There’s no denying it: we got hacked. Here’s what we learned and what you can learn, too.
On Wednesday, August 12, at approximately 3:30am, a barrage of malicious postings found their way to three of the University of Michigan’s most popular Facebook pages: Michigan Football, Michigan Basketball, and Michigan Athletics. Our Department of Information Technology Services (ITS) was first alerted to the inappropriate content by our user community. Community members across many of our other social properties also reached out with comments and direct messages. By 5am ITS in turn had notified the University Director of Social Media, the Office of Public Affairs and Internal Communications, and the Department of Public Safety and Security. Likewise, members of Michigan Athletics’ external communications staff awoke to a multitude of notifications, voicemails, and text messages. By 6am the story of our hacking and a full array of screenshots were being discussed across the airwaves and on online news outlets.
After quickly establishing that this was not the work of a disgruntled employee, and confirming that we had lost all administrative access to the accounts, we began furiously flagging content, pages, and any Facebook organizational contacts we could find. As the owners of the sixth-largest higher-ed Facebook audience in the nation and the largest pages in collegiate athletics for football and basketball, one might think we have Facebook on speed-dial; however, that was not the case. Further complicating the situation was the fact that many of the contacts we did have were in a variety of time zones, and many were still sleeping. In the end, it was actually Facebook’s London (UK) team that came to our rescue, thanks to a connection made through a former agency peer who then reached out to a Facebook client partner at one of Michigan’s robust auto industry social teams.
Simultaneously, the University of Michigan social leadership team was alerted by UMSocial to implement password changes on all official accounts and to immediately assess any and all third-party applications that had been granted access to publish on the pages' behalf. This team comprises one representative from each primary unit across U-M's three campuses. Each individual is tasked with regular communication with UMSocial, as well as with communicating best practices, strategy, and other pertinent information to all administrators of subsidiary social media accounts within their areas. Michigan Athletics' associate athletic director for external communications and public relations also initiated a group distribution text message with key stakeholders and leadership throughout the university to keep them apprised of the developing situation.
At 7:42am, in collaboration with Public Affairs and Michigan Athletics, UMSocial issued the first acknowledgment of the hacking situation on the overarching University of Michigan social properties. Ensuring that our vast social communities were aware we were working diligently to rectify the situation in a timely manner was of utmost importance to us, and clear, transparent communications proved to be a valuable tool as the events of the day unfolded. The multi-phased communications approach covered internal and external audiences and media relations, while providing broad-based education about the day's events and how they impacted various groups.
At 8:38am Facebook took control of and unpublished the three compromised pages. Within 15 minutes, university page administrators had been re-credentialed and the process of cleaning the accounts began. By 10am the pages had gone live once again and we notified our audiences and key stakeholders that the situation had been contained…or so we thought.
Just after the noon hour, a second wave of attacks was triggered on the previously affected pages as a result of our efforts to alter delegated privileges on the remaining page administrators. It was at this point that we were able to determine that the actions were linked to a specific employee's personal account, and we relayed that information to ITS and Facebook, which allowed us to determine the original source of the security breach. Following an extensive investigation, Facebook determined that the hack was part of a sophisticated phishing scheme found within Facebook Messenger that has affected many other brands.
Once the hackers gained access to the personal account, they were then able to access any page to which the individual had administrative privileges. Internally, ITS focused their efforts on assessing potential risk to our data and systems. Their thorough evaluation revealed that the hack was contained to the social platforms, and did not affect confidential data or servers.
According to Facebook, the following two scripted messages reflect what the individual may have received:
Dear Nikki Sunstrum,
Data that you have filled do not match your fanpage, precisely the Security Question, and Answer do not match in your records.
Please fill the application again.
[Malicious link was here]
Facebook Support Center
Dear Nikki Sunstrum,
Data that you have filled do not match your fanpage please fill the application again
[Malicious link was here]
Facebook Support Center
Upon clicking the links, users are directed to a form that looks like a page to validate Facebook credentials, but in fact is not an authorized Facebook site. Facebook provided the following tips for further future protection, which we have implemented as a standard of best practice and instructed all University of Michigan social properties to adopt as part of our use guidelines.
- Facebook will never send official communication via Messenger.
- Never enter your password anywhere but facebook.com. Scammers often set up fake pages to look like a FB login page so it’s important to always check that you’re really logging into www.facebook.com.
- Watch out for fake pages/apps as well as “official” links using URL shorteners such as the gl links from the phishing messages.
- Try to keep the number of admins to a minimum.
- Ensure that Admin and Editor roles have login approvals turned on. This will add an additional layer of security when someone attempts to log in from an unrecognized device.
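The second and third tips above amount to a check that can be automated before anyone clicks a link in a Messenger note. The following Python is an added example, not code from the original post or from Facebook: it treats only https links whose host is facebook.com or a subdomain of it as legitimate, flags URL shorteners (the shortener list and the sample message with its lookalike host are constructed here for illustration), and marks everything else, including the common "facebook.com" prefix on an unrelated host and "user@host" tricks, as suspicious.

```python
import re
from urllib.parse import urlsplit

# Only the real Facebook host family counts as a legitimate login destination.
LEGIT_SUFFIXES = ("facebook.com",)
# Constructed, non-exhaustive list of URL shorteners to flag for manual review.
SHORTENERS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com", "ow.ly"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_link(url: str) -> str:
    """Return 'legit', 'shortener' or 'suspicious' for one link."""
    parts = urlsplit(url.strip())
    # .hostname drops any userinfo, so "facebook.com@evil.example" resolves to evil.example.
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return "suspicious"
    if host in SHORTENERS:
        return "shortener"
    # Punycode labels (xn--) can hide homograph lookalikes of facebook.com.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious"
    for suffix in LEGIT_SUFFIXES:
        # Match the bare domain or a real subdomain, never a host that merely starts with it.
        if host == suffix or host.endswith("." + suffix):
            # The genuine login page is served over https only (a deliberate choice here).
            return "legit" if parts.scheme == "https" else "suspicious"
    return "suspicious"


def scan_message(text: str) -> list:
    """Extract every http(s) link from a message and classify it."""
    return [(url, classify_link(url)) for url in URL_RE.findall(text)]


# Constructed sample modelled on the scripted messages quoted above; the hosts are placeholders.
SAMPLE_MESSAGE = """Dear Page Admin,
Data that you have filled do not match your fanpage please fill the application again
https://www.facebook.com.security-check.example/login
https://goo.gl/placeholder
Facebook Support Center"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict:10s} {url}")
```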
Before the close of business on August 12, we had debrief and exploratory third-party application meetings on the books. We intentionally eased back into normal operations on social accounts, and did not fully resume them until individual responses had been issued to every single message Michigan Athletics had received. The next day we gathered to discuss what went well, and provided summary information on the status of all accounts to leadership. We also monitored and measured the reach and impact of the conversation repeatedly as it unfolded. Overall, our brand pages saw a nominal increase in followers, while our individual sport pages experienced a very minimal decrease. When compared to other topics surrounding the University of Michigan brand over the last seven days, the hack ranked fifth out of 10.
For us, the moral of the story was clear. Password security isn’t enough – even the most well-trained social media professionals are still subject to human error. The best we can do is take every necessary precaution to incorporate additional levels of security. Collectively, we have initiated the implementation of two-step authentication procedures, and are continuing to evaluate third-party security applications. Lastly, at Facebook’s recommendation, we are also researching Facebook Business Manager.
It is our hope that, by highlighting the steps taken and lessons learned, we might prevent future attacks and educate our peer institutions on how to safeguard themselves as well.
If you have experienced a similar event and are interested in sharing your case study, please feel free to contact us at firstname.lastname@example.org. Additionally, if you have questions, please reach out to me on Twitter @NikkiSunstrum.
#StaySocial, #StayConnected, #StaySafe
Written by @NikkiSunstrum, University of Michigan Director of Social Media