Today in Digital Marketing - EXTRA: Meta Account Security — A Discussion with Barry Hott

Episode Date: August 3, 2022

In this extra episode, Tod chats with Barry Hott (https://www.barryhott.com) about Meta's platform security, and how it can affect your Business Manager, Ad Account, and much more. A must-listen if you run any ads on Meta's platform.

Transcript
Starting point is 00:00:00 Hello again. Yes, two episodes in one day. We are airing this extra episode today because it deals with a really serious topic that far too many digital marketers have been facing lately, security problems with their Meta ad accounts. The platform seems particularly susceptible to hacking attacks. Attacks where someone will get into your business manager, add themselves as an admin, get to your ad account, and start running their ads, usually some sort of BS crypto scheme or affiliate links. But those ads are running on your credit card or that of your client. It happens even to the top tier digital ad buyers like Barry Hott. Barry is a highly sought-after media buyer and performance growth consultant. So Barry, welcome. I'm sorry we're meeting under these circumstances, but tell me what happened for you. Friday afternoon, found out that all of our accounts were shut down.
Starting point is 00:00:58 That's the first notice that I got was, hey, our account is shut down due to our accounts being hacked. And I didn't know anything else about it because it's accounts that I'm not really working on, at least other accounts, but it's someone I'm helping. And I have access to the other ad accounts and I was able to go in and find rogue spending ads in multiple ad accounts, particularly ad accounts that have been dark for months, if not years, if not ever. So did they remove your access then and everyone on your team? They did not.
Starting point is 00:01:37 Very fortunately, that would have been a much bigger nightmare. And the thing that had disabled it was apparently someone at this company flagged it to Facebook and then that shut down everything in the business. So I guess I'm hoping that helped prevent that. I still had business access, I guess, but the ad accounts were all deactivated. So it doesn't seem like, I mean, it's very possible that could have been much worse and they could have had admin access that would have removed other admins. But I don't know if that's possible. I think that is possible through the API, but I'm not sure. But it seems like they didn't want to do that or they haven't done it yet. They might still do that. So when this happens, you know, and there's
Starting point is 00:02:22 people mucking around in your business manager, predictably what most people do is they go to the log, the security audit trail of actions in business manager to see who did that and so on. Did you do that? What did you find? I did do that, and I found no discernible log of any of these new partners that were in our business. There were multiple new business managers that had access to multiple of our ad accounts that were not listed in the history at all. So there was no log of anyone adding those people. I could see that we had added some people in the past, but I don't think any of those people that were added were any of the nefarious like admin users, which leads me to believe that this was an API-based attack, which also is something relates to like, I've heard other stories of people not understanding how this was happening or being able to see like there were no other users in there. So knowing that,
Starting point is 00:03:27 you know, in reviewing the documentation for Facebook's API for Business Manager, that this is possible and easy to do. This is terrifying. Am I overstating that? I think it's terrifying. I mean, I'm witnessing it. I have a front row seat. And either I'm having an issue with the history not exporting properly, or the history isn't logged properly. Or what happens is if you are a business manager admin and you make a change, like for instance, inviting a partner to your Meta business account or adding an employee, all that shows up on that log so that you can review. So who gave Sarah access? Right. You can check it because that didn't exist or you went to the log. But the changes that let people in were phantom. They weren't there on the log. Your theory is that perhaps hackers have now figured out how to do that through some kind of backdoor like the API, which I wasn't even aware, to be honest, that there was an API for adding and removing people in Business Manager.
Starting point is 00:04:40 I thought that was all on the desktop side. Yeah, I mean, it makes sense when you think about the large scale SaaS, right? Like I think like Sprinklr and other programs that are built to handle this stuff for businesses. So it makes sense that there is API for this. But it's terrifying because the thing I find terrifying about this is that someone, a hacker, and I hate to give people the ideas for this, but could build a script that effectively, once it senses it has access to a business, it can literally just launch and immediately grant access to multiple other businesses. Immediately. Like, just via code. Automatically.
Starting point is 00:05:24 So that's terrifying. The scarier part that happened here happens to be that we don't have a trace of it. That's the like bigger part. So there's a lot of confounding, conflating factors here, but not being able to see in the log. And I tested it, like I removed someone else's access and it showed up in the log. Yeah. You did it not through the API. You did it on the desktop side. Correct. Correct.
