
Protect Your Facebook Fanpage From Hackers

by Nick | Marketing on Social Media | 21 comments


How To Protect Your Facebook Fanpage From Hackers

Thanks to one of our blog readers we’ve discovered a way to protect your Facebook Fanpage from being hacked. Although it does not stop the page from being hacked, it will allow you to reclaim your administrator rights to the page when hackers have deleted you. It is important to make sure your page is protected in this way because it is extremely difficult to get anyone at Facebook to return a page to its rightful owner. We’ve created a video to walk you through the process:

[youtube]http://www.youtube.com/watch?v=tE5zp443lek[/youtube]

Steps To Protect Your Facebook Fanpage From Hackers

  1. Set up a fake profile on Facebook (use an email address that is not already used for Facebook).
  2. Log out of the fake account and log in to your Facebook account that has administrator privileges on the page or pages that you would like to protect.
  3. Click the ‘Account’ Button in the upper right of the screen.
  4. Click on ‘Use Facebook As Page’ option.
  5. Click ‘Switch’ next to the Fanpage that you would like to protect.
  6. Click ‘Edit Page’ button on the right side of the screen.
  7. On the left side of the next screen click ‘Manage Admins.’
  8. In the ‘Specify an email address’ box enter the email of the fake account you created in step one and click ‘Save Changes.’
  9. Log out of Facebook and then Log in as the fake account.
  10. You should have received notice that you were made an admin of the fanpage.
  11. Under ‘Account’ at the top right corner click ‘Account Settings.’
  12. Under ‘My Account’ & ‘Settings’ go to Deactivate Account and click ‘deactivate.’
  13. Walk through the deactivation process and now your fake profile will be hidden and will not show as an administrator on the protected page.
  14. To reactivate the account all you have to do is log in with the same email and password that you used to set up the account.
  15. If your Page was hacked: Reactivate fake profile, type the name of the page in the search bar, and then remove the hacker as administrator for the page. (And report them to Facebook).
  16. You can use your fake account to protect multiple pages, just make sure the account is deactivated to protect the page!

Original Picture Source: http://www.flickr.com/photos/erix/145191028/

21 Comments

  1. Rory Graham
    Rory Graham on February 28, 2011 at 9:08 am

    THANKS for this information!!!!!

  2. Jerry Jones
    Jerry Jones on February 28, 2011 at 5:17 pm

    Even after deactivating the fake account, that account is still listed and showing in the Fan Page account settings as an admin. The profile pic is no longer showing for the fake account that’s deactivated, but the info is still there and you can easily click “remove”. Don’t think I missed any steps.

  3. Nick
    Nick on February 28, 2011 at 5:39 pm

    Hey Jerry,

    I just double checked with one of our deactivated accounts and it does not show up on any of our pages. Are you sure you deactivated the account properly?

  4. Jerry Jones
    Jerry Jones on February 28, 2011 at 7:57 pm

    Yes, I tried it in both MSIE and FF. When the extra account is activated, Fan Page Admin area shows account with profile pic and lists 2 admins. When extra account is deactivated, the only difference in the Fan Page Admin area is the profile pic of the extra account does not show.

    It still lists the extra account as an admin and still shows 2 admins.

    I tried deleting cache, cookies and logins and no change.
    Thanks.

  5. Jerry Jones
    Jerry Jones on February 28, 2011 at 7:58 pm

    As a quick note on this, if this works well the majority of time, that means anyone who is given temporary admin status can also set up a back door to your Fan Page – not good. Thanks.

  6. Nick
    Nick on February 28, 2011 at 8:36 pm

    Jerry, you’ve got to give it a minute or two. After you deactivate the account the picture disappears on the wall page but still shows up with the number of admins not changing. Going to edit page, then Manage Admins will show the deactivated admin for a few minutes as well. Keep hitting refresh and the deactivated admin will disappear and the number of admins shown on the wall will decrease as well. I just ran a test on IE, Firefox, Chrome, and Safari, every browser worked correctly, it just took a minute or two for Facebook to update. Just be patient my friend.

  7. Nick
    Nick on February 28, 2011 at 8:38 pm

    That’s true. I guess you have to be careful who you give access to, and make sure you have a deactivated account set up for added insurance.

  8. Jerry Jones
    Jerry Jones on February 28, 2011 at 10:40 pm

    Must have something to do with our settings being different someplace. I tried a different extra account and got the same results.

    After the extra account is deactivated (and time has elapsed), the only difference is that the profile pic is not visible when viewing the Admins for the Fan Page. The extra admin account is still visible.

    Thanks for spending the time earlier to test. Not sure what the difference is, but I know that I went step by step by step through the video this time and got the same result.

  9. bensendin
    bensendin on March 3, 2011 at 9:00 pm

    But what if an attacker also makes another hidden admin account? Then you should make 2 hidden accounts. And if the hacker makes 2, you should make 3, and … if the hacker makes n-1 you should make n. But you won’t know how many accounts the hacker will make.

  10. Nick
    Nick on March 3, 2011 at 9:40 pm

    I suppose that’s true, Bensendin. That’s why it’s important to keep your hidden account hidden unless you absolutely have to reopen it to delete hacker admins. Then hide it again. If you’ve got a better solution we’d love to hear it…

  11. bensendin
    bensendin on March 5, 2011 at 5:30 am

    Most of these Facebook pages are victims of a cross-site script attack: http://www.owasp.org/index.php/Session_hijacking_attack#Example_2 Some of their admins activated in their browser a javascript link with a function to add the attacker’s mail as an admin of the fan page. Then the attacker deleted the other admins from your page. Actually it is possible because of the too low level of security in Facebook fan page admin management. This kind of attack was originally developed for the purpose of stealing the SESSIONID parameter from a victim, which gives access to the victim’s account with a live session unless the victim pushes the log off button. But if the attacker changes the password then the account is stolen forever. So, most domains have an additional check point when you change a password (on a Facebook account you must write the old password before the change and you will receive an email with a notice that you changed your pass and a link for canceling this, or you can tell Facebook that you forgot your pass and you need to reset it using your login email) or, for example, you must once again confirm your identity when you confirm a money transfer on your online bank account. But at admin management of Facebook fan pages there is no check point and it is very easy to exploit it. Of course you will always hear from Facebook that hacking into a Facebook page isn’t possible, and it is true (so far), but here we have hacking on the client side, in the browser, not on the Facebook server.

    My suggestion is:
    1) two or three hidden admin accounts for your fan pages. If you have to reopen one to delete hacker admins, you have to add your old admin account and again hide your hidden account
    2) every admin of a fan page should have one non-hidden admin account for the purpose of administering the fan page. This account should be without friends, without any information, with hidden email. When he/she is logged on to that account, he mustn’t surf other pages, he mustn’t click on links out of his Facebook admin page and he mustn’t click on a link posted by members of the fan page unless he is sure that the link is ok. He can only respond and comment on members’ posts. If he is unsure where a link in a member’s post or member’s comment goes, he should first log out of that account, then see the destination pages of the member’s links and then log on again to comment. And when he finishes administration he has to log out of that account. Also he mustn’t put and start any kind of url in the url bar, especially javascript, especially something like javascript:var _0x9cbf=[“\x73\x72\x63”,”…
    Then, it is useful to administer the fan page from a browser used only for that purpose, separated from the default browser. If you use Windows then you can use portable Firefox only for this purpose. For Linux users, you can make another Firefox profile. If you are an experienced user you can easily make this http://kb.mozillazine.org/Profile_Manager and run both Firefox profiles simultaneously, one with the admin profile and one with the default profile (processes are separated and events in your ordinary profile cannot affect your admin profile.)
    And for more safety I suggest using Firefox with the NoScript addon for administration (it contains a white list of domains from which it is allowed to run javascript; Facebook is on the white list, but anyway you mustn’t copy, paste and run javascript)
    3) and of course one ordinary Facebook account per admin with no rights to administer the fan page, for surfing, chatting etc… from your default browser

    You should log in through an encrypted connection (https://….) with a valid certificate. If you use Windows, it is necessary to have an antivirus which is constantly updated.
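
The check point described in the comment above (old password before a sensitive change, plus an e-mail notice), applied to admin management, as an added example that is not from the post, the commenter or Facebook. `PageAdminPanel`, its methods, the 300-second window and the addresses used with it are hypothetical.

```python
import hashlib, hmac, os, secrets, time

REAUTH_WINDOW = 300  # seconds a password re-entry stays valid (assumed policy)

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PageAdminPanel:
    """Hypothetical page-admin service; not Facebook's API."""
    def __init__(self, owner, password, clock=time.time):
        salt = os.urandom(16)
        self.creds = {owner: (salt, _kdf(password, salt))}
        self.admins = {owner}
        self.sessions = {}   # session id -> [user, time of last password re-entry]
        self.outbox = []     # (recipient, notice) pairs standing in for e-mail
        self.clock = clock

    def _check(self, user, password):
        salt, stored = self.creds.get(user, (b"", b""))
        return hmac.compare_digest(stored, _kdf(password, salt))

    def login(self, user, password):
        if not self._check(user, password):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = [user, None]   # a live session is not the check point
        return sid

    def reauthenticate(self, sid, password):
        user = self.sessions[sid][0]
        if self._check(user, password):
            self.sessions[sid][1] = self.clock()
            return True
        return False

    def change_admin(self, sid, action, target):
        user, reauth_at = self.sessions.get(sid, (None, None))
        if user not in self.admins:
            return "denied: not an admin"
        # A request riding an already logged-in session stops here.
        if reauth_at is None or self.clock() - reauth_at > REAUTH_WINDOW:
            return "denied: password re-entry required"
        if action not in ("add", "remove"):
            return "denied: unknown action"
        notify = self.admins | {target}     # includes an admin being removed
        (self.admins.add if action == "add" else self.admins.discard)(target)
        for rcpt in sorted(notify):
            self.outbox.append((rcpt, f"{user} requested {action} of {target}"))
        return "ok"
```
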

  12. Admin
    Admin on March 5, 2011 at 7:33 am

    This is GREAT! Thank you for your feedback and the details you have provided. During the last 3 weeks we have been leveraging social media to help reach out to the world to see how we can all work together to fix this Facebook fan page hacking issue. It is truly amazing how much world wide traffic we have seen and the global connections we have all made. Thousands of people, from all over the world, are facing the same Facebook fan page hacking issues that we once faced.

    Because of connections and contributors, it appears Facebook is quietly fixing an issue that is know has been going on for the last 30 days.

    It would be great if Facebook had a developer/security submission form to immediately report illegal scripts, hacking, viruses etc.

    Within 12 hours of our client’s page getting hacked, Black Box Social Media searched the internet and found a hacking website talking about the fan page security breach. This is where our intensive investigation began and this is when we notified Facebook. I am sure that through all the resources at Facebook someone would have done the same search once these problems started to be reported.

    Nevertheless, it would be great if Facebook users could report these hacking problems, hacking articles and sites that post how to hack Facebook. Most hackers like to post their activities online to demonstrate how talented they are. So when the “bully in the school yard” brags about what they did, we can catch the problem early and fix it before it becomes a huge worldwide problem.

    We cannot thank our readers and contributors enough. All of your feedback, advice and collaboration is deeply appreciated. It is people like you that make social media so powerful.

    We will be posting shortly an update about the silent Facebook fix of this major fan page security issue.

    Thank you again everyone! We STRONGLY encourage feedback and comments from all of our readers!

    – Black Box Social Media Staff

  13. Ehab
    Ehab on May 3, 2011 at 11:13 pm

    We did extensive testing of this.

    1-Wait at least 10 minutes between adding the phantom admin and de-activating the phantom admin account. Facebook servers seem to have some lag.

    2-If you add the email of a de-activated user to a fan page AFTER that user was de-activated then it will not be a phantom admin, the user will remain visible on your admins page, but WITHOUT a picture.

    Over all we recommend to add as many phantom admins as you can. The hackers know this trick too believe me, they do, I got my page pulled from under me after we got it back, luckily we had 6 phantom admins.

    Facebook is a crappy platform at the moment for companies, you do not OWN your facebook fan page even though they are YOUR FANS. 😉 I think this is why they changed the become a fan to like to tell you indirectly that you do not own your fan base.

  14. blessed
    blessed on June 21, 2011 at 1:14 pm

    Hey Nick,

    I think facebook has changed the admin flow, I got this error when I tried to add my fake account as admin….

    “One or more admins could not be added. You may only add friends or people who already like this page. If you need to add a non-friend, make sure that they like the page first.”

    And when my fake account liked my page and I made him admin and finally deactivated my fake account… fake account was still displaying (without picture) in manage admin page. I waited for several minutes too. :S

    It seems like a ‘hidden’ policy of Facebook that they do not want to make anyone a real owner of any page even if he created it … otherwise they would not have been keeping this flaw in their system … returning a page back to its real owner is not a big deal; in fact they could make a little change in functionality so that any page admin should not be able to remove the original ‘creator’ of a page ….. that’s simple and actually makes sense! 🙂

  15. Nick
    Nick on June 23, 2011 at 2:17 pm

    Yeah it seems like Facebook has made some changes since all this account hacking started. Originally you could not remove the original creator of a page, but then that was changed and the problems began. One of these days they’ll get it right!

  16. Food Lover
    Food Lover on September 16, 2011 at 4:48 pm

    This is not working anymore because the admin’s profile name is still there in the admins after closing the account

  17. steev
    steev on December 3, 2011 at 7:56 pm

    is this still working ???

    the secret backdoor account still shows up ?

  18. Bulgarian Properties
    Bulgarian Properties on January 4, 2012 at 3:51 am

    Will try this as have a couple of pages. I am wondering also if my main profile gets deactivated or even removed (someone keeps reporting me – even though posts are not in violation of terms or rules but have had the odd warning) is there a way to ensure that my facebook pages stay active?

  19. Walid
    Walid on March 2, 2012 at 10:44 am

    I have same problem, the deactivated fake account still appear in admins list, is there any other way to protect my fanpage ???

  20. Wamiq
    Wamiq on May 4, 2012 at 5:27 am

    Hello Sir, My Facebook Page Has Been Hacked… I was The Owner Of the Page before Hacking the Page… One Of Admin Remove Me From My Page.. And Please Help Me.. This Method is Not working For Meh… Plz Thanx In Advance….
    This Is MY Page’s URL Link
    https://www.facebook.com/ISLAM.The.Universal.Religion

  21. kenny
    kenny on May 24, 2012 at 6:34 pm

    Why deactivated accounts are still visible there, are there new policies rolling around or me as page administrator can only see it?
    I need to know this since my negotiations with the hacker are close to page release.
