Episode 112: Security Series #4 What to do after being Hacked

Key Highlights What to do if your personal Facebook profile

Jody Milward

Key Highlights

  • What to do if your personal Facebook profile has been hacked

  • Is it worth being Meta Verified? 

  • Why having a back up + trusted partner is your lifeline

  • What to weigh up if your business manager is hacked

  • A smart tactic to deal with a hacker’s bad pixel in your ad account

  • Why you shouldn’t delete the hacker’s ads straight away


So what do you do after you have been hacked? If the worst has happened, your accounts have been compromised, you’ve [00:01:00] sorted things out with Facebook. But now what? 

That’s what we are talking about today in this episode of Online Confidential, where I take you behind the scenes to talk about ‘Secret Ad Manager’ business.

This is the final episode in our security series, episode number four. If you’ve missed the other three episodes, run back over and watch those. 

In the first episode we spoke about personal security. So for your personal Facebook [00:01:30] account because that’s where hackers get in. They access your ad accounts and everything, because of a compromised personal profile, whether that’s yours or whether that’s maybe someone on your team whose personal profile was compromised, and so therefore the hackers got their way into your business manager, your client accounts, everything.

So making sure we have a great password. We have two-factor authentication set up. We have gone through and we’ve checked apps and removed apps that we no [00:02:00] longer have access to or want to have access to, and we’ve absolutely minimized those. 

Once we’ve gone through and protected our personal profiles then we looked at our business manager, our business accounts, and in episode two we looked at how we can best secure those.

Again, two-factor authentication. Turning that on at the business manager level so that anyone who has access to your business manager needs to personally have two factor authentication, turn on for their personal profile. 

Then looking at [00:02:30] pixels. Identifying if a rogue pixel has come in, because that’s something that we’ve seen as a common thing that happens with compromised ad accounts.

So we looked at business managers and how to secure our business manager. 

In episode three we had the amazing Irena share her story of getting hacked months ago, and still, the consequences that are coming from there, so that you can keep an eye out, stay sharp, stay attentive, learn what not to possibly do, and pick up on things fast if it seems like your account has been hacked.

What to do after you’ve been hacked

That’s what we covered in the previous episodes. But a question that often comes up from ad managers and people who have been hacked is, ‘What do I do? Should I have a new ad account? Should I start a new page? What is it that I should actually do now that everything has been compromised and I’m in this situation?’

Well, for me not having been hacked [00:03:30] personally, not having ad accounts that have been hacked, from what I’ve seen and experienced with others that have had it done, it would depend on the severity of the hack as to what actions that you would take.

If your personal profile has been compromised, this is where you know the hacker has done something to your account like put offensive content on your personal profile so Facebook has restricted you, or they may have restricted you from advertising again because of their actions. 

You need a personal profile to be on Facebook but it’s against Facebook terms to have multiple Facebook profiles, personal profiles, and it’s hard to create them because they want identity documents. They want you to prove that you are who you are. 

So you need to work with Facebook to get your personal profile in good standing again, and this may take time, it may take months because unfortunately, our little facey friend is not [00:04:30] the best when it comes to customer service and support and resolving issues.

Perhaps this is where being Meta Verified could assist this, because this is one of the things that Facebook is saying with Meta Verified. It’s supposed to help you with fake accounts being hacked, giving you this extra level of support. So hopefully if you have access to Meta Verified or have had it before you’ve been hacked, and this is where you can get it on Facebook and Instagram so that if your Facebook account is hacked, then possibly going through [00:05:00] Instagram’s Meta Verified may help to resolve this issue. No promises. Time will tell on this. 

I have heard of a couple of people who have had success with getting things restored using Meta Verified, so that could be $25 a month money well spent. So that may be an option for you if it’s around in your country and available to you at this time of recording. But otherwise, you’re going to need to just continue to work with Facebook, so be persistent.

[00:05:30] Reach out to them every day, every other day. I know it’s going to be tiring for you, but you’re going to need to get that resolved. So with your personal profile, you need to work with Facebook if it’s been restricted in some way to get it resolved. 

Get that back up and trusted partner on your Facebook account 

In the meantime though, hopefully what you’ve done is you’ve had a trusted partner who has been connected to your Facebook page or your business manager, and perhaps that’s a spouse, someone who lives at home with you, that you may be able to sit next to them [00:06:00] and access Facebook.

Having a trusted partner in the business manager so that you can still access assets, still access ad accounts if your personal profile has been restricted in some way. 

Do you need a new business manager?

When it comes to a business manager, what do you do if they got into your business manager and it’s been hacked and compromised? What do you do? Do you create a whole new business manager? 

Well, again, I would look at the severity of the attack. I appreciate that it may [00:06:30] feel icky, like your house has been broken into and it feels contaminated and you just want to start fresh. Nothing’s stopping you from doing that, except it’s quite a lot of work.

For example, if you’ve got domains and they’re verified and they’re verified owned to that business manager, multiple ad accounts, pixels, all the ad history that you have in an ad account is all sitting there. Yes, you should share the ad account. Could share the ad account over eventually, [00:07:00] but again, do you want to keep that ad manager account? That might be your question. 


It depends on the severity of it all. Hopefully you’ve gone in there and you’ve quickly resolved the issue and you caught it quickly. You got onto Facebook and things are getting resolved and you’ve gone through and made sure that the hacker is out. 

What can you do if there’s a ‘bad’ pixel in your ad account?

