Businesses and individuals using Facebook Pages are getting booted off their fanpage with no way back on, and it's costing some of them money.
Typically, the administrator tries to access the Page, only to discover that someone else has managed to get admin privileges and then deleted their admin status.
Because they are no longer an admin of the Page, they have no standing with Facebook and no way of getting rid of the usurper and are usually told by the social network that the only option they have is to report it as "infringing or violating their rights" so that it will be deleted. But for many users, this is a difficult option to swallow after months, or even years, spent building up their fanbase.
Ali Naqvi, owner and director of 123vouchercodes.co.uk, lost his Page around three months ago at great cost to his business.
"We had 6,000 fans who were genuine followers interested in our updates and clicking away. The clicks brought in about 10 to 15 per cent traffic every month," he told The Reg. "My webpage does about 50,000 unique visits a month – it's not huge, but at the same time, whatever traffic is there, 10 to 15 per cent is a big chunk of that."
After months of trying to get help from Facebook, Naqvi has resorted to starting a new Page, but it's not a solution he's happy with.
"I've actually started a new Page already, but the take-up is slow," he said. "I spent two years building the 6,000 fan base and I've just started now so it's only a couple of hundred on there. It's not the same, it's not going to bring the same amount of traffic."
Many users believed that the original creator of the Page could never be removed as administrator, as stated in its own help pages, but Facebook denies this.
A Facebook spokesperson told The Reg that original administrators could be removed, adding that this had benefits for businesses because they could delete people who had left the company.
Graham Cluley, senior technology consultant at Sophos Security, said this presented serious risks for businesses using Pages.
"I'm sure there are many people who run Facebook Pages who take the help page's word [on original creators] at face value, and believed it to be a safety net should anything ever go wrong. I certainly believed it to be true, which is why I was so surprised when I tested it for myself to find how simple it was to kick out the original admin," he said.
Without that safety net, someone outside the company could convince an administrator to give them access for marketing purposes or some other service and then take control of the Page, or any legitimate additional admins could have their computer hacked, resulting in everyone getting kicked off the Page, Cluley added.
"If you run a Page with a lot of fans that's a big problem – both for the fans (who might receive spam, malicious messages etc) and for your firm's brand," he said.
Other users who have lost their Pages have taken to the forums to vent their frustration at the lack of help from Facebook, and at the oft-quoted phrase from company that Pages "cannot be hacked".
The spokesperson also said that Facebook Pages could not be hacked and said the only way they could be taken over was if the email and password login were found out somehow, for example through phishing – which might be a little too much like splitting hairs for a lot of users.
"As long as the current administrators of a group keep their login details secure, keep their account enabled, and do not allow any suspicious people to become admins, then the group or Page will remain secure," Facebook said.
Naqvi said he had little interest in how his Page was hacked, but he wondered why, if a hacker had his Facebook login details, they hadn't taken over his profile along with his Page.
Facebook's spokesperson also said the site had a "host" of advanced tools to help people stay in control of their accounts, including login notifications, which let you save the devices you use to access your account, and "recent activity", where you can look at your recent activity and remotely close open sessions.
"Unfortunately, Facebook is not able to reinstate people as an admin for any group or page so, as always, we advise people to practice good online security," they said.
But Cluley said he didn't understand why it should be difficult for Facebook to reinstate original admins.
"After all, they presumably have a log of who originally created a page," he said. "Even if they aren't prepared to put in a system to do that – why can't they code Facebook to do what its help pages say it will do? Either block attempts to remove the original admin, or send a request to the original admin asking if they agree to be removed from their administrator role.
"That would surely help prevent hijacks like this one taking place." ®