Starting point is 00:05:48 So something's missing. So that was Friday. What's happened since then? Since then, we, over the weekend, like found more stuff that Facebook, like literally Saturday, Facebook responded that they had caught and fixed, resolved the situation. Everything was fine. And like, I saw that and like, it was like, okay, let me double check. And I found a couple accounts that weren't accounted for that our team hadn't reported. Cause we hadn't,
Starting point is 00:06:15 whoever had reported didn't like see all the ad accounts and like, or check all the ad accounts that were possible. So I've still found some rogue ones and either the partner businesses that were removed were re-added because I didn't check myself or they still remained. So I could see that stuff was reactivated in those accounts. Some of the ad accounts were completely shut off by Facebook, but some of the accounts were left on and the ads that were turned off were just simply turned back on. And I found stuff that was still on and I turned it off and lowered the budget. And when you say stuff, you mean these ads that the hackers placed? Ad sets, rogue ads, rogue ad sets. So fortunately, in this case, it was very easy to spot.
Starting point is 00:07:02 It was a duplicated, in most of them, it was a duplicated campaign of an existing campaign, and a duplicated ad set. So it looked normal, right? Everything was named normal, but then the ad within it was not normal. So it's pretty hard to spot. And the only ones that were easier to spot were the accounts that didn't have anything in them. So it was really, you know, just one campaign that was live. But all of those, like, it was scary knowing that I could turn it off right now. And in 15 seconds, either another human somewhere else, or an automated system could just reactivate it. And that's typical of what they'll do is they'll duplicate it so that it keeps the same name,
Starting point is 00:07:45 which means that it's easier to look past. They also, by the way, will do that to users. If they add users to your business admin, they'll use the same name or a slight variation of it. So you weren't able to see necessarily when people were added to business manager,
Starting point is 00:07:58 but when ads change, there is a separate audit log as well for the ads. Could you see anything in there? Yes, so we definitely can see that. We cannot see who did it because there's a weird separate issue with Facebook now. We're really in the weeds where if I'm in business A and someone makes a change from business B, the name of that person in business B is not visible to me. So I cannot see the name of the person or the name of the business that made that change.
Starting point is 00:08:29 Is that a bug? I feel that you used to be able to see the partner that did the change. I don't think you could ever see the human being at the agency or the partner, but I feel like you could see the partner before. I do think it's a bug. I also think that the activity log,
Starting point is 00:08:41 which I'm sure the audience listening to this, if anyone's listening to this part, no one's used. This is like such a small tool that is only used in emergency situations. And I've literally had to, there were times when Facebook has removed the activity log and I was like, hey, I've had to talk to Facebook engineers and be like, hey, you can't remove this. I understand that. I'm sure the usage is like a percent of a percent, but it's only used in event of emergencies for the most part. Like you, you don't look at that.
Starting point is 00:09:15 I've joked before that if Facebook were a cruise line, they would eliminate the lifeboats because they're like, well, we don't use them 99.999% of the time, right? Like, but you'd still need to have them there in case of emergency. So that like, that's terrifying to me that I don't know who's responsible for owning that product or updating it or really thinking about the implications or use of it. And I don't think that they, there's always been complications with business manager relations. It's not the smoothest thing that Meta or Facebook has ever built or fixed.
Starting point is 00:09:54 And it is, I mean, to be fair, I give a lot of shade to Meta on this podcast, but to be fair, it is a monstrously
Starting point is 00:10:25 large system with tentacles everywhere. So I can imagine. And impressive. Very impressive when it works. And then, of course, the exit of Sheryl Sandberg and, you know, three or four separate executives on the ad side, senior people in the last couple of months, it's probably not helped things in terms of focus. Barry, if someone wakes up one morning and they discover that someone or something in this case has hacked into their business manager account and is starting to run ads, what should they do in your experience? First things first, dive into any logs that you can. That's what I would do first. Actually, first things first, shut anything off that looks wrong. Um, and do whatever you can to try and prevent it from easily being reactivated.
Starting point is 00:11:11 So if the budget is $50,000 a day, turn it down to one, turn it off, turn the campaign, turn the ad set, turn the ad off. Even if those can easily be readjusted, at least that, you know, you're saving yourself some time and you can, why not delete them? Um, for evidence purposes, I don't, you know, I agree with you. Um, my, I, a lot of people like, I don't think that's a bad step to delete them. I think that might be a good practice, might be a better practice, but I really don't want to risk losing some important nugget of data. It shouldn't go away if you delete it, but it's, it's scary. So like, that's, I just don't trust. I just unfortunately don't trust the system to handle for that well. So yeah. And also like, look, I can't guarantee this. I can tell you that in this situation, Meta is covering all of the losses.
Starting point is 00:12:07 And I want to point out, first of all, I can't mention who this is happening to or whatever. And I'm not really under NDA on this for Meta. But this is hundreds of thousands of dollars. Hundreds of thousands of dollars. And what's scarier to me is the probably thousands or if not millions of impressions that are being shown in clicks that are being gotten by these nefarious businesses selling probably illegal or just completely scamming for credit card information. The ads that they placed, I'm curious, what were they for? Was it crypto?
