A Cautionary Tale of a Facebook Hack

My Facebook account was hacked.

It happens. Probably to someone you know. Maybe it’s even happened to you. So why am I telling this story on our company’s risk management blog? Because hopefully it can help you avoid the same mistakes I made.

Three months ago I was doing the usual morning run-around routine at home. I was listening to the news on my phone, checking in on my Outlook calendar to refresh myself on what the workday held, popping in on work email, then personal email and even a little scroll action on social media. Now it was time to make sure my daughter was awake and eating breakfast before the morning bus arrived. At this point of my morning routine, I never really know what else might happen.  I might shove an English muffin in my pocket and throw my phone in the toaster. The dangers of multi-tasking.

In all the melee, I noticed that I couldn’t get into my Facebook app and also vaguely noticed an email in my personal inbox associated with said Facebook account. I thought, “That’s weird. I’ll figure this out later.” And then I slammed the rest of my cold coffee and headed to work.

Fast forward to “later,” which was the same day around 10:30 or 11 a.m. I tried to get on Facebook again. I checked that mysterious email, which I noticed came into my personal email inbox in the wee hours of that morning – 3:13 a.m. to be exact – alerting me that my Facebook password was changed. Because I couldn’t get into Facebook, I asked my colleague if she could look at my page to see if there has been any odd activity. Nothing on my page, but when she looked at the ALPS Ad Center, on which I am an administrator, she noticed a new ad sitting “in process.” Strangely it was for a company selling lawn art – a markedly different product than legal malpractice insurance (although if you’d like to know more about cultivating your law practice check out Law and Gardening by one of our Claims Attorneys David Fratarcangelo).

It turns out that the hackers, using my personal account, found their way into our company’s account and attempted to run fraudulent ads on our behalf. So not only had I been hacked, but now our company’s page and Business Center, including our Ad Account, had been taken over as well. We immediately activated our company’s cybersecurity incident response procedures.

So what was the good news?

1. We were lucky in that my corporate credit card on file for our Ad Account was no longer valid. We had recently switched companies and I had not yet updated my card, so no charges were made.
2. Another one of my colleagues had an ALPS-specific Facebook profile and was able to unpublish our company Facebook page in case the hackers attempted to post something nefarious on our main page.
3. We had a protocol in place to alert our senior management team, including our I.T. Director, of what transpired and could begin pulling together an incident report.
4. We also partner with LMG Security and their founder, Sherri Davidoff, who sits on our Board, so we were able to call her and get her guidance as well that same day.
5. We quickly contained the incident by changing passwords and rolling out multifactor authentication (MFA) for our staff’s personal Facebook accounts (it’s already deployed for all of our corporate accounts).

What didn’t go so well?

1. It’s very, VERY difficult to communicate with Facebook, and realistically impossible if you no longer have access to your own Facebook account.
2. Even if you have access, which my colleague still did, the communication with Facebook was slow and confusing.
3. Our in-house counsel even penned a hard-copy letter to the Facebook Legal Department at 1 Hacker Way, Menlo Park, CA to expedite the process. Needless to say, we received no response.
4. It took almost three months for Facebook to remove the hackers from our account.
5. I am still awaiting approval (which may take up to 30 additional days) to regain admin privileges on our Ad Account with Facebook.
6. I still do not have access to my original personal Facebook account, which in many ways is fine by me but I have lost connection with friends and family and would like to regain those connections at some point.

What did I do wrong?

1. I had a weak password.
2. Not only was it weak, but it had been used on multiple other accounts.
3. I didn’t have multi-factor authentication (MFA) set up on my personal account. Even though ALPS has MFA on all corporate accounts, this was a startling reminder that employee personal account security can affect your company’s security.
4. We didn’t have multi-factor authentication set up on our Ad Account specifically. This is now a requirement of Facebook which is good news.

What can you do to avoid a similar fate for your law firm?

1. Require MFA for all accounts that relate to your firm, including employee personal accounts that can control your firm’s social media posts and pages.
2. Consider creating a corporate profile to act as the administrator on your firm’s page and Business Center accounts, if it aligns with the platform’s terms of service.
3. Create a unique password with at least 16 characters or better yet, use a password generator that can help you create unique passwords.
4. Set up a password manager for all of your work and personal accounts. Mark B. has some great suggestions on password managers here.
5. Overkill on all the security settings Facebook provides
6. Pay attention to the notifications you get from Facebook and any other online accounts, and respond quickly.
7. If your Facebook page or another social media account is hacked, have a communications plan in place to notify all admins on your social media accounts.
8. Screenshot and document all actions taken from when you discovered the breach and the steps you take to report and restore access.

Now here we are, back on Facebook. Why? Because as volatile and vulnerable as social media is, it is still an effective way to connect, communicate and hopefully help our friends in the legal profession more easily mitigate risk in their practices and to be the best lawyers they can be.