I recently had the unpleasant experience of discovering that someone had hacked my Facebook advertisers account and set up an ad to spend £1200 per day! Here’s what I did about it, and the response I got back from Facebook.
It’s your worst online nightmare. Someone with bad intentions getting into your accounts.
I’ve been online since the beginning of time (OK, about ’96) and to be fair, this is the first time anything like this has happened to me. It feels truly horrible.
In the immediate aftermath of dealing with it as best as I could, I looked to the Web for stories about hacked Facebook accounts, looking for reassurance that my case would probably be resolved.
Scarily, it was difficult to find much! There was one thread on a community forum inside Facebook where someone had posed a similar question, but the lack of response was worrying…
So I decided to write up my experience in the hope that if it’s just happened to you, and your Facebook ads account has just been hacked, you might find this post and be reassured. I’ll also include some tips from any “lessons learned” along the way.
My Facebook Ads account got hacked
I’m not a huge Facebook advertiser. My entire history is limited to a handful of campaigns, and only ever spending small amounts (less than £20). Just dabbling, really.
At the time my ads account got hacked, I had no ads of my own running, and the last one I ran was about three weeks prior.
The first sign my fb ads account had been hacked
I received an email from PayPal informing me that Facebook had taken payment for the sum of about £22. This was late Friday afternoon.
I remember thinking that it seemed slightly strange, but assumed it was for the previous run of promoted posts I’d run a few weeks prior. The amount seemed about right, if a little higher than the limit I had probably set.
I thought little more of it.
Within a half hour, I’d received another email from PayPal, and guess who had taken more money? Yep, Facebook of course, and this time they had taken a further £42.
Ok, alarm bells. Something is not right.
There are probably phishing scams out there too, so don’t click on any links in the email. Open a new browser window and go direct to Facebook from your address bar.
The shock discovery in my Facebook Ads account.
When I logged in to Advert Manager, I could see the evidence of the two recent bills. I could also see that there was an “outstanding balance” of over £100!
Most shockingly, there was an advert running that I did not recognise, and that I certainly had not created. Hideously, it was set up to spend up to £1200 per day, and had already breezed through just over £168.
I nearly died.
My Facebook Ads account had been hacked!
My first priority was to deactivate the ad so that it didn’t continue to burn through the budget. If I did nothing, this sucker was going to drain me of £1200.
In my state of mild panic, I couldn’t immediately remember how to turn an advert off! I clicked into the ad and saw that I could limit the daily spend, so I knocked that down to just £5.
Looking at the overview again, I remembered the obvious slider switches that allowed me to deactivate the ad.
Phew, it was off.
But how had someone accessed my account?
I have absolutely no idea, but my first action after shutting the ad down was to change my password. If someone out there had somehow accessed my account with my password, I needed to change it ASAP.
Fb will make you change it again after you’ve reported the issue, but you need to do it at this point for immediate protection.
While you’re changing your password you can also opt in to get notified every time your account is accessed from a new source. This could help you in future, so say yes.
Onward. With damage limitation in place, the next step was to address how I could get my money back.
Reporting a hacked ad account to Facebook.
This wasn’t terribly easy or intuitive. I’m happy to conduct most interactions online and fully understand the “channel shift” ethos within a professional customer services setting.
But sometimes you just need to speak to a real person, don’t you?
Let’s face it, when this happens to you, you have been robbed. It’s a personal violation and it’s very unnerving. You want to make sure that you’re taking the appropriate steps and to be reassured that it will all be sorted out.
To speak to someone at Facebook would be very helpful.
Forget it – this is not going to happen.
You won’t get to speak to anyone at Facebook.
It turns out that there are various ways and multiple forms that you can use to alert Facebook about a hacked ads account.
I ended up submitting my case via two different forms that both seemed appropriate. Reflecting back, I think either form would have resulted in the same outcome, so it probably doesn’t matter which one you use. Just report it.
Use this form to report your hacked fb ads account. As you select options, new sections of the form will appear.
Tip: supply all the info that’s requested and write a concise account to help the fb staff.
After submitting your enquiry, you get a message saying they’ll look into it and be in touch. The forms I used suggested a likely response time of 1 working day. (It took longer)
I phoned PayPal.
The great thing about PayPal in this situation is that you can phone them and actually speak to a person!
After explaining the situation, PayPal explained that I would need to contact Facebook regarding the refunds of the two amounts taken.
This felt like a good safety net, in terms of damage limitation, and in a situation where fb might not respond to help requests, I’d certainly have their attention if they were failing to collect payments they thought were due.
How long did Facebook take to reply?
I got my reply after three working days (on Wednesday afternoon), so I’d actually gone FIVE days between the incident and hearing from fb.
This felt like quite a long time to wait and one wonders how much quicker they might be if they refined the process so that people didn’t feel the need to submit their help requests several times via different forms because it’s so messy and unclear.
How Facebook responded to my hacked ad account.
I’m pleased to be able to say that Facebook acknowledged that my account had “been compromised” and that they then refunded the two amounts that I had been charged via PayPal.
But it was frustrating to log in and discover that the “outstanding balance” of just over £100 was still there!
So it was necessary to start over with a new form, re-tell the story all over again and request that they scrub the outstanding balance.
Another three days later, I received an email saying it had been done, and apologies for the inconvenience.
Actually, one positive part of this process is that when you do get a reply from fb, you can just email them back and continue the thread of conversation if necessary. It’s not just a “no-reply” address.
One final annoyance.
For some reason, despite being able to deactivate the rogue ad, I was not able to edit or delete it.
It didn’t feel great to have it sitting there in my account. I replied to my guy (whose name was actually Guy!) and he seemed to tweak something and eventually I was able to delete it.
Confidence restored in my Facebook ads account?
Hmm, that’s a tricky one.
Yes, I am pleased with the outcome. I got the refund and they cancelled the charges, as it was plainly obvious that the ad was created by someone other than myself, to promote something that was nothing to do with me.
But I am now more cautious. I still have no idea how the breach occurred.
Final tips on securing your Facebook ads account
There are a couple of additional precautions you can take that might help protect your account in the event of it being compromised.
Set up security alerts (login alerts)
You can be notified if your fb account is accessed from a new device. These are called Login Alerts and you can access them via the Security menu.
Put limits on your Ads account
You can edit your billing threshold and your spending limit, within your ads account.
This could help reduce the damage of a rogue ad. Even if the hackers changed these settings, the system should notify you about the change, so that in itself would be a useful warning to investigate your account.
I hope that most fb advertisers will never need to read this article.
But if you have ended up here, I’m assuming that you have also been hacked, and I hope that the post provided you with a) some reassurance that you are likely to recover the charges and b) some helpful advice to help keep your account secure in future.
Was your fb ads account hacked?
Did you get the money back?
Please share your story in the comments!