The Recent Facebook Data Breach: How eCommerce Brands Should Protect Ad Accounts

June 28th 2021
6:07:21 pm

Privacy is a massive concern in today’s world, particularly as it pertains to online activity. A big part of why privacy has become such a hot button issue is that, while companies have become increasingly invasive with the types of data they collect, those same businesses are constantly losing people’s information to malicious hackers.

That said, in completely unsurprising developments, Facebook was recently compromised once again, leading to over 530 million of its users’ names, phone numbers, locations, email addresses, and other critical information becoming jeopardized.

In a more shocking turn of events, or its implications.

As NPR reports on the matter:

“According to the spokesman, the company does not have complete confidence in knowing which users would need to be notified. He also said that in deciding whether to notify users, Facebook weighed the fact that the information was publicly available and that it was not an issue that users could fix themselves.”

As distressing as this news may be to consumers and business owners alike, what is even more concerning is that this type of haphazard handling of user information seems to be something of a common occurrence for companies like Facebook, and for Facebook in particular.

Given the frequency with which these types of data breaches tend to occur, today, we will be exploring how to go about protecting Facebook Ad accounts.

However, before we dive into the details of safeguarding Facebook ad account privacy, let’s take a stroll down memory lane and examine just how many times Facebook has allowed its users’ information to be stolen by malicious actors.

A History of Facebook Data Breaches

As unfortunate as it is, Facebook has a nearly decade-long track record of high-profile data breaches. Moreover, despite never facing serious repercussions, Facebook was single-handedly responsible for the most data leaked in 2019.

With that quaint fact out of the way, here is a history of Facebook’s most notable data breaches.

2013: Six Million Users Impacted

Way back in June of 2013, Facebook uncovered a bug that allowed for the personal data of to unauthorized individuals over the course of a year.

As a result, email addresses and phone numbers were left exposed. Worse yet, anyone who knew of one piece of contact information for a person or who was connected to an impacted user could access the data.

The technical glitch began in 2012 but was not noticed until partway through 2013. The company reportedly fixed the bug and reported it to regulators and impacted users before making a public announcement.

While the size of the leak was undoubtedly significant, it would pale in comparison to the data breaches that would follow.

May 2018: 14 Million Users Impacted

Facebook gives its users access to a variety of different privacy settings for their posts and profiles. Therefore, people can share posts only with specific individuals or groups if they so choose.

However, in May of 2018, a glitch in Facebook’s system resulted in without the users’ knowledge or consent.

While the bug was only active for a handful of days and the glitch far less impactful than some of the others on this list, the private lives of 14 million people were nonetheless on display for all to see.

March 2018: 87 Million Users Impacted

In what would become one of Facebook’s most notorious and public data breaches–March of 2018–it became clear that the social media giant had mishandled its users’ information once again, allowing a shady data modeling company called through a third-party application called “thisisyourdigitallife.”

on the story:

“Facebook claims that back in 2015 Cambridge Analytica obtained Facebook user information without approval from the social network through work the company did with a University of Cambridge psychology professor named Dr. Aleksandr Kogan…. Apparently, around 270,000 people downloaded the app, which used Facebook Login and granted Kogan access to users’ geographic information, the content they had liked, and limited information about users’ friends.”

It is important to note that while Cambridge Analytica had been harvesting data through Facebook since 2014, the scandal did not become public until 2018.

September 2018: 50+ Million Users Impacted

Shortly after the Cambridge Analytica scandal, Facebook had its second major data breach.

In September of 2018, it was made public that. As a result, the hackers could see everything on a user’s account.

At the same time, Facebook also announced that the third-party websites that those users logged into using their Facebook accounts were also affected by the breach.

As it turns out, the breach was rather complex, leveraging three different bugs on the social network related to the “View As” feature that enabled users to see what their profile looked like to other users based on different privacy settings.

Details of the bugs aside, Facebook later discovered that the bugs had existed since 2017.

Responding to the situation, Facebook logged 90 million users across all platforms out of their accounts and asked them to log in again and reset their passwords. Moreover, the “View As” feature was disabled for a short time.

March 2019: 600+ Million Users Impacted

Kicking off a new year, Facebook had its most significant security lapse to date in March of 2019.

While this one did not see malicious hackers steal Facebook user information or even private data leaked online, security expert Brian Krebs released a report which revealed that for at least seven years. More than that, these files were accessible and searchable by over 20,000 Facebook employees.

As Mr. Krebs wrote on the matter:

“Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers… The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.”

While the password information was not improperly used, storing passwords of the platform’s users in plain text files was a massive lapse in security that could have had a catastrophic impact on hundreds of millions of users.

April 2019: 540 Million Users Impacted

The following month, it was revealed that the records of hundreds of millions of Facebook users were sitting on a public server.

The breach was who ultimately reached out to the company hosting the server a series of times before it was secured a number of months later.

Unfortunately, it is not known how long the records were exposed or if malicious actors found the information and used it to their advantage.

After Facebook was made privy to the situation, the data was made private.

While Facebook is not directly to blame for the situation, it did nothing to quell user privacy concerns or assuage the company’s growing reputation of negligent mishandling of data.

April 2019 (Again): 1.5 Million Users Impacted

Later that same month, it was revealed that between May of 2016 and April of 2019, when they opened their accounts.

Ultimately, the company gathered information from over 1.5 million users.

It should surprise exactly zero people that Facebook was conducting this activity without the knowledge or consent of the people impacted.

As far as details are concerned, when consumers would sign up for a Facebook account, the company would ask users to verify their email address by entering their email password. As soon as users completed this task, their email contacts would be imported to Facebook.

Not only was there no way to stop this process from happening, Facebook never asked for users’ permission to do so or informed them that this form of data harvesting was taking place.

Moreover, the company profited from this shameful act by using the data to improve ad performance on its platform, as well as help build up the extremely creepy Facebook web of connections.

While the company claims that it was “unintentional” and that no one outside of Facebook had access to the information, does it really matter to people if their data is being stolen by some faceless hacker or a multi-billion dollar international tech conglomerate?

September 2019: 419 Million Users Impacted

Much like in April of that same year, in September of 2019, it was revealed that the data of 419 million Facebook users was once again sitting on an exposed server.

Each of listed on their account. In certain cases, additional information such as users’ full names, genders and locations were listed as well.

While Facebook did not own the server that the information was sitting on, it was also unclear to whom the server did belong.

Moreover, as:

“It’s unclear who pulled the information from Facebook’s systems or why, but presumably it must have been an employee to have that level of access.”

December 2019: 309 Million Users Impacted

Rounding out 2019 in good measure, it was found that the data of over 300 million users was sitting exposed on yet another database.

Once again, the unprotected Facebook user information contained unique user IDs, phone numbers and names.

The information sat on the dark web for nearly two weeks before being, who later stated that the leak was likely the result of Facebook API abuse carried out by Vietnamese hackers.

While the initial estimate of those affected by the leak was originally 267 million users, in March of 2020, it was discovered that there was, thus bringing the total to 309 million impacted users.

August 2019 (Revealed in April 2021): 533 Million Users Impacted

While Facebook’s most recent data breach occurred in the company’s most infamous year for security blunders, it was only revealed to the public in April of 2021.

At the beginning of that month, a massive amount of Facebook data began publicly circulating, exposing the personal information (including Facebook IDs, email addresses and phone numbers) of over to the entire world.

The information, which could well have been leaked in one of Facebook’s many other data breaches, was likely already out in the wild at this point. However, this does not change the fact that Facebook, yet again, failed in protecting its users’ personal data.

While Facebook initially tried to claim that the data was previously reported upon in one of the company’s 2019 leaks and that the vulnerability had since been repaired, it seems that this was not the case.

Upon closer examination, it appears that things are much more uncertain as to where the data originated. Part of the reason for this is the string of data breaches that the company experienced in 2019 and the years preceding.

While the data could have come from any one of the many, many, many high-profile security breaches the company has experienced, it, in fact, did not originate from any of these events.

Instead, the 533 million records are an entirely different data set that was siphoned off through a flaw in Facebook’s address book contacts import feature.

While Facebook says that the vulnerability has been patched, there is genuinely no way of knowing how many times this exploit was abused in the time that it existed.

Now that we are all feeling nice and anxious, let’s go ahead and explore how merchants can go about protecting Facebook Ad accounts.

Facebook Ad Account Privacy: Security Steps to Take

Given Facebook’s atrocious record of protecting Facebook Ad accounts and user information, it is critical that retailers understand how to best safeguard their data.

Therefore, it is vital for retailers to:

Understand How Hackers Access Accounts

The first step merchants must take in understanding Facebook ad account privacy is to learn how hackers break into Facebook accounts.

In reality, there are a variety of methods that online criminals utilize, such as:

  • Phishing scams: Most of us have received one of these at some point. Using this technique, the hacker sends retailers an email that appears to come from Facebook, PayPal or whatever account the hacker is trying to access. This message directs recipients to a website that looks like the real deal but is, in reality, a fake designed to steal the recipient’s login info.
  • Malware: A similar means of breaking into a merchant’s account is to include an email attachment, such as an “invoice” for a purchase that was never made. As soon as the attachment is opened, some kind of malware is executed, stealing the recipient’s information or logging their keystrokes on their computer.
  • Data breaches: If merchants are still using the same email and password they did prior to any of the aforementioned data breaches or if it is the same login information as they use on a multitude of other websites, there is a good chance the information is out on the dark web. Once hackers get someone’s data, they utilize tools to automatically test email and password combinations on other websites, seeking to uncover additional login info.

With this understanding of how Facebook ad account privacy can be compromised, let’s take a look at how retailers can go about protecting Facebook ad accounts.

Consistently Manage Page Admins

Over time, people join companies, change roles within an organization or they might leave the business altogether.

Throughout all of these changes, retailers are likely to add new admins to their Facebook Business accounts. However, it is vital for merchants to remain diligent about removing permissions from folks if they move on to another role or company.

Improperly managed advertising accounts can end up with dozens of different admins, media managers, graphic artists, and the like.

Therefore, when it comes to protecting Facebook ad accounts, it is wise to restrict administrative privileges to a small number of trusted employees. The reason for this is that the more people who have access to the account, the harder it becomes to maintain security.

Regularly Update Passwords

This step should be pretty obvious, but the reality is that many people don’t change their passwords until their information has been stolen.

Therefore, when it comes to password hygiene, retailers should:

  • Use a unique password: When retailers use the same password for all of their online accounts, they are significantly jeopardizing their Facebook ad account privacy, as well as the security of all of their other accounts. As soon as hackers learn the password, they suddenly have access to a panoply of different platforms. Therefore, it is wise to utilize a strong and unique password for each account.
  • Be conservative with giving out password information: Merchants and account managers should only provide account passwords to those who require access to do their job. If it is not necessary for an individual to be in possession of the password, don’t supply the information and find a workaround for whatever needs to be done.
  • Update passwords frequently: As mentioned a moment ago, it is critical for retailers to change the passwords to their accounts regularly. While updating this information monthly might be an annoyance, it is far less troublesome than having a business account hacked and precious information stolen.

Require Two-Factor Identification

When setting up passwords and aiming at protecting Facebook ad accounts, it is advisable for retailers to.

While retailers cannot turn this feature on for their account admins, using Facebook Business Manager, retailers can require that people with access to the page turn the setting on for their account.

This is important because, with two-factor identification, even if a seller’s login information is stolen, that information alone will not be enough: the hacker would also need the device to which the account is linked.
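
The checks described under “Consistently Manage Page Admins” and in this section can be run as a recurring access review. The script below is an added example, not part of the original article and not Facebook’s own tooling; the CSV columns, the addresses and the policy thresholds are constructed assumptions, not a real Business Manager export format.

```python
import csv
import io
from datetime import date

# Constructed sample export. The column names are assumptions made for this
# example, not the format of a real Facebook Business Manager export.
ACCESS_EXPORT = """email,role,two_factor,last_active
owner@shop.example,admin,yes,2021-06-20
maria@shop.example,admin,yes,2021-06-25
sam@shop.example,advertiser,no,2021-06-24
old.agency@partner.example,admin,no,2020-11-02
intern2019@shop.example,editor,yes,2019-09-15
dana@shop.example,analyst,yes,2021-06-01
"""

# Constructed roster of people who still need access to do their job.
CURRENT_STAFF = {
    "owner@shop.example",
    "maria@shop.example",
    "sam@shop.example",
    "dana@shop.example",
}

REVIEW_DATE = date(2021, 6, 28)  # assumed date of the review
MAX_ADMINS = 2                   # assumed policy: keep admins to a small number
STALE_AFTER_DAYS = 90            # assumed policy: unused access gets removed


def review_access(export_text, current_staff, today,
                  max_admins=MAX_ADMINS, stale_after_days=STALE_AFTER_DAYS):
    """Flag accounts that break the access policy.

    Returns a dict with per-account reasons, the list of admins, and whether
    the admin count exceeds the policy limit.
    """
    accounts = {}
    admins = []
    for row in csv.DictReader(io.StringIO(export_text)):
        email = row["email"].strip().lower()
        reasons = []
        # Leavers and former agencies: access that outlived the job.
        if email not in current_staff:
            reasons.append("not on current roster")
        # A stolen password alone is enough to take over this login.
        if row["two_factor"].strip().lower() != "yes":
            reasons.append("two-factor off")
        idle_days = (today - date.fromisoformat(row["last_active"].strip())).days
        if idle_days > stale_after_days:
            reasons.append(f"inactive for over {stale_after_days} days")
        if row["role"].strip().lower() == "admin":
            admins.append(email)
        if reasons:
            accounts[email] = reasons
    return {
        "accounts": accounts,
        "admins": admins,
        "too_many_admins": len(admins) > max_admins,
    }


if __name__ == "__main__":
    result = review_access(ACCESS_EXPORT, CURRENT_STAFF, REVIEW_DATE)
    for email, reasons in result["accounts"].items():
        print(f"{email}: {', '.join(reasons)}")
    if result["too_many_admins"]:
        print(f"{len(result['admins'])} admins exceeds limit of {MAX_ADMINS}")
```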

Analyze App Permissions

Thanks to app terms of service agreements that have seemingly become longer reads than War and Peace, most people have become quite accustomed to simply scrolling to the bottom and clicking “Accept,” utterly oblivious as to what personal information they have just handed over to any given company.

This is a pattern of behavior that business owners cannot afford to engage in, as this is precisely how the Cambridge Analytica scandal went down. Moreover, even if the app doesn’t have nefarious intent, it could get hacked, thereby resulting in the loss of a seller’s data and Facebook ad account privacy.

Therefore, it is critical that retailers analyze any app that they might download to establish what information is going to be collected and only grant permission to apps that the company has found to be trustworthy.

Additionally, if retailers are not okay with handing over the data that the app intends to harvest, they should seek an alternative that doesn’t make such demands on users.

Implement Strong Policies and Practices

Finally, in order for sellers to be effective in protecting Facebook ad accounts, it is critical that clear and robust policies and practices are implemented company-wide.

By enforcing such policies, retailers can ensure that there is a uniform approach to who has access to various company accounts, as well as how those accounts are accessed.

That said, some practices that merchants will want to implement include:

  • Avoid friend requests from strangers: By accepting friend requests from strangers, retailers are potentially opening the door to receiving malicious messages and getting tagged in spam posts. If employees’ personal accounts are linked to the business account in some way, this could result in massive problems.
  • Clearly assign roles: As was mentioned earlier with managing admin access, retailers should limit the number of people who have access to the account so as to maintain Facebook ad account privacy. Therefore, using page roles is a great management tool. With this feature, retailers can assign roles for admin, editor, moderator, advertiser, analyst and jobs manager. Business leaders can appoint the admin, who can then set the rest of the roles as a means of reducing potential risks.
  • Create a trusted contact: If a seller does happen to lose access to their account, it is critical to have a trusted contact in place. If such an event were to occur, the chosen individual would receive a recovery code that they can send so that merchants can re-enter their account.
  • Hit trolls with the ban hammer: Across all social media, trolls exist. These folks can be annoying at best and dangerous at worst. Therefore, to help ensure that a company’s posts and ads are not negatively impacted by these kinds of posters, it is best to just block them outright.
  • Avoid potentially dangerous links: If merchants are sent a link that they do not recognize, it should not be clicked. There is no point in jeopardizing the security of a Facebook Ad account or business page, especially over something so silly. No matter if the link comes via email, Messenger or through a Facebook post, merchants should double-check all links before they are clicked.
  • Review the account: Given how frequently data breaches occur and the fact that Facebook is not aware of such problems until long after the fact, it is wise for sellers to regularly review their accounts to make sure that everything is current and correct. During such reviews, retailers should check their payment information, bidding, budget, ads, employee roles and the like.

While solid policies and procedures can go a long way in protecting Facebook ad accounts, they are no guarantee against malicious actors.

That said, let’s go ahead and take a look at what retailers should do if their Facebook Ad account were to be hacked.

What to Do If a Facebook Ad Account Is Hacked

If a merchant’s Facebook Ad account is compromised, there is a series of steps that retailers must take to regain control of the situation and re-establish security.

Those steps include:

Figure Out Which Account Was Hacked

It is important to remember that Facebook Ad accounts can only be accessed through personal Facebook accounts. Therefore, if a hacker has seized control of a retailer’s ad account, this means that the only way they could have done so is by hacking someone’s personal account that has access to the ad account.

That said, the first step in resolving the issue is to figure out which account has been hacked.

One way to potentially achieve this aim is to check the activity history on the ad account to see which users made the most recent changes. To find this information, click on the clock icon on the right-hand side of the Ads Manager. From there, set the date range to see a list of all the changes made, along with who initiated each alteration.

If retailers see that there is an account creating fake ads, this is obviously the one causing the problems.

Alternatively, retailers can also navigate to the settings page of their personal account and click “Security and Login.” Here, merchants will find a section that highlights the devices and locations that have recently logged into the account.

If sellers see a login that they do not recognize, this likely means that they have been hacked.

This is a step that everyone who has access to the Facebook Ad account should take as multiple accounts could be compromised.
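
The activity-history check described above can be scripted once the entries are copied out of Ads Manager. The script below is an added example, not part of the original article; the CSV columns, action labels, names and the approved-campaign list are constructed assumptions, not the format Ads Manager actually uses.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample. Column names and action labels are assumptions for this
# example, not the real layout of the Ads Manager activity history.
ACTIVITY_HISTORY = """timestamp,actor,action,campaign,detail
2021-06-21T09:14:00,Maria Lopez,ad_created,Summer Sale,creative v2
2021-06-22T16:40:00,Sam Chen,budget_changed,Summer Sale,daily 50 -> 60
2021-06-26T02:03:00,Sam Chen,campaign_created,Crypto Giveaway,new campaign
2021-06-26T02:05:00,Sam Chen,budget_changed,Crypto Giveaway,daily 20 -> 2000
2021-06-26T02:09:00,Sam Chen,person_added,,unknown.user@mail.example as admin
2021-06-27T10:30:00,Maria Lopez,ad_paused,Summer Sale,
"""

APPROVED_CAMPAIGNS = {"Summer Sale"}   # campaigns the business actually runs
SENSITIVE_ACTIONS = {"person_added", "payment_method_added"}
WINDOW_START = datetime(2021, 6, 20)   # the date range set for the review
WINDOW_END = datetime(2021, 6, 28)


def triage(history_text, approved_campaigns, start, end):
    """Group suspicious changes by the personal account that made them.

    A change is suspicious if it touches a campaign nobody approved (the
    "fake ads" case) or alters who can access the account or how it pays.
    Returns one entry per actor, most suspicious changes first.
    """
    per_actor = defaultdict(list)
    for row in csv.DictReader(io.StringIO(history_text)):
        when = datetime.fromisoformat(row["timestamp"].strip())
        if not (start <= when <= end):
            continue
        action = row["action"].strip()
        campaign = row["campaign"].strip()
        if action in SENSITIVE_ACTIONS:
            reason = "sensitive change"
        elif campaign and campaign not in approved_campaigns:
            reason = "unapproved campaign"
        else:
            continue
        per_actor[row["actor"].strip()].append((when, action, reason))

    report = []
    for actor, events in per_actor.items():
        events.sort()
        report.append({
            "actor": actor,
            "count": len(events),
            # First and last suspicious change bound the period to review.
            "first": events[0][0].isoformat(),
            "last": events[-1][0].isoformat(),
            "actions": [action for _, action, _ in events],
        })
    report.sort(key=lambda entry: (-entry["count"], entry["actor"]))
    return report


if __name__ == "__main__":
    for entry in triage(ACTIVITY_HISTORY, APPROVED_CAMPAIGNS,
                        WINDOW_START, WINDOW_END):
        print(f"{entry['actor']}: {entry['count']} suspicious changes "
              f"between {entry['first']} and {entry['last']}")
```

The first and last timestamps reported for an account also mark the period whose ad spend needs to be checked when reporting the damages to Facebook.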

Remove the Hacked Account

At this point, sellers will want to remove the hacked account as quickly as possible.

This can be achieved by heading to the business page settings, clicking on “People” and clicking the trash can icon next to the ad account to remove that profile’s access.

Taking these steps should be enough to mitigate any immediate dangers of having the account compromised.

Secure the Account

At this point, retailers must secure their accounts.

Fortunately, there is a process for achieving this through Facebook. To secure the account, log in and search for “hacked.” At the top of the results, retailers should see an option to “Secure Your Account on Facebook.”

Clicking this option will take retailers to a page where Facebook will ask a series of questions to help fix the problem. Follow the prompts to secure the account.

However, in the event that merchants cannot log in to their account due to the hacker changing the password, it is still possible to secure the account by.

Inform Facebook of the Damages

In the unfortunate event that the hacker spent some of the company’s advertising budget in the time they had access to the account, it is necessary to reach out to Facebook and tell the company, in order to avoid paying those charges.

Unfortunately, getting a hold of someone at Facebook can be rather challenging at times. If retailers have an account representative, reaching out to that person will be their best bet.

However, if this is not the case, sellers will want to go to and find the contact option.

Once merchants are able to get in touch with a Facebook rep, it is essential to inform them as to what happened so that the company can investigate further.

Final Thoughts

Given Facebook’s extensive history of data breaches and negligent security practices, protecting Facebook ad accounts should be taken very seriously by retailers and account managers.

By taking the steps outlined above, merchants can help to defend their Facebook ad account privacy and security successfully. While they are still not a guarantee against hacks or data breaches on Facebook’s end, these measures can go a long way toward preserving the integrity and security of a seller’s Facebook advertising account.

That said if retailers want to ensure that their company’s Facebook campaigns and ad account security best practices are optimized for performance and preservation, reach out to.

Our team of eCommerce social media advertising pros can help you to ensure that your Facebook ad account is secure and effective in reaching the ideal consumer with messages that convert.