Facebook Ads Account Hacked – $112,311 Stolen in Just 30 Minutes (Despite 2FA Protection)

A recent security breach has raised serious concerns among Facebook advertisers after a business account was hacked, resulting in $112,311 in fraudulent ad spend — all within just 30 minutes — despite Two-Factor Authentication (2FA) being enabled.

The attack occurred on March 31st, when hackers gained unauthorized access to a Facebook Business Manager account by exploiting a duplicated profile and an unknown email address. Once inside, they launched a large-scale advertising campaign, rapidly spending over $112,000 through the account’s linked credit line before Facebook's systems flagged the activity as suspicious and restricted the user’s profile.

Despite swift action by Facebook’s automated systems, the financial loss had already occurred. Weeks later, the advertiser's personal profile was reinstated, but issues persist: while the main ad account remains technically active, campaign spending is frozen, and the platform has yet to refund the stolen amount. Additionally, Meta (Facebook’s parent company) has continued to list the fraudulent $112K invoice as "due," creating further risk of account restrictions if the matter is not resolved before the payment deadline.

The Broader Implications

This incident highlights several alarming vulnerabilities:

  • 2FA Alone Is Not Enough: Although 2FA is a critical security measure, hackers can bypass it by stealing session tokens — effectively duplicating a user's authenticated session without needing their password or 2FA code. Malware or phishing attacks are common methods used to obtain these tokens.

  • Credit Lines Increase Risk: Hackers often target accounts linked to large credit lines because they can spend huge amounts before detection. Experts now recommend using prepaid cards or limiting payment methods to minimize exposure.

  • Delayed Response Times: Even when fraud is recognized, Meta’s resolution and refund processes are often slow, leaving affected businesses vulnerable for weeks or even months.

  • Potential Insider Risks: Some reports and investigations suggest that internal actors or vulnerabilities within Meta may contribute to these breaches, although the company has not publicly acknowledged such claims.

Legal Action May Be Necessary

In cases like this, filing police reports and working through standard Meta support channels often proves insufficient. Legal experts recommend that businesses consider direct legal action against Meta itself to expedite refunds and protect their interests, even though Meta may also be seen as a victim of the hack.

Many users across forums and social media have shared similar experiences, emphasizing persistent vulnerabilities in Facebook's platform security. Some have reported taking more than a year to resolve issues, while others had to abandon old accounts and rebuild from scratch.

Best Practices to Protect Facebook Ad Accounts

  • Regularly log out of Facebook sessions to invalidate tokens.

  • Use app-based authentication (like Google Authenticator) instead of SMS-based 2FA.

  • Avoid linking large credit lines directly to ad accounts.

  • Monitor all login activities and connected devices through Business Manager settings.

  • Consider setting lower spending limits on accounts and cards.

  • Train teams on phishing and cybersecurity best practices.

Conclusion

The Facebook ad ecosystem remains a vital platform for businesses, but as this incident shows, even the most secure accounts can fall victim to sophisticated hacking attempts. Companies must stay vigilant, enhance their security strategies, and be prepared to escalate issues quickly to avoid major financial and operational fallout.

Facebook Ads Account Hacked – $112,311 Stolen in 30 Minutes (2FA Was Enabled)
by u/FunFan9794 in r/FacebookAds
