Posted on November 17th, 2020
Aimclear recently had the opportunity to help out a local business that was having an issue with unauthorized access to their Facebook page.
The basic timeline of the breach was:
- [Owner]’s Facebook account was breached
- Hacker added themself as an admin of [Company] business manager
- Hacker posted spam as Owner, resulting in [Owner]’s account being suspended
- Hacker continued to create spam posts for [Company] page
- [Co-owner] had access to [Company] page as administrator outside of Business Manager
- [Owner] created a new FB profile and was added as an admin of [Company] by [Co-Owner]
- [Owner] and [Co-Owner] were able to post to [Company] page and delete spam posts as they appeared, but could not do anything else preventatively
Understandably, the owners of this business were frustrated and at a loss as to what to do. The final resolution was for [Owner] to dispute his account suspension, and then remove all unauthorized parties from the [Company] Business Manager as soon as he regained access.
The issue was solved, but it caused a great deal of trouble. Many businesses don’t have the resources for a dedicated IT staff, which might have mitigated this risk. Lucky for you, we have some great tips on preventing this type of breach and protecting your assets.
Use Multi-factor Authentication
Multi-factor (also called two-factor) authentication (MFA or 2FA) requires a user to present more than one piece of evidence to log in. The most common way to do that is with a password plus a code that is sent via email or SMS, or generated by an app. This protects your account against a leaked or guessed password, because anyone attempting to log in with the password alone would have only one factor.
My go-to for authentication apps is Authy. It’s free and offers the ability to save your authentication tokens so that you can recover them when switching phones. You can also access them from the desktop, so if you leave your phone at home (or it’s just slightly out of reach, no judgement) you can pop open the app on your Mac/PC and still have everything you need.
MFA is becoming more ubiquitous each day – TwoFactorAuth offers a great resource, showing you what sites use it and linking to the instructions for most.
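As an added illustration (not part of the original post), here is how an authenticator app's six-digit code is produced and checked. It uses the published RFC 6238 test key as the demo secret, and the login check shows that a correct password with a wrong code is still rejected.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret_b32, int(at // step), digits)


def verify_login(password_ok: bool, code: str, secret_b32: str, at: float,
                 window: int = 1) -> bool:
    """The second factor is only checked once the password (first factor)
    passed; accepts the current code plus/minus `window` steps of clock drift."""
    if not password_ok:
        return False
    counter = int(at // 30)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret_b32, c), code):
            return True
    return False


# Demo secret: the RFC 6238 test key ("12345678901234567890"), base32-encoded.
# A real app secret is shown once as a QR code when you enrol.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    now = time.time()
    print("current code:", totp(DEMO_SECRET, now))
    # A stolen password alone does not get in: the code is also required.
    print("password + wrong code accepted?", verify_login(True, "000000", DEMO_SECRET, now))
```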
Limit Admin Rights
Yes, I know it is easiest to give everyone full access instead of trying to decide how much to give and then sometimes adjusting it later. BUT, it’s also a bad idea. In IT we use the “Least Privilege Model,” which gives everyone the least amount of access needed to do their job.
For example, in Facebook, not all employees need admin access to a page. Cutting down on the number of admins greatly reduces your attack surface: every admin account is one more that can be phished or breached.
Consider Logins and Role Delegation
This goes hand-in-hand with the three previous points – it’s nearly impossible to accurately know who has access to properties when everyone uses the same login. Many marketing and social sites offer team features that allow you to give users access to your information (and set varied permission levels): Organic Twitter has Teams (accessible via TweetDeck), paid Twitter has multi-user login, Google Ads has My Client Center, Bing Ads has agencies, Google Analytics has user management, Facebook has business manager, Gmail offers account delegation… the list goes on.
Use a Password manager
Unfortunately, you likely have at least one site or profile that does not have multi-user options (such as reddit). In these cases you have two main options:
- Share the login information using a secure platform, like encrypted email, a phone call, or a service like quickforget.com.
- Use a password management service that allows sharing, such as LastPass, BitWarden, or the unfortunately named KeePass.
The major boon of a password manager is that you can reduce the number of passwords you need to remember down to a single master one. Most managers can also securely store other information, such as credit cards, server log-ons, and Wi-Fi keys.
Check Connected Apps
Facebook has scaled back the permissions available to third parties post-Cambridge Analytica, but that doesn’t mean everything left is safe. Apps can be hacked or go rogue, and there is no reason to offer free access to parties that don’t need it. Regularly browse Facebook’s Apps & Websites area and revoke permissions from properties that you aren’t actively engaged with. Business Integrations is the other spot where connections may be lurking.
When you are no longer working with a client, employee, or vendor, have a protocol in place to ensure they no longer have access to your systems. This can be a simple checklist that lists your properties or spaces where these users might have access.
Conduct Periodic Audits
Every so often (depending on how often things change and how many people have the ability to change them) run a quick audit of your systems to ensure users have the correct access and there is no one remaining who no longer needs it. This is especially important on properties where you have multiple admins.
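One way to run the audit described above, as an added example that is not part of the original post: it compares a roster of who should have access (and the most access their job needs, per the least-privilege advice earlier) against a snapshot of who actually holds a role, and flags unknown users, stale access, and over-privileged accounts. The roster, snapshot, and role ordering are constructed sample data; in practice the snapshot comes from each platform's user-management screen.

```python
from collections import Counter

# Roles from least to most powerful (assumed ordering for this demo).
RANK = {"analyst": 0, "advertiser": 1, "editor": 2, "admin": 3}

# Roster: who should have access to which property, and the highest role
# their job needs. Constructed example data, not a real company's.
ROSTER = {
    "owner@example.com": {"Company Page": "admin", "Business Manager": "admin"},
    "coowner@example.com": {"Company Page": "admin"},
    "intern@example.com": {"Company Page": "editor"},
}

# Snapshot of who actually holds a role right now (constructed; you would
# export this from each platform's user-management screen).
CURRENT_ACCESS = [
    ("Company Page", "owner@example.com", "admin"),
    ("Company Page", "coowner@example.com", "admin"),
    ("Company Page", "intern@example.com", "admin"),        # more than needed
    ("Business Manager", "owner@example.com", "admin"),
    ("Business Manager", "unknown-user-8817", "admin"),     # nobody we know
    ("Ads Account", "coowner@example.com", "advertiser"),   # stale access
]


def audit(current, roster):
    """Return (kind, property, user, role) tuples for every deviation."""
    findings = []
    for prop, user, role in current:
        allowed = roster.get(user)
        if allowed is None:
            findings.append(("not_on_roster", prop, user, role))
        elif prop not in allowed:
            findings.append(("no_longer_needed", prop, user, role))
        elif RANK[role] > RANK[allowed[prop]]:
            findings.append(("excess_privilege", prop, user, role))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'not_on_roster': 1, ...}."""
    return dict(Counter(kind for kind, *_ in findings))


if __name__ == "__main__":
    for kind, prop, user, role in audit(CURRENT_ACCESS, ROSTER):
        print(f"{kind:18} {prop:18} {user:28} {role}")
```

An unknown admin on the Business Manager is exactly the situation in the timeline above, so that finding is the one to act on first.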
This is by no means an exhaustive list, but hits the primary spots to secure. Yes, it’s less convenient than having all of your passwords set to “hunter2” and shared among everyone, but it will save many hours of headache down the road.
As for the aforementioned company we were assisting – they have already implemented many of these points.