Why should you protect your PRIVATE account before the advertising one?
A takeover of an advertising account almost always starts with the takeover of a private account, because that private profile is the owner or administrator of resources such as Business Manager, the fanpage or the advertising account itself.
What happens when a hacker takes over a private account?
Once a private account is seized, the criminal:
- gains access to fanpages, advertising accounts and Business Manager,
- can add themselves as an administrator and remove you,
- can run advertising campaigns at your expense,
- can block your access to all of these resources.
Securing your private account is the foundation. Before you move on to protecting your advertising or Business Manager account, you need to make sure your private profile is secure!
REAL-LIFE EXAMPLE: An e-commerce company lost more than £27,000 in six hours when hackers took over its Meta Ads account and launched a campaign advertising fake cryptocurrencies. Meta refused to refund the money, arguing that the company had not followed basic security measures such as 2FA.
What makes this worse is that, after a hack, access to a fanpage or advertising account can stay blocked for months, and the money spent by the hackers is usually not returned by Meta. Companies are left not only without access to their marketing tools, but also with serious financial losses that can threaten the stability of the entire business.
The most common threats to Facebook and Instagram accounts
Before we move on to protection methods, it's worth knowing the main strategies that cybercriminals use to gain access to advertising accounts.
Phishing - the most popular attack method
The most common attack vector is a fake message impersonating Meta that contains a link to a fake login page.
Anna's story: how one link cost her £15,000
Anna ran a small online jewelry store. One day she received an email that looked like a message from Meta, informing her of problems with her ads. She clicked the link, entered her login details and noticed nothing suspicious. The next day she discovered that £15,000 had been spent from her advertising account on ads for products she never sold. Meta refused to refund the money, taking the view that Anna had not properly secured her account.
What could Anna have done? Check the sender's full email address (the message did not come from a domain Meta controls, such as facebookmail.com, facebook.com, fb.com or meta.com), and log into the account directly by typing facebook.com into the browser rather than following a link in the email.
Malware attacks - malicious software on your computer
Infecting a computer with malware lets attackers steal login credentials and session cookies, or even control the device remotely. Cybercriminals usually spread malware via fake email attachments, suspicious websites or untrusted software. With Meta accounts, a single login from an infected device is enough for an attacker to take control of your entire advertising setup: a stolen session cookie works even when the password is strong and 2FA is on, so keep the devices you log in from clean and updated.
Weak passwords and lack of two-factor authentication (2FA)
Many account takeovers on Facebook and Instagram are simply due to passwords that are too easy to guess. Users often use the same passwords for multiple services - meaning that a leak from one platform can give criminals access to an advertising account.
Fake co-administrators and unauthorized access
Another way to take over an account is for criminals to add their own users as administrators of an advertising account or Business Manager. In many cases this happens without the owner's knowledge, especially when access to the personal account has already been taken over.
IMPORTANT: Cybercriminals increasingly combine several attack vectors at once. For example, they send a phishing email that leads to a malware download, and the malware then logs keystrokes and harvests saved passwords. That is why it is so important to apply all of the security measures described in the next section together, not just one of them.
10 effective methods to protect your Meta Ads account
The following methods have been prioritized - from the most basic and crucial to the more advanced. Implementing all of them will significantly reduce the risk of hacking.
1. Use strong and unique passwords for your private account
Use a password manager and never use the same password on different services. Using the same password on multiple platforms poses serious risks. All it takes is a data leak from one service, and cybercriminals can gain access to all your accounts.
How to do it:
- Install a password manager (e.g. LastPass, 1Password, Bitwarden)
- Generate passwords of min. 16 characters, containing lowercase and uppercase letters, numbers and special characters
- Set a unique login and password for your Facebook/Meta account
- Change the password immediately if it may have leaked (a breach notification, a phishing click, a lost device); with a unique password and 2FA, reacting to incidents matters more than rotating on a fixed schedule
2. Enable 2FA - preferably through an app or a physical security key
Two-factor authentication is mandatory. Preferably through an authenticator app (e.g. Google Authenticator, Microsoft Authenticator, Authy) or a FIDO2/U2F security key (e.g. YubiKey).
How to do it:
- Go to Facebook Settings > Security & Login
- Find the option "Use two-factor authentication"
- Choose the authentication app method (not SMS: codes sent by text can be intercepted through SIM swapping or phishing)
- Scan the QR code with the app on your phone
- Enter the code from the app to confirm the configuration
- Save backup codes in a safe place
3. Add a passkey and configure biometric login
The feature is available from the Meta Accounts Center. A passkey resists phishing because the credential is tied to the real site's domain: a fake login page cannot ask your device to sign in with it, and there is no password to type and intercept. The fingerprint or Face ID prompt only unlocks the key stored on your device; the biometric itself is never sent to Meta.
How to do it:
- Go to Settings > Security > Passkeys
- Click "Create New Passkey"
- Select your device (phone or computer)
- Confirm identity with a fingerprint scanner or Face ID
- Done! Now you can log in without a password
4. Manage applications and remove unused integrations
Regularly review your "Apps and Sites" settings and API access tokens. Remove all apps and integrations that you don't use or don't recognize.
How to do it:
- Go to Facebook Settings > Apps and Websites
- Review the list of all connected applications
- Remove all unused or suspicious applications
- In Business Manager, go to Settings > Users > System Users
- Check and remove inactive API access tokens
5. Don't use "Login via Facebook" where it's unnecessary
Every service you sign into this way inherits the security of your Facebook profile: whoever controls the profile can log into all of them. It is better to set up accounts individually, especially for important services.
How to do it:
- Go through your accounts and find the ones where you use Facebook login
- Gradually change them to direct login, creating unique passwords
- In the future, avoid using this function, even if it seems convenient
6. Set spending limits and budget alerts on the advertising account
Set up automatic rules, such as pausing the campaign when there is a sudden increase in spending. This won't prevent hacking, but it will limit potential losses.
How to do it:
- In the Ads Manager, go to Account Settings > Spending Limits
- Set a daily spending limit
- Set up notifications for unusual expenses
- Create automatic rules: Tools > Rules
- Example rule: "Stop campaigns when spending increases by more than 200% compared to the previous day."
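To make the rule above concrete, here is an added example (not code from the original article, and not the rule engine Meta runs): a small model of the "pause on a spending spike" rule evaluated over constructed daily spend figures. It shows the two cases a naive "200% more than yesterday" rule gets wrong, a day after zero spend (the percentage is undefined) and a tiny amount that technically triples, and it checks the absolute daily cap first. The thresholds, the `SpendRule` fields and the sample figures are all assumptions for illustration; the real rule is configured in Ads Manager under Tools > Rules.

```python
"""Added example (not from the original article): a model of the
"pause on a spending spike" rule, run over constructed daily spend figures,
to show what the rule should and should not trigger on. Threshold values
are assumptions; the real rule is configured in Ads Manager."""
from dataclasses import dataclass


@dataclass
class SpendRule:
    max_increase_pct: float = 200.0     # pause if spend rises more than this vs the previous day
    daily_limit: float = 500.0          # assumed account-level daily cap, checked first
    min_spend_to_trigger: float = 50.0  # assumed floor: tiny amounts never count as a spike


def evaluate_spend(spend_by_day: list[tuple[str, float]], rule: SpendRule) -> list[tuple[str, str]]:
    """Return (day, reason) pairs; reason is 'daily_limit', 'spike' or 'spike_from_zero'."""
    alerts: list[tuple[str, str]] = []
    prev = None
    for day, spend in spend_by_day:
        if spend > rule.daily_limit:
            alerts.append((day, "daily_limit"))
        elif prev is not None and spend >= rule.min_spend_to_trigger:
            if prev == 0:
                # A percentage increase from zero is undefined, so treat real spend
                # straight after a zero day as an anomaly instead of skipping it.
                alerts.append((day, "spike_from_zero"))
            elif (spend - prev) / prev * 100 > rule.max_increase_pct:
                alerts.append((day, "spike"))
        prev = spend
    return alerts


# Constructed figures (GBP per day), not real account data.
SAMPLE_SPEND = [
    ("2025-03-01", 80.0),
    ("2025-03-02", 95.0),    # +18.75 %: normal
    ("2025-03-03", 0.0),     # campaigns paused that day
    ("2025-03-04", 20.0),    # after a zero day, but under the floor: no alert
    ("2025-03-05", 310.0),   # +1450 % vs the previous day: spike
    ("2025-03-06", 900.0),   # over the daily cap regardless of the trend
    ("2025-03-07", 0.0),
    ("2025-03-08", 120.0),   # real spend straight after a zero day
]

if __name__ == "__main__":
    for day, reason in evaluate_spend(SAMPLE_SPEND, SpendRule()):
        print(f"{day}: {reason} -> pause campaigns and notify the owner")
```

Note that the comparison is strictly "more than": a day that spends exactly three times the previous one does not trip the 200% rule, so set the threshold with that in mind.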
7. Avoid logging in over public Wi-Fi without a VPN
If you must use an open network, use a VPN. Facebook itself is served over HTTPS, so plain packet sniffing will not reveal your password; the real dangers on public Wi-Fi are rogue hotspots and captive-portal pages that imitate a login screen, and a VPN shields you from the network operator but not from a phishing page you type your password into.
How to do it:
- Install a trusted VPN application (e.g. NordVPN, ExpressVPN).
- Enable VPN BEFORE connection to the public network
- Avoid logging into sensitive accounts on public networks
- Set up automatic VPN connection for untrusted networks
8. Verify senders of emails and messages
Check sender domains carefully and don't click suspicious links. Meta NEVER asks for your password via email.
How to do it:
- Check the sender's full email address (not just the displayed name)
- Don't open attachments from unknown sources
- Verify link URLs before clicking (hover the cursor over the link and read the address; look at the real domain, not just whether the word "facebook" appears somewhere in it)
- Meta communicates through the notification center - check messages there, not through external links
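The two checks this section and Anna's story describe, verifying the sender's real domain and the real hostname behind a link, are easy to get wrong by eye, so here they are as an added example in Python (not code from the original article). It shows the tricks the manual check has to survive: a reassuring display name on a foreign address, `facebook.com` used as a subdomain of an attacker's domain, and `facebook.com@evil.net`, where the browser treats everything before `@` as a username. The trusted-domain sets, the `triage_email` helper and the sample email are assumptions constructed for illustration.

```python
"""Added example (not from the original article): scripted versions of the
checks the article tells readers to do by hand on a suspicious "Meta" email:
the sender's real domain and the real hostname behind each link.
The trusted-domain sets are assumptions for illustration, not an official list."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: domains Meta uses for notification mail and for login/business pages.
TRUSTED_MAIL_DOMAINS = {"facebookmail.com", "facebook.com", "meta.com", "fb.com"}
TRUSTED_LINK_HOSTS = {"facebook.com", "meta.com", "instagram.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname ('mail.facebookmail.com' -> 'facebookmail.com').
    Enough for the TLDs used here; a real tool would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain_trusted(from_header: str) -> bool:
    """Judge the address in the From header, never the display name."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    return registrable_domain(addr.rsplit("@", 1)[1]) in TRUSTED_MAIL_DOMAINS


def link_host_trusted(url: str) -> bool:
    """True only for a trusted host or a subdomain of one. urlparse().hostname
    drops userinfo and port, so 'https://facebook.com@evil.net/' is judged as
    'evil.net', and 'facebook.com.evil.net' fails the suffix test."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_LINK_HOSTS)


def triage_email(raw_message: str) -> dict:
    """Return the findings to look at before touching any link in the message."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    display_name, _addr = parseaddr(from_header)
    sender_ok = sender_domain_trusted(from_header)
    # Display name invokes Meta/Facebook/Instagram while the real domain is not theirs.
    spoofed_name = (not sender_ok) and bool(
        re.search(r"meta|facebook|instagram", display_name, re.IGNORECASE))
    body = msg.get_payload() if not msg.is_multipart() else "".join(
        part.get_payload() for part in msg.walk()
        if part.get_content_type() == "text/plain")
    bad_links = [u for u in URL_RE.findall(body) if not link_host_trusted(u)]
    return {"sender_ok": sender_ok, "display_name_spoof": spoofed_name,
            "bad_links": bad_links}


# Constructed sample in the style of the message Anna received (not a real email).
SAMPLE_PHISH = """From: "Meta Business Support" <alerts@meta-security-team.com>
To: anna@example-jewelry.shop
Subject: Your ad account has been restricted
Content-Type: text/plain; charset=utf-8

Your ads are paused. Verify your account within 24 hours:
https://facebook.com.account-verify-center.net/login
"""

if __name__ == "__main__":
    print(triage_email(SAMPLE_PHISH))
```

A message that fails either check should be treated as phishing: open facebook.com yourself and look at the notification center instead of following the link.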
9. Apply the principle of least privilege (PoLP)
Give users and colleagues only the roles they need to perform their duties. Not everyone needs full administrator privileges.
How to do it:
- Go to Business Manager > Users > People
- Review the permissions of each person
- Modify roles, limiting access to only the necessary elements
- Set specific permissions for individual advertising accounts
- Regularly audit the list of users and their permissions
10. Add a second administrator with full control
This is an additional "lifeline" in case the main account is taken over. Make sure the second administrator has a different password and a different 2FA authentication device.
How to do it:
- Create a new dedicated email account for the second administrator
- Add this person as an administrator in Business Manager
- Grant that account full admin rights
- Make sure the second administrator also follows all of the security rules above
- Keep the second administrator's credentials separate from the first one's: ideally it is a different person with their own password manager and 2FA device; if it is a dedicated break-glass account, store its password and backup codes offline, where a compromise of the main admin's computer or vault does not expose them too
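Points 9 and 10 both come down to periodically reading the Business Manager user list with a few questions in mind: how many admins are there, do they belong to the company, is anyone dormant, and is there at least one backup admin. As an added example (not code from the original article, and not an official Meta tool), here is that audit run over a constructed user list. The record shape is an assumption modelled loosely on the id/name/email/role fields a user list shows; `last_active` and `pending_invite` are assumed extra fields, and the thresholds are illustrative.

```python
"""Added example (not from the original article): an access audit over a
constructed Business Manager user list, applying the least-privilege checks
of point 9 and the "second admin" check of point 10. Record shape, extra
fields and thresholds are assumptions for illustration."""
from datetime import date, timedelta

MAX_ADMINS = 2          # assumed: the owner plus one backup admin
STALE_AFTER_DAYS = 90   # assumed: a quarter without activity means the access is unused


def audit_business_users(users: list[dict], company_domain: str, today: date) -> list[tuple[str, str]]:
    """Return (who, issue) pairs; '*' marks an account-wide finding."""
    findings: list[tuple[str, str]] = []
    admins = [u for u in users if u["role"] == "ADMIN"]
    if len(admins) > MAX_ADMINS:
        findings.append(("*", "too_many_admins"))
    if len(admins) < 2:
        findings.append(("*", "single_admin"))  # no lifeline if the owner is locked out
    for u in users:
        who = u["email"]
        domain = who.rsplit("@", 1)[-1].lower()
        if u["role"] == "ADMIN" and domain != company_domain:
            findings.append((who, "admin_outside_company_domain"))
        if u.get("pending_invite"):
            # An invitation nobody remembers sending is a classic takeover trace.
            findings.append((who, "pending_invite"))
        elif u.get("last_active") is not None and (today - u["last_active"]).days > STALE_AFTER_DAYS:
            findings.append((who, "inactive_90d"))
    return findings


TODAY = date(2025, 3, 10)
# Constructed users, not real people or accounts.
SAMPLE_USERS = [
    {"id": "1", "name": "Owner", "email": "owner@shop.example", "role": "ADMIN",
     "last_active": TODAY - timedelta(days=3)},
    {"id": "2", "name": "Backup admin", "email": "backup-admin@shop.example", "role": "ADMIN",
     "last_active": TODAY - timedelta(days=10)},
    {"id": "3", "name": "Bob (agency)", "email": "agency.bob@gmail.com", "role": "ADMIN",
     "last_active": TODAY - timedelta(days=120)},
    {"id": "4", "name": "Intern", "email": "intern@shop.example", "role": "EMPLOYEE",
     "last_active": TODAY - timedelta(days=200)},
    {"id": "5", "name": "Designer", "email": "designer@shop.example", "role": "EMPLOYEE",
     "last_active": TODAY - timedelta(days=5)},
    {"id": "6", "name": "user99", "email": "unknown.user99@mail.example", "role": "ADMIN",
     "last_active": None, "pending_invite": True},
]

if __name__ == "__main__":
    for who, issue in audit_business_users(SAMPLE_USERS, "shop.example", TODAY):
        print(f"{who}: {issue}")
```

Every finding maps to an action in Business Manager > Users > People: downgrade or remove the agency admin, remove the stale intern, cancel the unknown invitation, and only then confirm that the two remaining admins are the ones you intended.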
5-minute Meta account security check
Verify that your account is properly secured by answering the following questions:
- Is my password at least 16 characters long, unique to this account, and does it contain numbers and special characters?
- Do I have two-step verification (2FA) enabled?
- Do I check my account login notifications?
- Do I have a daily spending limit set?
- Do I regularly check who has access to my advertising account?
✅ For every "YES" answer - your account is more secure!
❌ For every "NO" answer - you have a gap that needs to be fixed NOW!
Securing Meta Ads accounts - summary
Implementing the above practices significantly reduces the risk of Meta Ads account takeover. Remember that cybersecurity is a process, not a one-time action. Regularly audit access, educate your team and monitor activity.
Need professional help securing your Meta Ads account or recovering a seized account? Our security experts are ready to help. Schedule a free 15-minute consultation.
FAQ - frequently asked questions
Why do I need to secure a private account first and then a Meta Ads account?
Because the private account is the owner/administrator of the Business Manager, fanpages and advertising account. Taking over the profile = access to all resources, launching campaigns and changing administrators.
I've seen suspicious spending in Meta Ads - what are the first steps "right now"?
1) Change the password and log out of all other sessions. 2) Enable 2FA and a passkey. 3) Pause all campaigns and set an account spending limit. 4) Remove unknown people and partners in Business Manager. 5) Check the payment methods on the account and contact your bank and Meta Support.
2FA or passkey - which better protects a Meta account in 2025?
Preferably both: 2FA with an app (not SMS) plus a passkey (biometric or security-key login). Together they minimize the risk of phishing and password capture.
How do I set spending limits and alerts in Ad Manager to limit losses after an intrusion?
Set "Account Spending Limit" and automatic rules (e.g. pause when cost jumps by 200%). Enable budget overrun notifications and daily email alerts.
How to check and remove unsafe integrations, applications and API tokens?
Facebook → Settings → "Apps and Websites" - delete unused ones. Business Manager → Users → "System Users" - delete unnecessary tokens and integrations that are not needed.
How to securely manage access in Business Manager (PoLP) and why a second administrator?
Give only necessary roles (minimum privilege rule), limit the number of admins, do monthly access audits. A second admin with full control is a lifeline if the main account is taken over.
How to recognize Meta-related phishing and not get caught?
Check the sender's domain and URL (don't click shortened links), don't give your password via email/DM, only log in directly via facebook.com or the app. Avoid public Wi-Fi without a VPN, keep your antivirus updated.