Starting point is 00:12:49 It was for, the ones I saw were for like, lose weight quickly, like gummies. Yeah. It feels to me that no one at Meta seems to be putting a big priority on this. Am I wrong there? That's what I see. And it's really frustrating to me. It seems that there's no one incentivized to get this out off of their plate
Starting point is 00:13:27 as quickly as possible and just move on to the next thing. They're not really incentivized, as far as I understand, you know, as an outsider looking in, um, they're not really incentivized to prevent this or look into the bigger problem here. They're just incentivized to like fix this one issue for this client, assume that this brand screwed up and gave away access and move on to the next thing. I don't think they're looking at the bigger issue, except I will say the engineers who I've relayed this info to directly seem to take this very seriously. I got a message personally from someone who flagged this and they said that they're looking into it and like did not understand the scope of some of this, which I thought was interesting and terrifying. I have to say, it seems like some of this stuff could be really easily solved.
Starting point is 00:14:21 And I'll tell you one example. A very common way that hackers are getting into accounts is by sending a private message to a brand page. The account from which they send it looks kind of Meta-ish. It has Meta's logo. It'll say Meta privacy or Meta enforcement, or sometimes it'll say page enforcement team. And it'll talk about, you know, there's a copyright strike against you or someone's made a report and will take down your page in 48 hours unless you respond. There's a link. Often that link is on a facebook.com domain because they can figure out a way to sort of redirect it, and those people who click that believe that they are logging into Facebook. And even if you have two-factor authentication on, the TOTPs, the time-oriented password, you know, the six-digit code, you can be tricked
Starting point is 00:15:06 into giving them, the hacker, that six-digit code. And literally within 30 seconds, as soon as they get it, they've got a window of whatever that is, 30 seconds to log in, and that's how they get it. And here's how I think they can fix that. That's how a lot of these hackers are getting in. Why don't they
Starting point is 00:15:22 just do a text search inside private messages for strings that are always used with this thing? Like, your page will be deleted if, and then variations of that. You know, if they've got AI that can make, you know, you type in banana Polaroid and it'll come up with an image, you'd think their AI could figure that out. Again, it goes back to incentives. This is a small problem that no one is incentivized to fix or solve at Meta. It's just not worth their time. It's, again, ruthless prioritization.
Starting point is 00:15:55 This isn't a big enough problem for any person to be dedicated to or think about or put AI into, right? Like there's the, you know, everyone at Meta wants to like build something new and cool and sexy. Like nobody wants to fix things. There's not sexy. There's no, there's no fame in fixing things. So that's what you see a lot of. I also, you know, like it's very possible that some of these apps could be lying dormant with access to your business for months or years or lying dormant in someone's account that you just added to your business. And then suddenly you add them, and if they have admin access, that app can now have access to your whole business. There is a way to check what apps are on your, attached to your Meta account. And here, unfortunately, I think there's a couple of places where that list exists. But here is one if you're looking for it. Face is a bit of a long URL, but this will take you right to that screen. Facebook.com slash settings, question mark, tab, that's T-A-B, the equal sign,
Starting point is 00:17:09 applications, then the ampersand sign, R-E-F equals settings. And I'm sorry that it's that long, but that will take you directly to the page. You can review, show you which apps, uh, are on there. We actually do that once, uh, once a month, I think, where we go through every single, you know, Pinterest, Twitter, TikTok, all of those accounts to see what has access still. And, you know, often it'll be like an, I don't know, like an ad optimization tool that you wanted to try out, and you tried it out, didn't really work out, you didn't like it or whatever, and then you forgot that it still has its hooks into your, you know, it's like the Demogorgon on Stranger Things, right? Maybe we'll talk another time about how there are tons of apps that can just, even if you don't have admin access, even if you just have analyst access, there are many apps that can do that just to pull data from all of your ad accounts secretly in the background. And if you own a business, you wouldn't even know. And it's very possible that there are very large and very important publicly traded companies that people
Starting point is 00:18:17 are stealing data from easily through the API, because there is no way that if you own a business, you can know what apps have access to your business through each individual user. That is how the ecosystem is set up. And it is horrific. That is a good point. Have you thought about that? No, I hadn't. I hadn't really. And that's a good point because the URL that I gave, I believe, is what your personal account has access to. Correct. Yes, outside. Oh, my gosh.
Starting point is 00:18:47 Yeah, I'm going to need either more time or a bottle of gin to handle the rest of it. I know, right? Barry, thank you for this. My pleasure. Barry Hott. You can learn more about what Barry does at his website, B-A-R-R-Y-H-O-T-T dot com. Barry truly is one of the top tier in the Meta buying space right now. You would be lucky to have him on your team.
Starting point is 00:19:06 We are back tomorrow with a regular episode. See you then.
