Last year, we showed that it was easier than you might expect to hijack a Facebook page and lock out the original admin.
Here’s a video I made at the time, where I showed just how page hijacking could occur.
Facebook page hijacking is an important issue, because so many companies and celebrities treat their Facebook page as a critical part of their marketing activity, with some brands having millions of fans.
Don’t forget – a Facebook page which has been hijacked could be used to spread malicious links, spam or scams, all in your brand’s name!
The good news is that Facebook has now improved protection for Facebook page administrators. Rather than hand over the keys to the entire Facebook page to a fellow admin (and effectively give them as much power as you, the original administrator), you can assign them lower rights – which can prevent them from removing you as an admin.
Under the newly introduced system, page admins can be assigned specific roles: The most powerful role remains “Manager”, but there is also “Content Creator”, “Moderator”, “Advertiser” and – at the bottom rank – “Insight Analyst”.
Facebook page managers have the power to send messages, view insights and create posts and adverts. Crucially, they are also the only role which can access admin roles, and remove other administrators.
In the past, staff who simply wanted to access a Facebook page’s admin panel to view statistics on how users were engaging with it, or to run advertising campaigns, needed full admin rights – something which could be a disaster waiting to happen.
Facebook’s Help Center describes the different roles for page administrators.
It’s great to see Facebook maturing its system in this way. If you’re in charge of a Facebook page, and sharing access to the page with other people, you would be wise to check the roles used by your co-admins now – and adjust them as required.
Here’s how you check who is an admin on a Facebook page that you administrate:
- Open your Page’s admin panel
- Click Edit Page
- From the left column menu, click Admin Roles
- Type the names of other people you’d like to add in the open field
- Click Manager below the name to choose what kind of admin you want to add
- Click Save Changes
Giving a co-admin too much power may bite you in the bottom later, if their account is compromised or if they become mutinous and try to hijack control of the page from you.
If you’re a Facebook user and want to keep up on the latest threats and security news I would recommend you join the Sophos Facebook page – where more than 180,000 people regularly discuss the latest attacks.
I really like this idea. I've seen so many page owners get the shaft from a rogue admin.
Excellent post and thanks for the info GC!
I claim full credit for this new improvement over Page admins etc.
I had a page with 19k followers, Ocean conservation theme. I was locked out in just this way by a jealous co-admin that I had brought on to the team to help. I was able to prove to Facebook that I was the page creator and had the page closed down. My name was muck for a long time in the conservation world for that.
Since that day, almost a year ago, I have sent an untold number of communications to Facebook requesting that implementation, I even sent a message to the big 'Z' so wondering if that landed.
Maybe they were planning this all along but it's nice to dream! I welcome the change. I have since built my business page to almost 22k followers, Ocean sports, and as such welcome the option for designating specific admins with respective access to their role responsibilities.
Cheers.
So what happens now when the sole superadmin dies or leaves?
What about Group pages? They can be hijacked too!
Thanks
This was originally posted 3 or 4 years ago. Has FB resolved it yet? It's really incredible they would allow this.
Also, they should create roles where people can do everything in the page, but have no admin rights to persons and roles. It's like they never worked for a real business before.