last person joined: yesterday 

Ask a question. Give advice. Share resources. Looking for software or hardware recommendations? Want to know how others are using text messaging in their work? Trying to find examples of IT policies? The NTEN Discuss forum is a great resource for all of the above and more! It's the general discussion list for the NTEN community, and folks all over the US (and the world) are sharing their questions, answers, and news about nonprofit technology.

Facebook Page Hacked

  • 1.  Facebook Page Hacked

    Posted Dec 04, 2018 11:33

    It appears our nonprofit's Facebook Business page was hacked - last night a handful of posts started appearing on our followers' timelines (completely unrelated to our typical content). We did not post them and can not locate the posts in our list of posts. The only way I was able to access them (and ultimately delete them) was to go into Notifications and see what people were commenting on.

    Our three admins are changing their passwords.

    Any suggestions?

    Not sure if the hack is over. Also not sure if changing our passwords is enough. Anything else we can do?


    Josh Okun
    Director, Digital Strategy
    Brain & Behavior Research Foundation
    New York, NY
    jokun@bbrfoundation.org OR Josh@JDODigital.com
    Tech Accelerate

  • 2.  RE: Facebook Page Hacked

    Posted Dec 04, 2018 15:19

    We seem to have figured it out. Someone added themselves as a "Partner" in our business manager. We removed them and added two-factor authentication to our logins. Hopefully this clears it up for the future.


    Now, we're adding two-factor to all of our accounts, to be safe.


    Question – how do you handle two-factor authentication (where you receive a text message code for verification) when you have multiple people managing an account like Twitter – with just one login? For example, if I set the text message to come to my cell phone and I'm out of the office, how do other staff log in?


    Any best practices out there?


    Thank you,


    Joshua D. Okun

    Director, Digital Strategy


    Brain & Behavior Research Foundation

    Tech Accelerate

  • 3.  RE: Facebook Page Hacked

    Posted Dec 04, 2018 17:43
    Edited by Lyndal Frazier-Cairns Dec 04, 2018 17:44

    Firstly, I'm so sorry to hear that. That feeling really sucks. So glad you were able to find out what happened and act quickly!

    Two-factor is a fantastic move but you're right - it doesn't always seem practical when multiple folks are handling the account, and especially when one or more of you are on the move. But if you can make it work, I think it's probably still the way to go. In the case of a Facebook page, each of your admins should have their own accounts and you should encourage/require them to have two factor. If it's Twitter or Insta, where it's only one account, you could use a third-party tool to log in - a scheduler like Buffer/Hootsuite, or a password manager like LastPass/Dashlane.

    My trick with social media accounts is to have "shell" accounts that are only for managing social media pages. Those accounts are accessed only from work devices, on workplace WiFi, and have zero friends so there's no way hackers can even get data on the admin account. My personal social media accounts are completely separate, which means I never have to worry about potentially dodgy cafe WiFi or sketchy friends trying to access my work pages.

    We at NTEN recently produced a report on nonprofit cybersecurity. It doesn't cover social media explicitly but does highlight best practices across the board.

    Tagging @Karl Hedstrom and @Leon Wilson in case they have deeper insights for you.

    Best of luck!

    Lyndal Frazier-Cairns (pronouns: she/her)
    Membership & Engagement Director, NTEN
    nten.org @NTENorg

    Tech Accelerate

  • 4.  RE: Facebook Page Hacked

    Posted Dec 04, 2018 17:49

    Much appreciated!


    Turns out the hacker might still be here... UGH!


    Thank you,


    Joshua D. Okun

    Director, Digital Strategy


    Brain & Behavior Research Foundation

    747 Third Avenue, 33rd Floor

    New York, NY 10017


    646.681.4872 | bbrfoundation.org


    We've moved. Please note our new office address.


    Tech Accelerate

  • 5.  RE: Facebook Page Hacked

    Posted Dec 05, 2018 08:43
    ​Another sometimes overlooked way to prevent social hacking is to make sure anyone who has access to the accounts who may use the apps on their phones are keeping their apps and operating systems updated on their phones. Sometimes people don't feel like waiting the 15 minutes for their phones to update or have phones that can no longer support the updates, but this makes the phones and applications susceptible to hacking

    Ariana Estes
    Web and Social Media Specialist
    Lutheran Family Services of Virginia
    Richmond, VA

    Tech Accelerate

  • 6.  RE: Facebook Page Hacked

    Posted Dec 05, 2018 09:49
    Echoing what Lyndal said, two factor authentication is definitely the way to go. I'd like to add 1Password as a fantastic password manager that can be used as an authenticator itself: https://support.1password.com/one-time-passwords/

    My organization has been using 1Password for the past 5 years, so let me know if you have any questions. I'm actually giving a talk at NTC on how to implement a password manager in an organization.

    Stephanie Henyard
    Information Technology
    Society for College and University Planning

    Tech Accelerate

  • 7.  RE: Facebook Page Hacked

    Posted Dec 05, 2018 14:17
    Josh's story sounds very similar to organization FB page hack in a wired article published yesterday 

    Dave Tinker, CFRE, FAFP

    Vice President of Advancement
    412-995-5000 Ext. 436 achieva.info

    711 Bingham St
    Pittsburgh, PA 15203


    ACHIEVA envisions a community where disability is a distinction that makes no difference.

    ACHIEVA supports and empowers individuals with disabilities and their families.


    This message is intended for the use of the person or entity to which it is addressed and may contain information that is privileged and confidential, the disclosure of which is governed by applicable law. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this information is STRICTLY PROHIBITED. If you have received this message in error, please notify us immediately and destroy the related message.

    Confidentiality Notice: This electronic mail transmission is privileges and confidential and is intended only for the review of the party to whom it is addressed. If you receive this transmission in error, please immediately return it to the sender. Unintended transmission shall not constitute waiver of the attorney-client or any other privilege.

    The official registration and financial information of ACHIEVA may be obtained from the Pennsylvania Department of State by calling toll free, within Pennsylvania, 1 (800) 732-0999. Registration does not imply endorsement.

    Tech Accelerate

  • 8.  RE: Facebook Page Hacked

    Posted Dec 10, 2018 13:46
    For systems that allow the 2FA to be an authenticator code (Google Authenticator, Authy, etc.), you can store the seed  in your password database or encrypt a screenshot of the QR code, and then all staff that get access to that system are given the seed just once when they create the new account.  If you don't want them to know the seed (since it is even more sensitive than a password since it is a bigger pain to change), just ask them to hand you their phone with the Authenticator app open to the Add New Account page, and  you can scan the QR Code (and then re-encrypt it deleting original jpeg file or whatever) or enter the code manually and hand them back the phone.

    Alas, many sites still only allow SMS as the 2FA, which makes group sharing tough.


    Dan Shenk-Evans
    Director of IT
    Capital Area Food Bank
    Washington DC


    Tech Accelerate