I’m Christine, the founder and owner of Say Front, a creative digital marketing agency serving small businesses. We specialize in social media marketing, particularly with Meta’s platforms like Facebook, Instagram, and Threads. I’ve partnered with Cosmistack on this blog post to spread awareness about the cybersecurity risks on social media and how to prevent them.
Here's how I turned a client's Meta Business Suite hack from a potential disaster into a 24-hour recovery story.
As a disclaimer, account recovery after a hack is not a service Say Front or Cosmistack provides. If you’re a client with either of us and experiences it, we can do our best to help, but this is out of our service scope and there are no guarantees. Neither Say Front or Cosmistack are affiliated with Meta, and all rights to their logos or trademarks remain the property of Meta.
Background on Meta’s Business Suite
Meta Business Suite is a centralized platform that allows businesses to manage their Facebook, Instagram, and WhatsApp accounts from a single dashboard. Instead of scrambling between platforms, you can do everything from posting content and running ads to checking your stats and responding to customers, all from one central dashboard.
In our situation, my client has a Facebook page and Instagram account, where you’ll read later on how the Instagram account helped us regain control.
How It Happened
It started with an email from Facebook about a potential copyright infringement (because we boosted a Reel with a song) to my client’s inbox, then a message through Facebook Messenger that said this:
Because they received the copyright infringement email, my client thought this message about trademark violation was related—which it was not. My client took action by clicking the link, unknowingly gave their login information, and their personal Facebook account was taken over within several hours.
I was not made aware of this until a strange email came to their inbox, in which then they informed me about what happened. This strange email said that their personal Facebook account was added to another’s Meta Business Suite account.
Later that evening, my client received an email that they were kicked out of their Meta Business Suite account. I immediately advised them to lock their credit card and enable two-factor authentication on their Instagram account. The hackers were after the ads account to run scam ads at my client's expense.
My client also had to provide documentation to Facebook to regain access to their personal account, which, according to Facebook, would take up to 48 hours. At that moment, I anticipated the worst and went to Google for help.
How to Regain Control After Getting Hacked
Luckily, we caught this fast enough, so the experience went from a nightmare to an inconvenience. We pieced together different sources of information to help us, so here’s what we did:
As I was a user with partial access to the account, we used my client’s linked Instagram account to give me full access to the Business Suite account.
Logging in through Instagram:
- 1. Go to business.facebook.com
- 2. Log in with your business’s Instagram account instead of your Facebook account.
- 3. From the Meta Business Suite homepage, locate and click the Settings gear icon in the bottom left.
- 4. Navigate to Users, then to People.
- 5. Add a trusted user (if you don’t have access to your Facebook profile anymore) or update the status of a trusted current user to Full Access.
- 6. Once you or the designated person has Full Access, regain control of the account.
From there, I countered the hacker’s actions by disconnecting any partner pages (a feature that allows you to collaborate with business you work with) and fake Instagram accounts they added.
We had some challenges with the interface when I would verify my account. I would receive the email, but the window to put into the code wouldn’t pop up. If this happens to you, try clearing your cache or restarting your browser, then try again.
Once I added my client back, our final challenge was to remove the hacker. It took some technical know-how, but we did it! We regained the account within 24 hours.
How to Protect Your Meta Business Suite
If this story made your head spin, your first line of defense is to prevent this from happening to your small business.
- 1. Always have a second user on your Meta Business Suite
- a. It can be your personal account and work account if you’re managing your account on your own
- 2. Enable two-factor authentication
- 3. Official Facebook messages will never come from a personal account
- a. Before doing anything, check the account or email it's coming from
- 4. If you feel the urgency to act, it’s a sign that it could be a scam
- 5. Always consult someone else before taking action
- a. A second pair of eyes can help determine the authenticity of the message
Although we regained control, the hiccups are nearly far from over. Remember that strange email? They did that to flag my client’s personal Facebook account as untrustworthy to Meta, and so, there was a disruption in our ability to continue our ad campaign.
Get Your Free Cyber Threat Assessment Report
At Cosmistack, we know the risks a small business can face because we’re one, too. Did you know that 91% of data breaches start with a phishing email? (Source: Deloitte)
When you protect your data, you're protecting more than your business—you're safeguarding every customer and client who's placed their trust in you. Our Cyber Threat Assessment Program gives you a clear picture of your vulnerabilities and a roadmap to protect your business. Schedule your free consultation today and take the first step toward comprehensive protection for everyone who counts on you.
