter and they cant even say when the issue will be resolved. I am now losing clients as I cant run campaigns for them. Once my Google MCC account was hacked, it took them just 2hrs to arrange a credit and have me account live again. FB are beyond rubbish and hide behind online help.

  • Hi! Your article is a bit comforting to me now, saying that you got a refund at the end of the day. This happened to me the other day, only that this was the end of the month too and facebook charged my bank account directly with about 135 pounds. I was shocked and didn’t know what to do. I tried to contact facebook any way I could it is really challenging to say. I hope I get a reply soon, cause I am freaking out all over this problem.

  • just happened to me as well. I’m waiting for facebook to respond and my bank to process my application for this fraud. this is outragous.

  • This recently happened to me and Facebook has not responded after 10 days. Our team is really anxious to get this resolved to we can proceed running ads for some upcoming campaigns. Where do you find the form for hacked ads? I’m only finding ones for payment inquiries which are not getting me anywhere. Thanks so much!

    • Just fill that form. The information on this article is a bit outdated regarding that form. Just choose the transactions from that page and add a detailed response along with some screenshots of the hacked ad account where you can see the transactions.

  • One additional advice i would like to add:
    Check your recent friends you have added. Sometimes you add a person and invite them to your page. It might be a hacker. Check for Admin roles in both your pages and ad management account.
    This happened to me when i discovered a person i added to my friend list and invited to a page is somehow a hacker who set their role as admin to my ad account. I was able to remove them from the list but they have created ads worth Rs.52000 from my ad account in 3 days!
    Reported today, still waiting to hear back from FB. They are investigating.

    • Hello Shank,

      This same happened with me as well.
      Does Facebook refunded the amount?

      I got a mail from Facebook saying wait for 3 days.

  • Hey, the same happend to me. I got notification from my bank that someone was trying to use my credit card, but used wrong exp. date. Today I checked the ads on facebook and I can see that someone bought ads using wierd card numer, but now I also have autsating balance/ I reported it to facebook, change verything, deleted payment method. I want to delete ADs manager account on Facebook but now I can’t because of balace. Do you think this is common? Will facebook clear my balance?

  • Thank you so much for sharing all this!! It’s a scary thing seeing money being drained from your account! 🙁

    The link in your article for the form we can use to report a hacked Facebook ads account, goes to a slightly different form now: “Ads Payments Inquiry.” There doesn’t appear to be an option to report a hacked account now, but the closest I could find was: “Process a refund or clear my outstanding balance.”

    I used that option and sent an email explaining the situation, to which I received a very quick reply stating that they could not refund me because the ads were run according to my settings. (I think it was an auto-responder, not a real person, as it was so fast).

    I clicked a button to “reply” and “reopen the case” – then I gave a more detailed explanation, complete with a SCREENSHOT of the ad. I explained how it was obviously written by someone who doesn’t have a grasp on the English language, promoting a product that has nothing to do with my brand.

    I am waiting now (days, perhaps?) to receive a reply. Thankfully, was able to catch PayPal to freeze the payment before it went through.

    Really appreciate your help with this! I may have just panicked without this step-by-step guide! I appreciate you. 🙂

    Laura

    • Did you ever get back your $7,000? I just found out I was hacked and lost $6,000. Just reported to Facebook and am anxiously waiting for a reply now

  • This has just happened to me today. £800 in two hours. I’ve deleted the ad, changed passwords, phoned the bank and raised 3 different reports with Facebook. Right now my confidence in them is completely shot. If I hadn’t happened to check the ads account today our account would have been emptied in hours.

  • My personal account was hacked and charged over $1,350 for some fraudulent ads. Ugh. Because the nature of the ad violated the Facebook guidelines (used text inappropriately or whatever) they’ve suspended my account. This funnels all my support requests to an automated reply telling me to review their procedure on ads and immediately closing my case… not addressing the fraud. Anybody have any advise here?

    • Hi Greg
      Really sorry to hear about your situation Greg. My account was also hacked early Jan 2020. FB accepted my account had been compromised and I got the money back but my account has been suspended because of the nature of the ads. Despite numerous appeals they have not reinstated my advertising. I run a a digital marketing company (new start-up) and this has lead to lost customers and me very probably closing my business. Did you ever get you advertising reinstated? If so, I’d appreciate any directions/help/tips.

