What to Do If Your Meta Ad Account Gets Hacked

Last week, one of our client's ad accounts was hacked.

We were pretty lucky as it was a Friday night, and if it weren't for my colleague who randomly checked the account, noticed a brand new campaign with a huge daily budget.

We resolved the issue within hours after tracing the hack to an employee’s compromised Facebook account.

We blocked the debit card connected to the ads and removed the personal profile from all assets in Business Manager.

But more about this later on.

If this has never happened to you, count yourself lucky—but don’t assume it never will.

Ad account hacks are more common than ever, and they can cost you real money, get your account banned, and even damage your brand reputation.

This week, we’re tackling how to secure your Business Manager and recover fast if you get hacked. 

Let’s dive in.

🔒 How to Secure Your Business Manager

Your Business Manager is your ad fortress—lock it down!

First of all, here is what you can do to prevent a hack and secure your Business Portfolio assets.

STEP 1:

✅ Enable Two-Factor Authentication (2FA) for Everyone

Go to Business Settings > Security Center and turn on 2FA for ALL users (not just admins).

This will force all Business Portfolio users to enable 2FA.

If they don't comply, just kick them out.

STEP 2:

✅ Add a trusted back-up admin.

This user could be a trusted co-worker who knows their way around Meta Business Manager.

For example, I have a trusted marketing agency partner, and we help out each other with this one.

It's not always about competition, it's about partnerships.

STEP 3:

✅ Add trusted users with Full control for approvals

Meta recommends having 3 users with Full Control for added security.

This allows approval of credit line requests, access changes, and ensures someone always has top-level control if suspicious activity occurs.

Hackers exploit the weakest link—don’t let that be your team members.

This is what happened to our client. One of the employee's personal Facebook account got hacked, even with 2FA.

Fortunately, we had access via their Business Portfolio with a Full Control user, so we could act quickly and stop the attack.

STEP 4:

✅ Verify your business with Meta (if you can)

You can verifiy your business also in Security Center.

You can learn more about how can you become eligible to be verified here.

If your business is verified you'll have an extra layer of protection under Protect important actions.

Here you can set up 3 kind of protections: Default, Extra and Custom.

Each is well explained by Meta. See image below for reference:

STEP 5:

✅ Audit Your Users & Permissions

Go to Business Settings > People and check who has access.

If you see old employees, unknown users, or random public email domains accounts (like gmail)—kick them out immediately.

STEP 6:

✅ Lock Down Your Personal Facebook & Instagram Accounts, and everything else

As mentioned in Step 1, make sure all users enable 2FA but not only on Meta products, but everywhere.

If a hacker gets access to your personal profile, they can get into your Business Manager.

Use a strong password + 2FA to add an extra layer of protection.

So, let’s assume you have all of these precautions, yet you still got compromised.

Here is an easy step-by-step on how to deal with a hacked Ad Account.

⚠️ What to Do If You Got Hacked

If you suspect your ad account has been hacked, act fast.

STEP 1: Freeze Your Payment Method

🚨 This is the most important step, so start with this!

Hackers burn through ad budgets fast. Call your bank or remove your credit card from Meta immediately to stop unauthorized spending.

This is what we did wit our client. We called him and he got the card blocked immediately.

STEP 2: Check for Suspicious Logins & Users

Go to your personal profile Settings > Security Center > Where You’re Logged In.

Unfamiliar logins from other countries? That’s a red flag—act fast!

Also, check if hackers added themselves as admins—they love this trick.

If you see new admins in Business Manager, then kick them out ASAP!

Contact all users, admins especially, and ask them to do the same and visit this below link and check if they personal profiles are secured or not:  facebook.com/hacked.

STEP 3: Remove the Compromised Profile (If Applicable)

If the attack came from personal Facebook account, deactivate or delete it, if you can log in.

Go to Settings > Account Ownership and Control > Deactivation and Deletion. This severs access.

If the comprimised accoutn cannot log in, try to recover the account via the link above.

This is what we did in our case. We managed to remove the user from the Business Manager.

It was a bit tricky as we needed an approval form another full control admin (super admin).

After the affected user reclaimed his Facebook profile, he tried to remove himself (in case of more damage), he still needed an approval from another admin.

Late Friday night, we reached out to the other super admin and successfully removed the compromised user.

4️⃣ Report the Hack to Meta ASAP Go to Meta’s Business Help Center and file a report with:

• Your Business Manager ID (found in Business Settings > Business Info)

• Your Ad Account Number

• Screenshots of unauthorized activity

📌 Pro Tip: Be persistent! Meta’s response time can be slow, so follow up multiple times if needed.

⚡ Snackable Challenge: Secure Your Ad Account in 5 Minutes

Take 5 minutes and do the following:

1. Turn on 2FA for your entire team. 

2. Ask all admins directly to enable 2FA, or they will be kicked out.

3. Add a trusted backup admin.

4. Remove suspicious and inactive users from the Business Manager

Reply 'Done!' once your Business Manager is locked down.

Let’s keep those hackers out!

📩 P.S. If this was helpful, forward it to a fellow advertiser who needs to see it!