Cataloging classes everywhere have a new final exam for students—cataloging spam posts on a hacked Facebook page.
For almost 31 hours over Labor Day weekend, the American Library Association’s Facebook page was controlled by a hacker who posted decidedly un-library-like content and removed all ALA admins. While ALA’s Social Media Team scrambled to find a way to regain access to the page, new spam posts were going up every 20 minutes like clockwork.
It was a challenging and stressful situation for staff, who realized the problem immediately after it happened but were unable to do anything. The GetHuman phone number listed for Facebook worked, but nothing happened when we’d press a menu number. None of the solutions we Googled or found in the Facebook help section worked. Links to Facebook pages took us in circles. We tweeted @Facebook, but there was no answer. Hundreds of staff and ALA supporters used the option on each post to report that the page had been hacked, but that only resulted in messages from Facebook that they didn’t consider the post spam. Seriously?
A few hours into the hack, librarian Erica Jesonis (@ejesonis) saw our tweet and post in the ALA Think Tank Facebook group, and offered to relay information to a friend who worked at Facebook to see if he could help. He was able to get a support ticket submitted, but given the holiday weekend in the US, we didn’t know when someone would act on it. And still the posts continued.
In the meantime, though, our Facebook page had become a magical place where the whole situation started making us laugh because librarians had decided to start having some fun with the hackers.
Led by Todd Fishburn-Grooten and Steve Kemple, hundreds of librarians and supporters began posting in the comments, everything from discussion questions to pictures of related books and links to helpful WorldCat titles. Instead of cringing as each new spam post was published, we decided to go along for the ride and enjoy the awesome display of librarian humor. With each new post, you didn’t let us down (nor did you run around and desert us). We couldn’t sleep anyway, but now we wanted to stay up. We were torn between hoping there wouldn’t be another post, and wondering what the commenters would say next.
Around 10:00 p.m. on Sunday night, Megan Estey Butterfield used the Think Tank group to get in touch with us because she, too, had a friend at Facebook. Between Erica’s friend and Megan’s friend and the 4,765 people who reported our page as spam/hacked, we’re not sure what finally worked to get our access restored, but we’re grateful to everyone who tried to help.
We still need to sit down and debrief everything but in the spirit of the help we received, here’s what we’ve learned so far that can help others.
- We believe the hack started when a staff member clicked on a phishing email, but we’ve also heard there might have been some additional issues that contributed to the hack. We haven’t heard from Facebook directly at this point, so we only have secondhand information, but the single most important thing we all need to do is have every staff member with access to an ALA social media account implement Two-Factor Authentication (TFA).
ALA is very decentralized, which is sometimes a problem when it comes to enforcing standards, but this is too important and we just have to do it. In Facebook, TFA is called “Login Approvals,” so go there right now and turn it on if you haven’t already.
It adds an extra step to logging in on new devices or browsers, but if you do this now you won’t have to go through what we did because someone else logged in as you. It’s not a 100% guarantee nothing will ever happen, but it’s the single best thing you can do.
Then go turn on TFA at Google, Twitter, and for any other services you use for your library. You should do this for your personal accounts, too, but at least implement this on your library ones. We can’t stress this enough. Don’t let an excuse like organizational hierarchy or size prevent you from doing this. Learn from our mistake!
- Participate in the online libraryland world, because someday they might come to your rescue in a crisis. Whether it’s the ALA Think Tank on Facebook, the Library Society of the World, an ALA mailing list, or another corner of our profession, have a place you can go to ask for help. The pool of people who know people will always be changing, so even if we all create a list of names, it isn’t enough on its own.
And when you join in a group, don’t just show up there when you need help—be there for others because we’re all in this together. If nothing else, they’ll provide support and make you smile when you didn’t think you could, and that means a lot in a crisis.
- If you have more than one person on your social media accounts, make sure you have a designated channel you can use to communicate, even on a holiday weekend. Relying on email might not be the best route, so what’s the one way you’re 100% sure you can get hold of someone? In our case it was SMS, but we realized too late that we didn’t have everyone’s cell phone number. We thought we had a handle on this kind of thing, but it turns out we didn’t. In the future, we will, and we’ll keep the list updated.
- Immediately start using your alternate channels to communicate. We couldn’t post to our Facebook page, but we posted in other places on Facebook and on Twitter to get the word out and ask for help.
- One of the things you can do while you’re helplessly staring at your hacked page is to start planning the first post you’ll make when you do get it back. Figure out the tone you’ll take based on how things are going and what you’ll say, because you can’t ignore that this happened. We didn’t actually prepare something ahead of time, but we should have.
- Facebook did email the admins that they’d been kicked off the page, but some of the messages went to staff junk folders. Be sure to whitelist firstname.lastname@example.org so that you can get that message if they send it to you.
- Looking back, we probably should have set up shifts to monitor the page throughout the night. It was difficult not to just spend 24 hours straight glued to the screen, but the few of us available to help out tried to take breaks and cover for each other. However, by the 31-hour mark (1 a.m.), we were exhausted and asleep. We didn’t even know we’d gotten control back. In fact, when we logged on for the first time around 6 a.m., there were still 14 spam posts waiting to go live that we immediately deleted.
We were lucky that our community understood what was happening (for the most part) and was having fun with each new post, but if this was happening to your library, you’d want to delete every possible post in the queue before it publishes, which means having someone watching the page at all hours.
- We were so lucky that the library community helped us out, and we think there needs to be a discussion about how the library world comes together to do this when any library gets hacked. Because it will happen, and we should be ready. The organic nature of the response to our hack was amazing, but would it work on a library’s page?
P.S. We can tell you right now that if your library page/account gets hacked, let us know and we’ll do our best to boost your call for help and then do whatever we can to help.
- Try to keep a sense of humor! It was so hard not to feel heartsick every time a new spam post went out, but being able to laugh at the comments from our community really helped keep us sane. Engaging with the community building up in the comments gave us a more positive outlet for the frustration, and it drew everyone together.
- It was a holiday weekend, but everything we’ve read online about other people’s experiences says that even during the working day, it can take 24–48 hours to get your page back after it’s been hacked. Yes, the trigger for the hack was our fault, but it seems that if 4,765 people report a page as spam/hacked within a 31-hour time frame, the issue should be escalated to a human for resolution.
We know people try to game the system all the time, and we know Facebook is ginormous and they’re literally dealing with a billion users and millions of support issues every day. But there has to be a way for Facebook to let the admin(s) of a verified page report a hack. There has to be a way to write code so that when this happens, software checks whether a new admin was just added and others removed, whether the new posts look suspicious, whether anyone else is reporting the page as hacked, and so on. At least put an automatic freeze on posting to the page until a human can look at it. And if you’re an international company, maybe employees not celebrating a national holiday can monitor alerts for hacks in other countries.
We don’t pretend to know the full context of what life is like at Facebook, but there has to be a way to do this. A big thank you to the person at Facebook who finally restored our access. Let’s figure out a way to make that happen faster for everyone.
Then let’s continue the discussion about securing Google, Instagram, Pinterest, Tumblr, Twitter, etc.
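To make the takeover heuristic above concrete, here is an added example (not Facebook’s code, and not part of the original post) that scores three signals from the incident over a constructed page event log: admins removed and a new admin added within minutes of each other, posts going out at a machine-regular cadence, and a surge of “hacked” reports. The event format, thresholds and the decision to freeze posting are all assumptions made for the example.

```python
from datetime import datetime, timedelta

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

# Constructed event log modelled on the incident: (timestamp, kind, detail).
# Kinds: admin_removed, admin_added, post, report. All values are hypothetical.
INCIDENT_EVENTS = [
    ("2015-09-05 18:00", "admin_removed", "ala_admin_1"),
    ("2015-09-05 18:00", "admin_removed", "ala_admin_2"),
    ("2015-09-05 18:01", "admin_added", "unknown_account"),
    ("2015-09-05 18:05", "post", "spam 1"),
    ("2015-09-05 18:25", "post", "spam 2"),   # every 20 minutes like clockwork
    ("2015-09-05 18:45", "post", "spam 3"),
    ("2015-09-05 19:05", "post", "spam 4"),
] + [("2015-09-05 20:%02d" % i, "report", "user%d" % i) for i in range(60)]

# A normal day: one admin added (nobody removed), a few irregular posts, two reports.
BENIGN_EVENTS = [
    ("2015-09-05 09:00", "admin_added", "new_staff_member"),
    ("2015-09-05 09:30", "post", "event reminder"),
    ("2015-09-05 13:10", "post", "new books"),
    ("2015-09-05 18:45", "post", "weekend hours"),
    ("2015-09-05 19:00", "report", "user1"),
    ("2015-09-05 19:30", "report", "user2"),
]

def admin_swap(events, window=timedelta(minutes=15)):
    """True if an admin was added within `window` of at least one admin removal."""
    added = [parse(t) for t, k, _ in events if k == "admin_added"]
    removed = [parse(t) for t, k, _ in events if k == "admin_removed"]
    return any(abs(a - r) <= window for a in added for r in removed)

def regular_cadence(events, tolerance=timedelta(minutes=2), min_posts=4):
    """True if the posts are spaced at a near-constant interval, which suggests automation."""
    times = sorted(parse(t) for t, k, _ in events if k == "post")
    if len(times) < min_posts:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    return max(gaps) - min(gaps) <= tolerance

def report_surge(events, threshold=50):
    """True once enough distinct users have reported the page as spam/hacked."""
    return len({d for _, k, d in events if k == "report"}) >= threshold

def assess(events):
    """Combine the signals: two or more freezes posting; an admin swap alone escalates to a human."""
    signals = {"admin_swap": admin_swap(events),
               "regular_cadence": regular_cadence(events),
               "report_surge": report_surge(events)}
    score = sum(signals.values())
    return {"signals": signals, "freeze_posting": score >= 2,
            "escalate_to_human": signals["admin_swap"] or score >= 2}

if __name__ == "__main__":
    print(assess(INCIDENT_EVENTS))
    print(assess(BENIGN_EVENTS))
```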
Update: Check out this dramatic reenactment of #ALAHackgate2015 using Legos!