Lost and Found Again: The Story of our Facebook Hack

As many are now aware, we lost control of our facebook fan page from Sunday, May 14th to Wednesday, May 24th due to malicious hacking. We took immediate steps to contact Facebook, and the affected account and page were suspended while Facebook investigated. While no other Sit With Me accounts were impacted, we lost our primary method of communicating with our supporters.

We were relieved to announce that we have regained control of our facebook fan page. We have also taken steps to review and strengthen our security across all platforms, and we encourage our supporters to do the same. Read on for more information.

What happened?

On Sunday, May 14th, at approximately 1:30 am, we lost control of our facebook fan page.

One of our board members had multiple accounts hacked, including their personal facebook and their primary email. This hacker changed the password and account information, which prevented our board member from accessing their accounts. Subsequent efforts to verify and regain the account failed.

Unfortunately, the compromised account also had administrative control of our facebook fan page. Facebook allows any administrator to remove any other administrator, including the page creator. Using the hacked account, the hacker proceeded to remove all other administrators and editors of the page. Facebook has no mechanism to confirm or undo these actions, meaning that we immediately lost control of our page. We were no longer able post, view and respond to messages, promote events, contact followers, or otherwise use the page. We were on the outside looking in.

We took immediate steps to report the incident to Facebook. They responded by suspending the hacked personal account pending investigation. Generally, Facebook has a blanket policy of not interfering in what they call “admin disputes,” meaning that they would not grant us access to our fan page. On learning this, we went to the local media to put pressure on Facebook to respond to the incident. Our page was also briefly suspended during the investigation.

On Wednesday, May 24th, a week and a half after the initial incident, Facebook concluded their investigation, restored all administrators, and we regained access to our page. We are so grateful to Facebook for restoring our fan page, to CBC Ottawa and the Ottawa Citizen for reporting on this incident, to Kelly, Jaime, and Rebecca at Impetus Consulting as well as Melanie Nabert for their invaluable advice and expertise in responding to this incident, and of course to all our loyal fans and supporters for sharing the news and helping our voice be heard when our platform was so abruptly taken away.

Is my account affected?

The compromised account was a personal account. The Sit With Me website, email, twitter, and instagram accounts were not affected. We have taken precautionary steps to further secure our accounts. Only our facebook fan page was affected. All administrators and editors were required to secure their accounts in order to verify their identity.

The hacker’s account was suspended within 12 hours of removing our administrators. They did not publish any posts to the page, and during the 10 days that we were locked out, we believe they were also locked out. We have reviewed the activity during this time and have found no malicious actions beyond removing our administrators.

It is important to note that in the 12 hours the hacker had access to our page, they would have had access to any messages sent to us through Facebook Messenger. Though we have no reason to believe they accessed these messages or made use of this information, we also cannot rule it out. If you corresponded with our page using Facebook Messenger you should be aware that the content of those messages could be compromised. For this reason, we never recommend providing sensitive information such as passwords over an unsecured platform such as Facebook Messenger.

What about the dogs?

Normal operations continued uninterrupted. We did not pause in our daily work of pulling dogs in need from local shelters, placing them in loving foster homes, and searching for the right forever home. We have strong networks of volunteers who use other channels to communicate and continued their work more or less unaffected.

The biggest impact was on our ability to communicate with the public, especially in the vital areas of finding new foster and adoptive homes, as well as promoting events and fundraising. Our facebook fan page was our main method of communicating with our supporters. And our work cannot happen without your support.

We took immediate steps to activate alternative channels of communication and were working in the background to rebuild our network as quickly as possible. Now that our page has been restored, we can return to our normal channels of communication. However, we will be taking significant steps over the coming weeks and months to diversify our communications and protect ourselves and our network from any future incidents.

Why did this happen?

Since the attack, we have learned that sadly this type of hacking is very common. We do not know who this particular hacker was or what their motivations were. However, the most likely motivation is financial gain: they may have been hoping to glean identity and credit card information from the affected board member, and may have seen our page, with 16k followers, as a ripe opportunity for ad revenue.

We have also learned a hard lesson about maintaining security. When we launched our facebook page five years ago, this scenario didn’t exist: admins could not remove each other. But the security solutions also did not exist: there were no permission levels and no tools for managing them. In the time since, Facebook has added new features, such as the ability to add Editors to a page who cannot add or remove administrators. They have also added Business Manager accounts to give page administrators further options.

We cannot know whether using these features would have prevented this attack, but by not keeping up with these changes we were certainly left more vulnerable. We are committed to learning from this incident.

What are we doing?

We are undertaking a full review of our security settings on all our accounts across all platforms. This includes but is not limited to changing passwords, updating user permissions, and removing unnecessary user access. We will also be implementing regular security reviews to ensure that we keep up with the latest changes from Facebook.

