Last week, Bookmarks [4], a literary nonprofit and bookstore located in Winston-Salem, North Carolina, had its Facebook page [5] hacked, which, as Operations Director Jamie Rogers Southern explained, “turned into quite a learning opportunity!” The hackers changed the organization’s profile and cover photos, but posted nothing offensive or malicious.

Staff discovered the problem when all of the administrators for the Facebook page received an e-mail from Facebook stating that their privileges had been revoked. After determining that the page had been hacked through the assistant manager’s personal page, it took about 24 hours (and a lot of stress) for Bookmarks to regain control of the page.

Here, Southern shares what the Bookmarks team learned.

Preventive Measures

• Make sure anybody with admin access to your page has an updated e-mail address and phone number in Facebook. In our case, the admin that was hacked had an outdated e-mail address and phone number, which made reinstating their account (and proving their ID) much more difficult.
• Set up extra security measures on your account. Get alerts about unrecognized logins so you’ll be aware if your account is used on another browser or device. Choose three to five friends (who are not page admins) to assist with the reset process if you get locked out. Use two-factor authentication, which requires you to log in with a code from your phone as well as a password.
• Clearly communicate any account changes with your staff. Make sure they know that if they receive a message that their admin privileges have been revoked to immediately check with other admins. You don’t want employees to ignore this e-mail!

If Your Page Does Get Hacked

• Immediately file a report with Facebook and have every admin on your page do the same. Identify which account has been compromised, be clear on who/what should be reinstated, and include any other details that would help Facebook assess and fix the situation. When Facebook reinstated our roles, they unfortunately only reinstated us to positions like “analyst,” which didn’t allow us to perform the necessary tasks to secure our page. We needed to be reinstated as admins to kick the hacker out! 
• Spread the word: If possible, post from your personal accounts that the store account has been hacked. This will make your followers (who hopefully follow the page) aware in case they see strange links on the page. Get employees to share on their accounts as well.
• Check your bank accounts: If the account that was hacked has a stored credit card for buying ads or fundraisers, notify your credit card company. Because we have fundraisers through Facebook, we also alerted our bank to be on the lookout for suspicious activity.

When Everything is Resolved

• Let your followers know that your account was hacked (in case they saw questionable activity) and thank them for their patience.
• Assess the damage and clean up your page. Check contact information and other profile information, pictures, posts, and messages, and delete all content related to the hack. Review your page followers and people who have liked your page to ensure that the people who hacked your page are not still associated with your account. We looked through activity for the past 24 hours and discovered several questionable profiles that had started following us in that timeframe and then banned them from our page. 

Learn more about what to do if your Facebook account is hacked [6].

Tell BTW if you have tips to share from your store! BTW welcomes all comments, suggestions, queries, and letters to the editor at [email protected] [7].