Facebook Pages can be an essential tool for businesses and charities, making it possible to connect with almost 2 billion active Facebook users. But there is a downside: It is very easy to for a Page to be hijacked.

Each Facebook Page is managed by one or more administrator. The user creating the page becomes the first administrator, and may grant other users one of six roles: Admin, Editor, Moderator, Advertiser, Analyst, and Live Contributor. Admins can perform all functions. Editors can perform every function except managing page roles and settings. Other roles have fewer privileges.

Many organizations choose to have more than one administrator. If one leaves or is unavailable, another can maintain the page. In-house, contracted, and volunteer designers also may require admin rights to update some page settings. Unfortunately, Facebook allows any Page administrator to remove all other administrators. A rogue admin, or hacked admin account, can result in the organization being locked out of their Facebook Page.

Last week, Sit With Me, an Ottawa-based dog rescue, faced exactly that scenario. “Our Facebook Page is our number one communication tool,” explained board member Ashley Ladouceur. The volunteer-operated all-breed dog rescue has about 16,000 likes on their Facebook Page, where it posts information including dogs available for adoption. These are often shared, providing the group with an even larger reach. According to Ladouceur, Sit With Me often meets urgent fundraising requirements within days of posting a request for assistance on their Page.

On May 11 or 12, 2017, the Facebook and email account of a Sit With Me volunteer with admin on the Page was compromised. On the May 14, all the other administrators were removed, presumably by the intruder. As the victim worked to regain access to her email and Facebook account, her Facebook account was either deleted or otherwise deactivated. The delay suggests that Sit With Me was not the intended target, but that hasn’t helped them regain control of their Facebook Page.

According to Ladouceur, the group has been able to ascertain from Facebook that there are no administrators remaining on the Page. They were still trying to make contact with someone at Facebook to help them when their Page completely disappeared on the evening of May 21.

The group remains hopeful that Facebook will come through for them and restore access to their Facebook Page. “Without it, I don’t know how we would re-start,” Ladouceur said. Sit With Me averages between 85 and 120 dogs in their care, some of whom require expensive medical attention.

Sit With Me is not the first organization to face a hostile takeover of their Facebook Page. As is the case with many free services, very limited assistance is available. Facebook’s help page suggests the obvious:

“If you can’t access your Page, first check to see if another admin of the Page may have removed you. The best thing you can do is contact a Page admin and ask them to add you back. Keep in mind that there are different kinds of Page roles, and only admins can add or remove people.

Pages can only be accessed through a personal account that belongs to an admin. If you think your Page was taken over by someone else, it may mean that your personal account or the account of someone who works on your Page was hacked.”

Unfortunately, Facebook doesn’t directly address the concerns of an organization that has completely lost control of their Page. They should introduce enhanced controls, such as requiring multiple administrators to approve removing an administrator, and provide better security guidance in general. Until that happens, here is what Facebook Page owners can do to help protect themselves against Page hijacking:

Everyone with a role on the page needs to secure their Facebook account. That includes selecting a long, complex password that is used only for Facebook and turning on two-factor authentication (2FA). Facebook’s 2FA options are more limited than other sites, but they do support Fido U2F tokens and sending a 6-digit code via SMS. While not perfect, enabling these options provide significantly better security than a password alone.

The Facebook Page Admin role should only be granted when absolutely necessary. If a web designer requires Admin access to change page settings, it should only be provided for a limited time. The vast majority of tasks can be accomplished using the Editor role.

Facebook password resets leverage the user’s primary email account, making security of the email account critical. Google and Microsoft offer 2FA for free and paid email accounts; everyone should use it.

Facebook did not respond to an email inquiry asking for information and advice for Facebook Page users.