This has come up a few times over the last few years, whether as a form of cyber bullying, taking your account from you, an automated bot that’s set to spam your friends, or the more determined targeting of page administrators with the sole purpose of destroying a highly popular community page, which is what I have just been made aware of.
I have seen a number of community pages destroyed like this: they hack one of the administrators’ accounts, and the attacker then has the ability to remove all the other admins, elevate the privileges of some of his friends and trash the page, or simply remove himself, leaving the page orphaned. Here’s my advice:
A first line of defence to think about: if no one knows who the admins of a page are (unlike with groups, Facebook does not publicize page admins), the hackers don’t know which accounts to hack. Secondly, if you hide your email address from the public or even from your friends, that reduces the chance that they hack your email first and then use it to do a simple “password reset”, which I have seen done quite a few times. The other one I have seen is where the hacker knows enough personal details to reset the password by answering security questions; they may have acquired the information using social engineering, or simply be a family member.
To hide your email address, go to “about” (next to the timeline tab), click “edit” on the “contact information” section, and choose appropriate restrictions from the little drop-down. Hidden from timeline might be appropriate here.
The bulletproof way of securing your account, unless the hacker has control of your mobile phone, is to add mobile phone security. Even if your attacker has your username and password, they cannot log in from a browser that has not logged in to your account before without a short code that is sent to your mobile phone first. To achieve this, you first need to have added a mobile number to your account (see the instructions above: “edit” on the “contact information” section). Then go to the security settings page (just under “General Settings”), click “edit” on the “Login Approvals” section, tick the box “requires a security code…” and save. This security settings page also has some other neat features. The “code generator” allows you to create some codes in advance in case you don’t have access to your mobile. You can also add some “trusted contacts” who could help you recover your account in the event you lost control of it. You can also see where your account is logged in from right now, as well as a history of logins.
As with all security, if you are securing a Facebook page or group, security is only as strong as the weakest account that has administrator privileges. My advice would be, if you are under imminent or current attack, to remove all but those administrators temporarily until they get their own accounts locked down.
Facebook does have an official security page, but it is aimed at the more technically competent (geeks). They announce new security features all the time, so it’s a good one to follow.
If you come unstuck, or want help in creating a safe space on Facebook, let me know.