How Hackers Hijacked My Client’s Meta Ads – And How You Can Protect Your Business


I debated sharing this story.


It makes the main service I offer (Meta ad management) seem riskier than I’d like. But I highly value transparency, and I’d rather err toward oversharing than its opposite.

While I realize that I don’t have to tell you everything that happens behind the scenes at Two Story (like the fact that Tom sometimes writes his weekly emails lying down on a sofa with the laptop on his chest, looking strangely like Larry the Cucumber in therapy), I do want to tell you the things that 1) have an outsized impact on the marketing work I do, or 2) take up outsized space inside my head.

Last month’s hack qualifies in both categories.

So, I’ve decided to share what happened in today’s email. Here’s how my agency was hijacked to run $2,000+ worth of scam ads for women’s clothing – and what I ended up doing about it.

It started with a bang.

On June 14th, one of my clients emailed me to say that he’d seen a “suspicious ad” appear in his account.

“Suspicious” was probably an understatement. The ad looked like this:

Not a great approach for driving Spotify streams, one would think. But the ad was included in one of our Spotify conversion campaigns, and it was set to spend a daily budget of $20,000. For reference, our previous daily budget was $33.

My client immediately disabled the ad, and I immediately set about trying to find out how it had been published. I couldn’t find anything in the campaign history, and I didn’t see anything out of the ordinary in my own user data. So I didn’t take any action inside of the account, but I told my client we’d closely monitor things, and he and I both changed our Facebook passwords.

Unfortunately, later that same day, another ad was launched – this time at a daily budget of $30,000. And this time, the culprit was clear:

It had been created by a contractor on my agency team.

This was confirmed when that contractor emailed me (subject line: “URGENT”) to let me know that his personal account had been hacked and asked that I remove his access to all of our client accounts.

At this point, my heart was in my throat.

At Two Story, we run ads from inside our clients’ ad accounts using partner access. I think this is the best way to do things, because it means that our clients own all of their data and video assets when they work with us (and if / when they stop working with us, they still have everything we did, so they can use it on their own in the future).

But in this situation, our approach also meant that the hackers had access to five different ad accounts through my contractor’s profile. And I was freaking out that the hackers would find a way to take advantage of that.

I quickly went in and entirely removed the hacked profile from our business portfolio. Unfortunately, the hackers had already launched a scam ad in another client ad account. We caught this one right away, but because the daily budget was so high, it still ended up spending a couple hundred bucks before we turned it off.

At this point, I was pretty upset, but I also figured that the episode was just about over. Presumably, with the contractor profile deleted, the hackers no longer had access to our agency accounts.

And then, later that night, it happened again.

Yet another scam ad was launched in the originally hacked ad account. This time, we didn’t catch it right away (it went live in the middle of the night), so by the time it was taken down, the client had been charged over $1,000.

And to make matters worse, they got a notification from Meta that their ad account had been flagged and suspended, too.

We eventually found out that the hackers had set up automated rules to re-launch the ads at midnight every night.

(I’m still kicking myself for not checking that right away.)

Once we deleted the automations, we were finally in the clear. But we were left with a whole bunch of rubble to sort through.

I ended up refunding both hacked clients for the costs of the hack. In total across both accounts, it came out to around $2,000.

Fortunately, after a lengthy review process on Facebook’s part, the client who was more severely impacted ended up getting his ad account reinstated and his money reimbursed.

So far, my contractor hasn’t been as lucky – he was using his personal profile to run his own agency, and he lost access to it overnight (as well as a bunch of his own money). Last I heard, he was still waiting on Facebook’s review.

I guess things could’ve been worse. But still. I can’t say it’s fun to wake up and find that you’ve had a couple thousand dollars stolen from you, and I felt absolutely terrible for the impacted clients.

The episode freaked me out.

We still don’t know exactly how it happened.

Maybe my contractor’s Facebook password was posted somewhere online. Or maybe a bot was able to brute force its way in.

Or maybe he clicked one of those spam messages from somebody pretending to be Facebook support:

⬆️ If you start running ads from a page, you will inevitably get these sorts of messages.
Flag them as spam or ignore them… but whatever you do, do not click those links.

Hopefully, we can eventually find out how the hackers got access to his account. But in the meantime…

Here’s what I’ve changed going forward.

  1. My passwords. No more “password” for me – you better believe I’m at least adding an exclamation point. Or a comma if I’m feeling tricky.

(That’s a joke, obviously. I can be dumb, but you should know that my password was definitely not password… definitely not.)

  2. I’m much more judicious with user access. If you want somebody to work inside of your ad account, there’s no avoiding giving them access. But now I make sure to only give the minimal amount of access needed and to restrict access as soon as a project is done.
  3. I’m starting to set up automated rules against huge budget increases. Smart hackers would turn these off, but I’ve watched Home Alone, so I know that not all pernicious people are particularly smart. Sometimes, booby traps work.

Oh, and this was actually already set up, but it’s also worth mentioning:

  4. I’ve got 2-factor authentication turned on. Is it annoying to type in a little code every time I log into an account? Yes. Is the extra security worth it? I sure hope the answer is also yes.
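The “booby trap” idea above can be turned into a simple monitor. The script below is an added example, not code from the post or from Meta: it walks a constructed list of ad-account activity records (modelled on the events described here: a daily budget jumping from $33 to $20,000, a new automated rule, and an ad switched on at midnight) and flags the three patterns the story turns on. The record layout, thresholds, and names are assumptions, not the Meta Ads activity-log format.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class ActivityEvent:
    """One change in an ad account. Constructed shape for this example, not Meta's."""
    ts: datetime          # when the change happened (account-local time)
    actor: str            # user or rule that made the change
    kind: str             # "budget_change", "ad_status" or "rule_created"
    entity: str           # campaign, ad or rule name
    old: object = None    # previous value, where applicable
    new: object = None    # new value


# Thresholds are assumptions; tune them to the account's normal spend.
BUDGET_FACTOR = 5.0         # flag a daily budget that grows more than 5x
BUDGET_ABSOLUTE = 1000.0    # or any daily budget above $1,000
QUIET_START = time(22, 0)   # activations between 22:00 and 06:00 are suspicious
QUIET_END = time(6, 0)


def is_budget_spike(old: float, new: float) -> bool:
    """True if a budget change is large in absolute or relative terms."""
    return new > BUDGET_ABSOLUTE or (old > 0 and new / old > BUDGET_FACTOR)


def in_quiet_hours(t: time) -> bool:
    """Quiet window wraps around midnight, so: after start OR before end."""
    return t >= QUIET_START or t < QUIET_END


def check_event(ev: ActivityEvent) -> list[str]:
    """Return zero or more alert strings for a single event."""
    alerts = []
    if ev.kind == "budget_change":
        old, new = float(ev.old or 0), float(ev.new or 0)
        if is_budget_spike(old, new):
            alerts.append(f"budget spike on {ev.entity}: ${old:,.0f} -> ${new:,.0f} by {ev.actor}")
    elif ev.kind == "ad_status" and ev.new == "ACTIVE" and in_quiet_hours(ev.ts.time()):
        # An ad going live in the middle of the night is exactly what the
        # midnight re-launch rule in the post produced.
        alerts.append(f"ad {ev.entity!r} activated at {ev.ts:%H:%M} by {ev.actor}")
    elif ev.kind == "rule_created":
        # Any new automated rule deserves a human look; attackers used one to persist.
        alerts.append(f"new automated rule {ev.entity!r} created by {ev.actor}")
    return alerts


def audit(events: list[ActivityEvent]) -> list[str]:
    """Run every event through check_event in chronological order."""
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        findings.extend(check_event(ev))
    return findings


# Constructed sample activity, loosely following the timeline in the post.
SAMPLE_EVENTS = [
    ActivityEvent(datetime(2024, 6, 13, 10, 5), "owner", "budget_change", "Spotify Conversions", 30, 33),
    ActivityEvent(datetime(2024, 6, 14, 9, 41), "contractor", "budget_change", "Spotify Conversions", 33, 20000),
    ActivityEvent(datetime(2024, 6, 14, 9, 42), "contractor", "ad_status", "Clothing ad 1", "PAUSED", "ACTIVE"),
    ActivityEvent(datetime(2024, 6, 14, 16, 20), "contractor", "rule_created", "Reactivate ads daily", None, "00:00"),
    ActivityEvent(datetime(2024, 6, 15, 0, 0), "automated_rule", "ad_status", "Clothing ad 2", "PAUSED", "ACTIVE"),
]


if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Run as-is it prints three alerts: the $33 to $20,000 budget jump, the new automated rule, and the midnight activation; the routine $30 to $33 change and the daytime activation pass quietly. In practice you would feed it the account's real activity log and send the alerts to whoever can pause the account fastest.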

So, that’s what happened and what I’m doing about it. I guess I’ll end by bringing up the obvious question…

Is this a reason not to run ads?

Ah, I don’t know. I could see an argument to that effect.

But last month, we had our debit card hacked because my wife clicked on a spam link from some hacker spoofing the post office. I don’t think I’d make an argument that just because someone can impersonate the post office means you should never send a package again – you know?

Again, for my clients, things worked out about as well as they could have; I refunded the money, and Meta reinstated the suspended account. And for my part, both clients were incredibly gracious to me throughout the process.

So, yeah, I don’t know. The world is weird, scary, and spammy. It’s good to be careful, but that doesn’t mean you need to hide all your money under your mattress or live like Adam Levine and Lonely Island in “YOLO”. Be smart.

And when that fails, be annoyingly persistent with customer support. Sometimes that works better.

Thanks for reading! On a related note…

Want more people to hear your music?

Here are three ways we can help.

📕 Take our free mini-course on Spotify marketing. To-the-point lessons to help you master the only four direct ways to get (real) streams.

🙌 Join our Spotify growth membership. You get 1:1 calls with me, cutting edge courses, and access to a cool community of other artists.

📈 Hire us to promote your music. We run Meta ads to help artists get more streams and engagement on Spotify. It works and we’re pretty good at it.