  • My account was also hacked early Jan 2020. FB accepted my account had been compromised and I got the money back but my account has been suspended because of the nature of the ads. Despite numerous appeals they have not reinstated my advertising. I run a a digital marketing company (new start-up) and this has lead to lost customers and me very probably closing my business.

    My account was hacked, FB themselves confirmed this. Yet one month on and my ability to post any form of FB ads, or open a new Business Manager has not been reinstated – without any reason or explanation. This has pretty much cost me my business.

    A few things I’ve taken away from this:
    You have no automatic right to a FB account – and as soon as you sign up it appears you sign any rights you may think you have away.
    They can ban or close your account at any time – and its is entirely up to them whether or not the re-open it.
    You can appeal but they do not have to give a reason or explain their actions. I have not had a response from my latest appeal in over 2 weeks.
    You can not rely on Facebook advertising as these rights can be taken away at any time.
    There is very little information out there about what to do in this position (we are all sharing here).

    If anyone has any suggestions for what I can do next please respond to this article.

  • Thank you for this article and indeed it has given me a little relief and reassurance. I just found out my ad account has been hacked and the hacker managed to spend $6,000 over the last 4 days without me realising. I chanced upon your article as I was wondering what was the likelihood of FB refunding me my money. I do hope I get the same outcome as you. Thanks again!

  • It’s March 19, and my account has just been hacked in the middle of the coronavirus shutdown, so I’ve been having trouble reaching ANYONE! I’m still working on getting this resolved.

  • I also got hacked! I already contacted the FB and they confirmed if I got hacked.

    I was checking my debit card at that time I got replied by I didn’t find a refund. So I replied to the message to ask about when I’ll get it.

  • Same exact thing happened to me today. Thankfully caught it after $750 spent, daily budget was $3900 and could have been much worse. What a disaster. I filled out facebooks support request but based on the responses here it doesnt seem promising. Any success contacting bank?

  • same thing happend to me, thankfully i dont use any money on facebook, but good try and thanks for the IP, its not that hard to get thru a VPN, mainly when your stupid and you hack someones account while hes on it xD i just hope i manage to delete all the pages, ad-accounts and other shit they made…

  • I have just found out this has happened to me, I started noticing random amounts of money coming out of my bank account from the start of this year from Facebook Ads, keeping in mind I haven’t logged into my Facebook Ad account since November last year and have definitely not created any Ads or Campaigns this year. Random amounts of $50, $74, $23 etc adding up to $566 were being taken out each week without my permission, I thought perhaps I had made a mistake last year that resulted in these Ads being created but it’s now April and it just doesn’t make sense. I’ve contacted Facebook, I really hope they can refund me. Has anyone dealt with this?

  • This has happened to us twice now! We’re small fish in the FB advertising world, maybe only a couple of hundred bucks a month. Located in Australia, for the second time we’ve had an individual who appears to be associated with a Vietnamese clothing brand, enter our accounts and setup ads with spending limits of hundred of dollars / day. The first time, they were able to spend about $2000.00 AUD in the course of about 2 days. The bank noticed it and blocked it, and we did the same ordeal as you described above – Contact Facebook through a fable form and wait for a reply. Just today, it’s happened again.. However Facebook seems to have deactivated the account as soon as the ads were published. Maybe the Facebook security algorithms learn. Now faced again with the waiting for a response, and frustratingly, can’t delete the unauthorised campaign, OR the personal account that’s associated themselves with the ad account… Frustrating, and unnerving!!!

  • My whole personal and business Facebook account has been hacked and sent to an e mail account I can no longer recover which they have also hacked, I cannot get in touch with Facebook at all because I no longer have access as they have changed my password and removed my current e mail address. The Facebook ad e mail came from PayPal tonight and I have reported it right away as well as changing all my passwords. I honestly don’t know what to do as I just cannot contact Facebook. The hackers have set up 2 step authentication and every time I try to login the code goes to them

  • >