The Facebook account of the CEO of a highly successful marketing company was recently compromised by hackers.  Within the short span of a weekend, the hackers managed to execute ad campaigns worth more than $250,000 for their online gambling platform using the CEO’s account.  Additionally, they removed the CEO as the admin, resulting in the complete shutdown of the company’s Facebook account.

They were not insured for this kind of fraud, and they were surprised to find out that neither Facebook, their bank, nor their credit card company would reimburse them.  Facebook claimed that there was no fraud since the hacker used their valid login credentials, and Facebook is not responsible for the security of personal credentials.  Additionally, as they did not have the necessary insurance to cover the losses, they have to bear the full costs.

They not only lost $250K, but they also must rebuild their Facebook audience from scratch, a process that took them years to establish.  This whole debacle is expected to result in a loss of at least half a million dollars when everything is calculated.

In a separate occurrence, upon logging in to their account, a different company discovered that all their advertisements had been paused.  At first, they assumed it was a technical error on Facebook’s part, but soon realized that their account had been compromised.  The perpetrator not only paused their legitimate ads but also created 20 fresh ads promoting a weight-loss spam website, allocating a staggering budget of $143,000 per day, resulting in a $2.8 million total.

Due to their spending limits, the hackers wouldn’t have charged $2.8 million; however, due to the high budgets set, Facebook’s algorithms quickly started running the ads.  As quickly as they were pausing campaigns, the hackers were just as quickly enabling them again in real time, playing a frantic game of “Whac-A-Mole” until they found and removed the compromised account.

The account that was compromised belonged to a legitimate user of the account who had THEIR account hacked.  As a result, Facebook refused to reimburse the lost funds and deactivated their account, deleting all campaigns.  Luckily, they detected the hack early and took immediate action, limiting their losses to approximately $4,000.  However, their account was unable to run ads for a duration of 2 weeks, resulting in a loss of revenue.  They estimate their overall damages to be between $40,000 and $50,000.

Upon hearing these true stories, many individuals firmly believe that someone other than themselves should bear the responsibility and cover the incurred losses.  They assert, “It wasn’t our fault!”  However, the undeniable truth remains that if you allow your Facebook account – or any other online account – to be hacked due to weak or reused passwords, no multifactor authentication (MFA) enabled, inadequate email or device security measures, it is 100% YOUR FAULT when a hacker compromises your account.

Facebook is just one of the cloud applications many businesses use that can be hacked.  It’s important to note that any business using any type of cloud application, even those claiming to be secure, CAN STILL BE HACKED if the right credentials are obtained.  In the case of the Facebook incidents, the compromises were not due to a security flaw, but rather the mistake of one employee.

The BEST way to handle this is to NOT get hacked in the first place.  Here’s what you need to do to protect yourself:

  • Make sure your employees are aware of these scams by sharing this article. Cybercriminals’ #1 advantage is people’s hubris, as many businesses and individuals believe they are not at risk of being hacked and therefore do not prioritize robust cyber protections.
  • It is crucial to generate strong, unique passwords for EVERY application that you and your team log into. Utilize a reliable password management tool like Keeper to effectively manage this task, but keep in mind that IT MUST BE USED IN ORDER TO WORK.  Avoid allowing employees to store passwords in Chrome and bypass the designated password management system.
  • To enhance security, limit the number of individuals logging into an account. Grant access to those who require it and promptly remove them as users once their access is no longer needed.  The risk of a breach increases with the more users you have on a cloud application.
  • Make sure all devices connected to your network are secured against potential threats. Keylogger malware can reside on a device, enabling unauthorized access to your sensitive data and credentials.

If you haven’t had an independent third party conduct a security audit in the last 6 months, you’re due for one.  Click here to schedule a Discovery Call today, to see just how secure your organization truly is.  It’s completely free and confidential, without obligation.  Small business owners face a tsunami of threats, with the most susceptible being the ones who never “check the locks” to ensure their current IT company is doing what they should.