‘Catastrophic damage’: Facebook silent on three hour delay in recovering UNSW page after hack
Facebook has refused to comment on why it took more than three hours to respond after the page of one of Australia’s biggest universities was hacked during its open day on Saturday.
A hacker took control of the University of New South Wales’ (UNSW) Facebook page on Saturday, posting images of semi-clad women and headlines including “the best sex he’s ever had” on one of its most important days of the year.
According to reports it took more than three hours for the university to reach support teams with Facebook in Australia and internationally, despite the university being understood to have an assigned account manager.
A spokeswoman for Facebook refused to comment on the details of the hijack, or the length of time it took to regain control of the page, but said: “We are working closely with UNSW to establish what occurred on the weekend.”
While the university did eventually regain control of the page, which has more than 360,000 likes, it was hacked again last night.
The incident has prompted warnings from social media experts for brands to be more aware of their own social media action plans.
“Brands need to plan before they sign up and engage on a platform,” said Karalee Evans, digital and social strategy with Method. “They need security planning, admin access passwords, they have to keep a central email and not create brand pages with a personal employee’s email as the primary contact.
“I suspect that all of those things are what UNSW have not done – which is why you see such catastrophic damage.”
One of the posts upload on the UNSW page on the weekend.
UNSW and Facebook were today asked what had occurred on the weekend and what processes the social giant has to protect brands, both big and small, when a social hijack does occurs.
During the hijacking the G8 university’s page was bombarded with images such as rapper Nicky Minaj in a bra and thong and photos of porn star Mia Khalifa.
The posts quickly gained traction online with many users mocking the hijack and calling into question UNSW’s online competence.
Among the many posts were comments from users such as this from Timmy Cheng: “I want to ask whether there is any admins here, and why so many X-rated, adult content? (sic)”
Student Joni Lee commented: “All that tuition… clearly wasn’t spent on (online) security.”
While Harrison Weir wrote: “Excellent clickbait articles. 10/10 would enrol in a bachelor’s of Mia Khalifa studies.”
Evans, who was previously head of social at DDB Australia, said that it was likely a number of people had access to the UNSW Facebook page.
“All it takes is for someone to get in with an email,” she said. “Maybe it’s an employee that’s left or a student who did some work with them and all it takes is to go in and remove all the other administrators and then bang they have got the page.
“Whoever is doing it obviously had access, which is not too hard because most of these big pages have multiple administrators.”
Evans noted that after regaining access on Saturday the university and Facebook appears to have failed to lock down that page, allowing whoever was behind the stunt to repeat it on Sunday night.
The university later tweeted an apology for the second hijack: 
“(The second hijack) tells me they didn’t regain control after the first initial hack on Saturday,” said Evans. “Brands need to be aware that it is very easy if you have editor status to remove every other admin.
“For it to happen again tells me there’s no code problem with Facebook, rather it would be a policy problem on UNSW’s side.”
Evans said anyone with a brand Facebook page, Twitter account or other social media presence needs to think about what steps will they take should they lose control of their social media presence.
“They need support from the platform themselves,” said Evans. “For Facebook it depends what tier you are on, in terms of if you have got your own dedicated account manager then your first phone call is to them.
“If you don’t have a dedicated account manager there are two options. One is the brand live chat option, a new function that was launched recently for brands and advertisers in Australia, if that doesn’t work is to try and call Facebook. It’s so rudimentary but it is important.
“For UNSW they would probably have an account manager and I suspect it wouldn’t have been too hard for them but if it was a small bakery that’s a different scenario.”
Evans noted that every brand should know what they do in the event someone takes control of their social media.
“If you are playing on platforms that you don’t own – it’s not your website or you’re not paying the server provider’s bills – the first thing you have to figure out is figure out who the lines of communication are to that platform.”
A spokesman for UNSW told Mumbrella: “There was a second security breach of UNSW’s Facebook page late last night.
“The University regained control of the pages early this morning and the offensive posts were removed. UNSW has put in place additional security measures around its Facebook pages and will be discussing with Facebook the level of support available 24/7.”
Rival social platform Twitter also weighed in on the hijacking, when asked about their social process, a spokesman noted: “Any Twitter advertiser or user can leverage the global presence of our safety teams around the clock if their account has been hacked or for any other assistance through the online forms available at support.twitter.com.
“Major brands and partners also have dedicated named account teams that can assist them in emergency situations whenever they arise, and our team regularly supports our advertisers and partners outside of standard office hours.”
Nic Christensen
This isn’t good enough! Pages spend big money advertising on Facebook and they’re continuously slow to act on matters like this. Facebook reps are pretty much useless too. I know that at Swarm Conference this was a running theme – social media managers fed up with the lack of support.
User ID not verified.
Fool me once, shame on you. Fool me… you can’t get fooled again.
User ID not verified.
“catastrophic damage.” Has your ‘expert’ calculated that? If so, how?
No-one is suggesting that having pictures of porn stars on your facebook page is a good thing, but I’d suggest that there is no way of knowing what damage, if any, has really been caused for quite some time.
A couple of shitty tweets from consumers does not equate to “catastrophic damage.”
User ID not verified.
No one faced wit ha choice of studying at UTS or UNSW said to themselves after the attack “hmm, better go with UTS”
User ID not verified.
Doesn’t seem to have hurt too badly;
https://www.facebook.com/unsw/likes
User ID not verified.
It was hilarious last night, mildly amusing this morning and boring this afternoon. Attention spans on social media are short.
User ID not verified.
It events like this that reinforce the importance of using a Social Relationship Platform such as Hootsuite that adds layers of security on top of the basic Facebook native app. With Hootsuite, one can have many people with different levels of access to the main Facebook account, and if one is compromised, easily disable that account without losing control of the Facebook account itself.
User ID not verified.
Some student with lots of time on their hands!! and hacking ability
User ID not verified.
Would I be correct in stating that anyone who has a Facebook account, uses their real name, real d.o.b., real mobile number and posts recognisable photo’s of themselves is in real danger of having their identity hacked?
Case in point:
I just went onto Facebook and set myself a challenge to try to find the d.o.b, siblings, parents, friends, place of work, (loads of info about a person). I went on a mission and for one person who is a friend (on Facebook), but in real life I would call them an acquaintance, I was able to gather:
Full name with middle name. Wifes full name. Town where he lives. Who he banks with (re on activity I saw that he was b)llocking them about a charge. Mobile number (re shared it as he got a new phone… Where he works. Mum’s maiden name (she has it in brackets and her profile is open…)
When could the BIG Facebook hack occur and what could that mean?
User ID not verified.
It’s called managing your administrators and changing your passwords. Nothing to do with the platform – everything to do with the page administrators.
User ID not verified.
Wow the best
User ID not verified.