
When your Facebook ad account gets hacked: Why it happens, and how to deal with it

Hint: It's probably the Mafia. But read on...

By Niklas Baumgärtler. Published 10 months ago. 9 min read.
The “alien” Ad in my Facebook-Account (Screenshot)

A while ago I got a rather confusing email from Facebook: They were not sure whether I was old enough to actually be a user. Which is quite weird, since I had been using it for 7 years, and I was 31 years old by then. Did they increase their minimum age to 35 now, or what the hell happened?

They told me to send in a photo for confirmation of my age, which I figured they wanted because, well, they live on their user’s data, so why not annoy users by randomly asking for more? But it turns out that those weird notifications were only the first glimpses of what was about to come.

The next day, checking my emails, I had even more emails by Facebook in my inbox. But this time, they weren’t just random prompts for my data. Those emails told me that I have “successfully” paid the first few payments for Facebook Ads, with more to come.

With my pulse rapidly increasing, I checked everything: They looked like legitimate payment notices by Facebook, not some scam. Oh damn. But why?!

Time to investigate.

First clues about a Facebook-Hack

Years before, I had made a decision that would haunt me now: I had published my first book and figured I could try out the free 15$ advertising Facebook conveniently offered at the time. Luckily, I had set a limit to withdrawals of 35$ — probably because I didn’t fully trust the whole thing back then. That is why I now got multiple emails telling me that 35$ had been withdrawn.

On the Facebook site itself, the payment notifications fit those emails. I still had no idea why, but it seems Facebook was charging me 35$ per hour now for advertisements I never created. Neat.

At first glance I considered that Facebook might have gone rampant and advertised some of my posts without my consent on its own. But no. None of my posts were advertised.

So what exactly was I paying for?!

The Facebook-Hack reveals itself

A little while later I did find the problem: Someone must have created advertisements for someone else’s products using my account. I was supposedly advertising a so-called “Wallet one” (sort of a handbag, I think), in a language I couldn’t read or even identify. Google Translate told me it was Vietnamese, and the budget was 500$ a day.

I was very lucky that the ad had been done so badly that Facebook itself seems to have noticed that something was off here. First, it’s highly unlikely that someone living in Austria speaks Vietnamese. Second, the person who created the ad put it in an ad group called „Nuovo gruppo di inserzioni”, which is Italian. So, “luckily” for me, Facebook automatically closed my account after charging me roughly 150€.

But what to do now? How to stop the madness?

Trying to throw the Hacker out: Changing the password

Of course I instantly changed my Facebook password to something a hacker couldn’t have guessed — a new password with 30 characters. Then I activated 2-factor-authentication. This way he would have to be in possession of my phone, and if he wanted to change the number, he would have to have access to my email as well. Ha! First wall was up.

Next I tried contacting Facebook customer service. Which, as I found out, was simply impossible. There was a form to fill out if you thought you had been hacked. But if you did, they would reply that it wasn’t their business, so you would have to fill out yet another form that took you somewhere else. If you did that, they would reply that, sadly, it wasn’t their business either, sending you back to the first group. You could also choose to interact with a very helpful bot that would try to lead you to a bunch of generic FAQ pages. None of which mention the actual problem at hand. Duh.

After a few hours of desperately trying to contact one single employee of the tens of thousands Facebook employs, I was fed up and phoned my credit card company, telling them to prevent the withdrawal of Facebook’s money. If you disallow me to clear up this mess by only offering me a clueless chatbot option instead of an actual human being, dear Facebook, then I’ll at least make sure you won’t get that money. If you want it, you’ll have to actually get in touch with me.

Next I tried to figure out how the hacker could have guessed my password. It wasn’t exactly easy to guess, even if you used a brute force algorithm that tries out all the possibilities. But then I remembered that there was a site called haveibeenpwned.com, where you could input your email and then it tells you whether your email was part of a known data breach in the past. Well, turns out my email address was in there.

But luckily, I was over the whole thing now. Or wasn’t I?

The hacker strikes back

The next morning, I was surprised to get multiple messages by Facebook telling me I had requested authentication codes. But I hadn’t tried to login during the night. Did I change something in the security settings so that I would now get a message every time I logged in? Or was it that damn hacker again, for some reason able to guess my new, 30 character strong password? How?!

Sadly, the answer was yes: He was back inside my Facebook account. I had changed my Facebook password, but it was easy for the hacker to change that back, because he also had access to my main email address that was connected to Facebook. With that, he could change the password back to whatever he wanted. Damn!

So I changed the password of my email as well, and afterwards changed the Facebook password once more. To be sure I also deleted the credit card from the Facebook account. While doing that, I was completely surprised that there was another, new credit card in there. Why on earth would someone else put an additional credit card in my account?!

Until it dawned on me:

  • The language set by the hacker was Italian
  • The ads were for someone in Vietnam
  • There was a foreign credit card in my Facebook account

Can you also see the possible connection? If not, bear with me.

Why this type of hack (probably) exists

It’s just a guess on my part, but it would make sense to me if what happened is this:

A thief gets money for his stolen credit card (picture AI-generated by Gemini)

First a hacker or hacker collective will try to hack some old websites to obtain those username-password-email lists. They’ll try to curate a list of possible Facebook accounts they can later use. If you have a big enough organization and hire the right people, that should be easy. Heck, I could probably pull that off myself.

Secondly, they collect credit cards, either by stealing them themselves or obtaining them cheaply from other thieves who have no real use for them. See, if you rob a car, for example (it happened to me and my girlfriend in Italy a few years back), it’s a good thing if you find cash or items you can sell later on (they also took my camera). But if you steal a credit card and try to buy something with it, it’s easy for others to follow your trails. So in our case they just took the cash and my camera and then threw the rest away not far from the crime scene. A thief who has just stolen a purse with a credit card inside is probably quite happy giving it away for a bit of cash to some group who works these hacks.

So when you now have a list of Facebook accounts and a bunch of credit cards that might still work, you can offer to place Facebook ads as an ad “agency” for real cheap — because it literally costs you nothing. The customer will be happy he pays less, and what does he care whether an ad was placed in his own Facebook ad account or from the one of the agency, especially if he doesn’t know or care much about technology? Of course you can also use the ad money to directly advertise stuff you want to sell yourself, or promote nice scams you intend to set up later on.

If Facebook or anyone else finds out, no problem. You still have thousands of user credentials and credit cards that should work for at least a little while, and Facebook seems to be totally oblivious that this happened not once but many times by now.

I’m guessing we’re talking of some kind of organized crime here. You need some sort of infrastructure to pull it off. And since the hacker who hacked my Facebook account placed the ads using an Italian interface instead of my German one, I would assume the organization is based in Italy, perhaps even connected to the local Mafia or something.

Interesting, right? But back to our problem.

What you can do to prevent it from happening to you — or if you are a victim already

Luckily, I don’t really use Facebook Ads myself, so in my case, I don’t care much if I cannot advertise anymore since my account has been blocked. But it still took me hours to figure the whole thing out, and it was especially annoying that Facebook never responded (except automatically disabling my account, so thanks for that at least!).

So what you can do is think about whether your password is either

  • very old
  • used in multiple places or
  • very easy to guess

and if it is, you might want to change it now.

Since I assume not every reader can easily calculate what “easy to guess” means, I’ve written a whole article on the topic of how to choose great passwords. But the gist is: In order to make it harder to crack, you will have to crank up the number of possibilities that a potential hacker has to try. By a lot. Plus, you had better not use the same password in multiple places, and you should change it every now and then.
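The three checks above (old, reused, easy to guess) can be run over a password list, together with the lesson from the second break-in: an account is only as strong as the mailbox that can reset it. This is an added example, not part of the original article; the vault entries are constructed, and the function names and thresholds are assumptions.

```python
import math
import string
from collections import defaultdict
from datetime import date

# Constructed sample vault (no real credentials). "recovery" names the account
# whose mailbox can reset this one's password.
VAULT = {
    "email": {"password": "sommer2014", "changed": date(2014, 6, 1), "recovery": None},
    "facebook": {"password": "k7#Vq9!mZr2@Lx5&Tn8$Wb3^Yd6*Hp",
                 "changed": date(2020, 10, 1), "recovery": "email"},
    "forum": {"password": "sommer2014", "changed": date(2015, 3, 9), "recovery": "email"},
}

def guess_space_bits(password):
    """Brute-force search space in bits (length * log2 of alphabet size).
    An upper bound only: dictionary words and leaked passwords fall far sooner."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def audit(vault, today, max_age_days=730, min_bits=60):
    """Return {account: sorted findings}; thresholds are illustrative assumptions."""
    users = defaultdict(list)
    for name, entry in vault.items():
        users[entry["password"]].append(name)
    direct = {}
    for name, entry in vault.items():
        flags = set()
        if (today - entry["changed"]).days > max_age_days:
            flags.add("old")
        if len(users[entry["password"]]) > 1:
            flags.add("reused")
        if guess_space_bits(entry["password"]) < min_bits:
            flags.add("guessable")
        direct[name] = flags
    result = {}
    for name, entry in vault.items():
        flags, seen, root = set(direct[name]), set(), entry["recovery"]
        # Walk the reset chain: a weak mailbox undermines every account behind it.
        while root in vault and root not in seen:
            seen.add(root)
            if direct[root]:
                flags.add("weak-recovery")
            root = vault[root]["recovery"]
        result[name] = sorted(flags)
    return result

REPORT = audit(VAULT, today=date(2020, 10, 16))
```

In this sample the 30-character Facebook password passes every direct check and is still flagged `weak-recovery`, because the mailbox behind it uses an old, reused, short password.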

The aftermath of writing this article

The original version of this article was written on my personal blog, in German language, back in 2020. Over the years, it has been one of the most clicked articles I ever wrote. That means literally thousands of clicks. Not only that, I’ve had at least 20 people email or even phone me, some even from other countries like Germany or Switzerland (I’m based in Austria). Every single one told me a similar story.

And they also told me that my lone article was the only source of information they ever found about this thing. They told me they felt weird just calling me out of the blue, but that they were desperate, so they did anyway.

For some, the problem had been much bigger than mine. Like this guy who called me from Germany: He owned an actual ad agency, as his profession. Not only was Facebook wrongfully charging him huge amounts, in the range of 20.000€ and more. For him, being suspended from using his Facebook Ad account threatened his job. But even then, he told me, Facebook would not reply to any attempts to reach out to them.

Perhaps this is a German-language, geographically limited problem. But since people are still writing/calling me every few months about this stuff even 5 years after I originally published my experiences and how I solved the problem, I figured I should probably also post this in English someday. Perhaps there’s someone else struggling who cannot search the web in German and is as lost as I was, as lost as they all were, with the situation.

Funnily enough, to this day Facebook has never reached out to me to get their money I supposedly owe them. Probably not worth it to them. Fine by me. It seems to be the same for other people affected by this, too.

So at least financially, it seems there’s something you can do: Tell your credit card company to deny the withdrawal, and do it fast. Change your passwords to ones that protect you better.

And may you never experience this in real life.

Niklas

Originally published in German language at https://bunterrichten.com on October 16, 2020.

Also published in English language on Medium on March 26, 2025


About the Creator

Niklas Baumgärtler

I'm a speaker, musician, writer and teacher. Although interested in many things, I am most fascinated by the human condition and how humans and their social systems are born, change and fall apart.
