21 Jun 2023

How CX (briefly) funded Islamic terrorism

This is a warning to anyone who uses Facebook and Instagram’s parent company Meta to run ads promoting their business, and we know that’s a lot of you, as we see in our social feeds.

I awoke as normal last Wednesday and began to put together this very newsletter. Going through my email to check up on breaking news, I noticed some security warnings from Meta. I’d been added and then removed as an admin for a Facebook Page I’d never heard of. A few emails down, I saw the dreaded email that my password had been changed, while I was asleep, from somewhere in the Netherlands. Oh-oh.

I tried to log in to Facebook and was indeed locked out. I then got a warning that my page (I assumed CX) was about to be deleted due to ‘breaching community guidelines’. This was not good. I started the ‘recover my account’ process with a sinking feeling similar to the time last September when we lost our Instagram page the same way. I couldn’t recover my account as I apparently used a third-party authenticator app that I don’t remember having and that they don’t support anymore anyway.

This led to a torturous process of uploading a copy of my driver’s license and waiting 48 hours. In the meantime, my trusty web assistant assured me that CX’s page was functioning normally and he could still post to it, so there was that.

Two days later, as promised, my ID was verified and I was allowed back into Facebook. I changed my password, and was immediately informed of multiple restrictions on my account due to ‘breaches of community guidelines’ and invited to review these posts to see what I’d done wrong. A click through, and I was confronted by hardcore Islamic extremist propaganda – armed jihadis, paramilitary stuff, ISIL flags. It was quite disturbing. I was also informed that my ads had been shut down.

Now, we’re currently running two ad campaigns on Meta; one promoting our subscriber giveaway competition in partnership with Jands (which you really should enter), and an Austrian Audio mic giveaway competition (which you should also enter!). Nothing controversial there. Then I found six extra ads charged to our account, and another six attempts blocked. In all, the hackers had rung up around $6000 in ad spend, and it was all coming off the CX credit card. A check of the bank account showed it was all going through, too.

A panicked half an hour ensued trying to figure out how to contact a human at Meta. This is not easy, as you would imagine. We eventually got through via an online form, then were contacted on Messenger. Turns out Meta are a little sensitive about accidentally enabling the promotion of terrorism. We were almost immediately assured that our money will be refunded in three to five days. We’re still waiting, but I’m not concerned.

What’s really irritating about this is that about six months ago, I transitioned to using a password manager to secure my entire online footprint. I changed about 180 passwords over two weeks. I don’t know any of them now; Google Chrome’s built-in password manager handles it all for me. The only one I didn’t change was my Facebook password because three Facebook Pages and two Instagram accounts are linked to it, and Meta’s back-end is awful. I was pretty sure the email I use to log in and the password associated with it had never been used together, and that they’d never been leaked. I was wrong.

So, use a password manager, enable two-factor authentication, and limit the number of people in your organisation that have access to your Meta ads account. I think we got our swift response due to the extreme nature of our hacker’s activities, but I don’t like your chances if someone uses your ads account for something more benign.


Published monthly since 1991, our famous AV industry magazine is free for download or pay for print. Subscribers also receive CX News, our free weekly email with the latest industry news and jobs.