The story so far
I was toiling along nicely, having finished the endless product mockups, edited the metadata, gotten approvals from Google and Facebook Shops, and started diligently creating a business Facebook and Instagram page to accompany the Shopify website. I was ready to dip my toes in advertising. And then I made my first mistake—well, second, really, but I did not know about the first one until two days later.
This particular mistake was trivial. I accidentally selected a messaging campaign in which I asked people to message me.
There were two consistent things. The first is that the only people who responded appeared to be shop owners, who invariably, within 3-4 lines of introduction, were trying to connect me with "their guy" on Fiverr or elsewhere. I found this all a little suspect after the second and third discussions, but I let it slide, kept my guard up, and agreed to at least speak to some of these people.
I killed that campaign after a day and maybe $20 in ad spend; it turns out messaging campaigns are not cheap.
So I had a video spun up and let it go on Instagram and Facebook. It started well but came crashing down within 36 hours.
I reached about 1,500 users, of whom about 60 bothered to click and check out my store. Most people did not get past the first page, but about 15-16 looked at some product pages, so I was happy. I could work with this…
I woke up Sunday morning and saw that, while not impressive, I was still getting some clicks early Sunday. That is when I saw another business account with my name but some stranger's email. They appeared to be running an ad campaign and hosting the image in one of my Instagram accounts. Since I still had control of that account, I could delete that post, which crashed the ad campaign.
Upon further inspection, I saw that I had only read-only access to this ad account. I had just been hacked and was in for a world of hurt.
Within 2-3 hours of alerting Facebook, two banks (one primary and one backup) independently shut down transactions as fraud originating from Facebook invoices.
In short order, Facebook shut down 3 Facebook and 2 Instagram accounts. Fortunately, my personal Instagram was spared.
I contested about $600 in fraud charges to Facebook, and the banks immediately credited me while starting investigations, so thank God for that. Still, the real toll here is the time it took to restore, strengthen, get back to square one, and start some useful advertising. All told, I lost 2-3 weeks to this.
So let’s get back to the first thing.
I have had my Facebook account for about 15 years now. In my quest to restore my accounts, I discovered that I have not changed my password for Facebook in nearly 15 years.
Long enough that the remnants of my one-password-to-rule-them-all solution from 15 years ago have come back to bite me. The attack on me felt like a root-level attack, so once I was targeted, it was easy to look up any common passwords for my username on the dark web and try a few.
I do not know for a fact that the people referred to me from Nigeria and India who wanted desperately to help me with my SEO and sell me back-links and expensive templates are the ones who hacked me, but I do not rule it out.
I do not fault Facebook for not forcing me to change my password for so long. I imagine there are still people in this world who freak out at having to do 2FA and would rather abandon their accounts, or who have managed to get themselves locked out because 2FA confuses them or scares them. For the billion or so phobic people, I get it. So for you and me it was security through obscurity for a good long time.
What bothers me is that Facebook pretty much requires that even businesses attach a real name to the account.
It seems that the price of doing business with Facebook should include forcing you to set up 2FA.
So my new life lesson: 2FA early, 2FA often.
So my next installment is an analysis of my currently ongoing ad campaign.