Feeds

Facebook deletes hacked Pages, destroying years of work

'Why won't it do what it says on the help page?'

Internet Security Threat Report 2014

Businesses and individuals using Facebook Pages are getting booted off their fanpage with no way back on, and it's costing some of them money.

Typically, the administrator tries to access the Page, only to discover that someone else has managed to get admin privileges and then deleted their admin status.

Because they are no longer an admin of the Page, they have no standing with Facebook and no way of getting rid of the usurper and are usually told by the social network that the only option they have is to report it as "infringing or violating their rights" so that it will be deleted. But for many users, this is a difficult option to swallow after months, or even years, spent building up their fanbase.

Ali Naqvi, owner and director of 123vouchercodes.co.uk, lost his Page around three months ago at great cost to his business.

"We had 6,000 fans who were genuine followers interested in our updates and clicking away. The clicks brought in about 10 to 15 per cent traffic every month," he told The Reg. "My webpage does about 50,000 unique visits a month – it's not huge, but at the same time, whatever traffic is there, 10 to 15 per cent is a big chunk of that."

After months of trying to get help from Facebook, Naqvi has resorted to starting a new Page, but it's not a solution he's happy with.

"I've actually started a new Page already, but the take-up is slow," he said. "I spent two years building the 6,000 fan base and I've just started now so it's only a couple of hundred on there. It's not the same, it's not going to bring the same amount of traffic."

Many users believed that the original creator of the Page could never be removed as administrator, as stated in its own help pages, but Facebook denies this.

A Facebook spokesperson told The Reg that original administrators could be removed, adding that this had benefits for businesses because they could delete people who had left the company.

Graham Cluley, senior technology consultant at Sophos Security, said this presented serious risks for businesses using Pages.

"I'm sure there are many people who run Facebook Pages who take the help page's word [on original creators] at face value, and believed it to be a safety net should anything ever go wrong. I certainly believed it to be true, which is why I was so surprised when I tested it for myself to find how simple it was to kick out the original admin," he said.

Without that safety net, someone outside the company could convince an administrator to give them access for marketing purposes or some other service and then take control of the Page, or any legitimate additional admins could have their computer hacked, resulting in everyone getting kicked off the Page, Cluley added.

"If you run a Page with a lot of fans that's a big problem – both for the fans (who might receive spam, malicious messages etc) and for your firm's brand," he said.

Other users who have lost their Pages have taken to the forums to vent their frustration at the lack of help from Facebook, and at the oft-quoted phrase from company that Pages "cannot be hacked".

The spokesperson also said that Facebook Pages could not be hacked and said the only way they could be taken over was if the email and password login were found out somehow, for example through phishing – which might be a little too much like splitting hairs for a lot of users.

"As long as the current administrators of a group keep their login details secure, keep their account enabled, and do not allow any suspicious people to become admins, then the group or Page will remain secure," Facebook said.

Naqvi said he had little interest in how his Page was hacked, but he wondered why, if a hacker had his Facebook login details, they hadn't taken over his profile along with his Page.

Facebook's spokesperson also said the site had a "host" of advanced tools to help people stay in control of their accounts, including login notifications, which let you save the devices you use to access your account, and "recent activity", where you can look at your recent activity and remotely close open sessions.

"Unfortunately, Facebook is not able to reinstate people as an admin for any group or page so, as always, we advise people to practice good online security," they said.

But Cluley said he didn't understand why it should be difficult for Facebook to reinstate original admins.

"After all, they presumably have a log of who originally created a page," he said.  "Even if they aren't prepared to put in a system to do that – why can't they code Facebook to do what its help pages say it will do? Either block attempts to remove the original admin, or send a request to the original admin asking if they agree to be removed from their administrator role.

"That would surely help prevent hijacks like this one taking place." ®

Beginner's guide to SSL certificates

More from The Register

next story
Of COURSE Stephen Elop's to blame for Nokia woes, says author
'Google did have some unique propositions for Nokia'
FCC, Google cast eye over millimetre wireless
The smaller the wave, the bigger 5G's chances of success
It's even GRIMMER up North after MEGA SKY BROADBAND OUTAGE
By 'eck! Eccles cake production thrown into jeopardy
Mobile coverage on trains really is pants
You thought it was just *insert your provider here*, but now we have numbers
Don't mess with Texas ('cos it's getting Google Fiber and you're not)
A bit late, but company says 1Gbps Austin network almost ready to compete with AT&T
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.