Prior to this incident, we had already identified the need to overhaul our website and to develop a platform to better track our communications with our supporters, donors, and volunteers to better serve you and our dogs. This project is now urgently important. The biggest thing we lost during those 10 days were our 16k followers – we know that you continued to support us, but we had no way to reach you.

For this reason, we will be building a list of supporters so that we will always have an independent way to reach you, and so that those who want to can opt-in to receive email updates. Security and privacy of your information will be top-of-mind; this was always an important priority but takes on extra significance after this incident. We are not yet ready to launch our sign-up but we will continue to update you on our progress.

How can I protect myself?

We want to urge all of our supporters to take a few minutes to review your security settings on all important accounts. For most of us that means primary email, facebook, and any online banking accounts. As we have learned, it is critical to regularly review these settings. Consider creating a reminder in your calendar to automatically remind you every six months to review your accounts and passwords. We will also commit to issuing periodic reminders to our followers as we take the same steps to keep our accounts secure.

Consider using two-factor authentication on important accounts. Two-factor authentication adds an additional requirement – such as entering a code texted to your phone or answering a security question – in addition to your password before you can login or make important account changes.

For more information on how to enable 2-factor for facebook, click here.

For more information on how to enable 2-factor for gmail, click here.

A note about passwords

It is very important not to reuse the same password across multiple accounts. We hear this all the time but rarely do we hear why. What can happen is that you have a primary email address and password that you use to sign up for all sorts of things – email, facebook, instagram, twitter, linkedin, online gaming sites, forums, online banking, and more. While it is unlikely for Facebook, your bank, or your email provider to be directly compromised, any of these other sites we use could be – even the well-established platform LinkedIn was compromised last year, with 1000s of email addresses and passwords being posted online.

Once hackers have your email address and your password, they can try logging in to other accounts using that same information, or with slight variations. Suddenly instead of only hacking an account you used one time to play a game online, they may gain access to more and more of your accounts. The worst case is if a hacker gains access to your email account, which can then be used to reset the password of nearly any account connected to that address. This last scenario is what happened to our board member.

At a minimum, you should have strong, unique passwords for any account that can be used to access other accounts. For most of us this means having a unique password for our email, another for our facebook, and another for our online banking.

For all the rest, consider using a password manager. A password manager eliminates the need to remember 100s of passwords, allowing you to remember only one master password, and to use automatically generated passwords that are nearly impossible for hackers to crack. Most password managers also offer security check-up features, to alert you when a password is weak, is being used on multiple accounts, and more.

For information on selecting a password manager, read this article from the Wirecutter.

And for some ideas on creating unique but memorable strong passwords, try playing around with this password generator.

What can I do?

Review and secure your own accounts if you have not done so recently. Back-up any data that you would be sad to lose and that only exists in one location – do you have any photos posted on facebook that you don’t have saved elsewhere? Facebook allows you to download a copy of your account information; consider doing this on a regular basis.

To keep in touch with us, consider following us on more than one platform. This gives us multiple channels to communicate with you in the event that we ever experience an issue with any one platform. We are on facebook, twitter, and instagram, all @sitwithmerescue.

Looking forward

Those 10 days were very hard for all of us, especially for those who worked so diligently to build our facebook page – our platform – to what it was. Over five years, we gained 16,000 followers, created over 5300 posts, and wrote nearly 650,000 words on facebook. More importantly, building that platform allowed us to grow our rescue: we have more than 100 dogs in care and have placed over 700 dogs happily in forever homes since launching in 2012.

To have all this disappear literally overnight was a terrible experience. It was hard – but so is animal rescue. We have an incredible group of supporters and volunteers. We worked together to get to this point, we worked together to get through it, and we will work together to move forward. We have shed our tears and we have jumped with joy and now we will roll up our sleeves and we will rebuild better than before.

Thank you all for your ongoing support, especially at this time. Our dogs and our supporters mean the world to us and we will not let this setback keep us from our important work. Again, thank you to all those who shared our story, those in the media who gave us a platform when ours was missing, those who worked in the background, and those at Facebook who helped us regain what we had lost. We especially want to thank Kelly, Jaime, and Rebecca at Impetus Consulting as well as Melanie Nabert, the Ottawa Citizen, and CBC Ottawa.

From the bottoms of our hearts to the tips of our tails, thank you!

Take Action

If you have any questions or concerns, please contact us at sitwithmerescue@gmail.com.

To see our adoptable dogs, please visit our Adoptable Dogs on our website.

If you are interested in adopting, fostering, or volunteering, please contact us at adopt@sitwithme.ca, foster@sitwithme.ca, or volunteer@sitwithme.ca, respectively.

If you would like to offer your expertise in social media or information management during this key time, please contact us communications@sitwithme.ca.

Meet Javani!

Meet Javani, a sweet pup who has blossomed with the care of his foster mom. This charming dog is ready to find a patient owner who can help him continue to build confidence in…

View more available dogs