You’ve gone and checked the pixels so there’s no extra pixels that are in there. Go to events manager and create a custom [00:07:30] audience of the url that may have been used in the ad if they were using your pixel. That way you’ve created a custom audience of all that traffic that the hacker sent to this website and accumulated data on your pixel and then exclude them when you’re doing website traffic retargeting.

Because otherwise they’ll get caught up in your audience. At least with your targeting for a while, narrow it to the specific countries that you want to target. Make sure you don’t do worldwide. [00:08:00] You might need to tighten up your targeting and be more aware of your targeting. So for example, those website audiences might be a bit skewed for a little bit if they were using your pixel.

So you can create that custom audience to exclude that traffic for a while. Six months, and then that data will roll off of your pixel. So that’s something to consider with your business manager. 

Go to your events, settings, events manager and settings, and look [00:08:30] at the traffic approvals. We talked about it in a previous episode where you can specify a list of urls that accumulates traffic data from your pixel. This is going to help prevent other traffic coming to your site. If they are using your pixel elsewhere, then you’ll just specify these are the urls that are approved. 

It’s in traffic, event manager settings, scroll down, you’ll get to your traffic and you can specify the urls that you want to allow for traffic. This would just be your urls, maybe subdomains, like for example, I’ve got ThriveCart. I’ve got sales.jody, which is my ThriveCart subdomain with a custom domain and and I’d have and I’d have

These would be urls that I would put in the allowed list so that other websites are not sending [00:09:30] traffic. They haven’t used a pixel elsewhere. So that’s something else to consider. 

  1. Create those custom audiences, 

  2. Exclude them if they were using your pixel, 

  3. Set up those traffic sources, and 

  4. The allowed list of urls

That’s what to look for in our business manager and just making sure that they are out, that there’s no residual things. Talk with Facebook, look at the history, what’s been going on in the business manager, and make sure that’s all resolved because generally, you’re only allowed to have three business [00:10:00] managers.

So if you’ve got one that’s set up, if you’ve got all this work, and you’ve caught it all quickly, I would tend to continue to use it. Same with the ad account. You might be thinking, should I just start a new ad account? What should I do here? Again, consider the history that you may have on your ad account.

Is it possible you can still use the same account?

If you’ve been running ads for a while and a long time, and these guys have come in and for a few hours or maybe a day they’ve run some ads, the history on your account will [00:10:30] far outweigh the day’s worth of traffic that they may have generated on their ads. 

Now, if they ran ad ran ads that weren’t compliant and that has now shut down your ad account, again, you’re going to need to talk to Facebook about this to get this resolved and ideally they will resolve it for you with the ad account. Don’t delete the ads that they were running. You will need to keep them there at least until Facebook has refunded you the money for the ad spend [00:11:00] that was done through the hacked ads. Keep them there, have them turned off, of course. But just keep them there until you get the money back and the issues all resolved with Facebook, then you can feel free to delete them. 

With regards to your ad account, consider the data that you’ve got on your ad account, all the information, all the data on your pixel, and consider if it’s worthwhile because it takes a lot of work to recreate all our audiences, to recreate all our ads and our copy.

So [00:11:30] unless it’s really been messed up, I would tend to still use that same ad account. You may want to add in a new payment method. Even though technically speaking, if they’ve got admin access, they could see card details, in some way. I don’t know, these hackers are pretty sly.

I’d suggest a new payment method, get a new card, and then hook that up. [00:12:00] That may at least give you some further peace of mind. 

With regards to what do I do moving forward? Do I get rid of all this? Do I create a new business manager? Create a new ad account? Create a new pixel? Create a new page? Create a new url?

You could do all of those things. That’s a lot of work. Consider what damage was done, and how it compares to all the other assets that you have, all the other history. [00:12:30] Sure, if things have been shut down by Facebook because they were really not compliant, then talk to Facebook to get these things resolved and be aware it could be a lengthy process. 

If that is the case, and you need to run ads for clients, or if it is your own business and you need to run ads, then having that trusted partner, having other people in your business manager who can then run the ads or possibly you outsource. If you are running your own ads, for example, you might need to outsource to someone else [00:13:00] to create a new ad account and run ads for you if your personal profile can’t run the ads.

Ideally, you’ve got other people in your business manager, you’ve got that trusted partner in your business manager who you may be able to run ads on their behalf and still maintain those ads for your clients, have access to your business manager pages, all the rest of it. Business as usual, ideally.

But if things have been restricted, all you can do is talk to [00:13:30] Facebook in that situation.

So, that’s my recommendation. Look at what was done. Look at the account history, all the work, all the assets you have in place. If things aren’t restricted, then most likely it seems like you’d be good to just get up and running again.

Just make sure the hacker is locked out. You’ve done the traffic steps, allowed urls and created that custom audience of website visitors. Exclude the custom audience of that traffic and just keep going again. [00:14:00] That’s all we can do when it comes to our Facebook ads. So fingers crossed for you guys that you stay safe. Watch those passwords.

Make sure two-factor authentication is turned on, and with your two-factor authentication use the Authenticator app because SMS can be compromised as well, download some security codes as well and just stay vigilant. 

That’s it for this security series. I would love [00:14:30] to know what your thoughts were.

Just email we’d love to hear from you and hear any stories that you may have had about getting hacked so that we can spread the word and keep us safe online and using Facebook for the amazing tool that it is to be able to grow our business and connect with people around the world.


So, that’s it for today. I look forward to seeing you next time on Online Confidential.[00:15:00] 


I love to share practical information to help you improve your skills, learn something new or help you avoid the mistakes that many Ad Managers and I have made to help fast-track you on your journey as a well-paid and in-demand Ad Manager.