Hi everyone,
I want to tell you about two account break-ins that happened recently, because if you run ads anywhere, the same thing can happen to you. One hit a business we work with. The other hit a business we know of. Neither saw it coming.

Giphy
Someone spent $14,684 of an ad budget before anyone noticed
A business we work with had their ad account hijacked. Not by guessing a password. The attacker copied a trusted browser session and walked straight in, past the password and past two-factor. Once inside, they swapped in fake ads, pushed the daily budget from about $93 to roughly half a million dollars, and spent $14,684 before anyone caught it.
Here is the part that should stop you cold: two-factor was on the whole time. It did not matter, because the attacker never needed to log in. They rode in on a session the browser already trusted.
And it is not just a Facebook problem. We know of another business hit the same way on the Google side. That one ended better, caught fast and reversed before real money was lost, because the account had a backup layer of access the attacker did not control.
The difference between a scare and a five-figure loss often comes down to who can lock the intruder out, and how fast.
The two gaps almost nobody checks
Two doors get left open more than any others, and both are about access.
The first is ownership. If your agency set up your accounts under their umbrella, they hold owner-level control, and you cannot see how they protect it. You should be the primary owner of everything your business runs on, with agencies and partners added as users you can remove, never the reverse.
The second is cleanup. Access does not expire on its own. We have asked former clients more than once to remove our access after we parted ways, and some platforms will not let us remove ourselves. Every stale connection is an open door in both directions. Keep your user list tight, and prune it the day someone no longer needs to be on it.

The good news: closing the doors takes about ten minutes
Security is not one setting you flip once. It is a set of doors, and most accounts have three or four left open that nobody has checked in years, including logins still active from as far back as 2017. Here is where to start:

Turn on a passkey, not just an app or text code for two-factor.
Log out of every old session you do not recognize.
Review the apps connected to your Facebook and Google logins, and remove the ones you do not use.
Check who has access to your ad accounts, and cut anyone who should not be there, including agencies or freelancers from relationships that have ended.
Set an alert for sudden budget changes, so you catch this in minutes, not days.
The full 11-point checklist is on the blog, the five above plus account ownership, stale access, and the other doors most people miss. Run it on your own accounts today. It is the fastest and most valuable ten minutes of protection you'll spend this year.
Talk soon,
Iulia Vasciuc
CEO, ScaledOn
P.S. Switching gears completely: on Wednesday, July 23 at 12pm ET, our Amazon Director, Dominic, breaks down the real Prime Day 2026 results and what they mean for any business, whether or not you sell on Amazon. Real numbers, straight talk, and our team live in the chat to take your questions. Save my spot →
🚀 More from ScaledOn:
💬 Your buyers search differently now. See where your marketing is losing them. Book a 30-min call.
🔎 Invisible in ChatGPT, Perplexity, and Google AI? Most brands are. Get an AI Visibility Readiness Audit.
🎙️ Marketing changes fast, and it's hard to keep up. Our ScaledOn Sessions break down what actually impacts your business, with the team live in the chat to take your questions. Subscribe on YouTube.
🤝 Know a founder who needs us? Refer them and earn up to $500.



