There has been a lot of good reporting and analysis in the last week or so following Facebook’s announcement that about 50 million accounts had been hacked, with the perpetrators able to gain access to a victim’s account and essentially do anything they wanted. This is just the latest in a series of incidents in the last few years to call the trust people place in the company into question, from “bugs” that always seem to err in ways that compromise user privacy to that whole Cambridge Analytica incident to the platform being used by foreign operatives to actively disseminate false information in an effort to subvert U.S. elections.
As people have said, the odds are good that 50 million number will only grow, as it always seems to do with Facebook. I wouldn’t be surprised if the final number winds up well over 100 million.
This one, though, went beyond just changing settings or not filtering out fake news. This was about account access. Specifically, it also impacted Facebook’s single sign-on tool, which allows you to sign into and up for other sites using your Facebook credentials. That’s bad, as the tool is used far and wide across the internet by companies that didn’t want to invest in their own infrastructure but just use Facebook’s because it’s easier.
One other problem hasn’t received as much attention, though, and it highlights a problem I’ve always had with Facebook. Specifically, those individuals who manage Pages for brands and companies do so through their personal Facebook account. Meaning if the account of someone who manages the Page or Pages for a company or companies was among those hacked, access was gained to whatever Pages they had access to as well.
Tying personal and professional usage together like this has never been a good idea, for precisely this reason as well as others. The security of your Page is 100% tied to the security of the profiles and accounts of those managing it. If they get hacked, the Page gets hacked. And the amount of damage someone can do with full read/write access to a brand Page, including locking out all the other Page admins and managers, is exponentially greater than what they can do to someone’s personal profile.
Why there’s never been a change to this system is something I’ve never understood. Even if an admin on the Page engages in best practices regarding account security – everyone has to use a CMS instead of posting directly to Facebook.com, regular reviews of admin rights to clean out anyone unnecessary, etc. – your Page’s security is no stronger than the weakest link among its managers.
For all the broken promises Facebook has exposed in the last several years regarding Page reach and engagement, none has yet proven to be the straw that broke the back of the corporate camel. The company has altered the deal numerous times after first promising massive reach to brands who built up their base of followers, then steadily chipped away at that, instead telling them such reach was only possible through payment. Still, the number of Facebook Pages keeps growing as brand publishers decide two percent of something is better than 100 percent of nothing.
(Side note: That’s always been a lie. You don’t *need* Facebook as a brand publisher, but the conventional wisdom eventually became that you do. Audience attention and traffic are possible without it; it just takes a little more work. Trust me on this.)
If it turns out that brands and companies wind up being impacted by this hack, though, it could be that this becomes the turning point. All it will take is a handful of companies to make a big deal about how, because Jack, their PR intern who’s managing the Page as part of the team he’s on, got hacked, the Page fell out of their control or started posting offensive messages. That kind of story has the potential to put some wind in the sails of those who feel Facebook has grown too large and unwieldy and would like to see its power diminished.
This isn’t said out of spite, though I count myself among those who wouldn’t mind seeing Facebook taken down several dozen pegs, both for the good of society and as a warning to other tech companies that have followed in its authoritarian path.
Instead it’s merely a warning that the security of your social media content marketing isn’t what you think it may be. Facebook’s nonsensical system that makes the personal responsible for the professional has seen to that and it’s an underreported aspect of this story, though one that deserves more attention for the potential problems it may cause.
Just remember that when you, as a Page admin, allow someone else to manage that Page, you’re putting the fate of the marketing program in their hands. And when you accept the invitation to manage a Page, you are becoming responsible for the security of that Page as well as your own account. Neither of those is a commitment to be taken lightly.