The Café Owner Who Lost Access to Everything

A café owner used the same email and password for everything — when that email was breached, criminals took over her Facebook Business page, Google account, and booking system in one night.

Independent café (UK) · 2023

Attack Chain

  1. Email and password found in retail data breach
  2. Credentials tested across major platforms
  3. Google account accessed and recovery changed
  4. Facebook and website access chain-compromised

Background

A café owner in her 50s ran a popular neighbourhood café and had built up a Facebook following of 3,200 people over several years. She used Facebook to post her daily specials, promote events, and take enquiries. She used one email address and one password across Facebook, Google, her website login, and her booking platform.

The Attack

Her email address and password appeared in a data breach from an online retail site where she had shopped. Criminals tested the credentials across common services using automated tools. They gained access to her Google account, changed the recovery details, then used Google to reset her Facebook password. Within 12 hours her Facebook Business page was deleted, her Google account was locked, and her website booking system (linked to the Google account) was inaccessible.

Response

She spent three frantic days on hold with Google and Meta support. Her website developer helped restore the booking system from a backup. Facebook eventually restored the page after she submitted identity documentation, but all historical posts and customer messages were lost.

Outcome

She estimated losing approximately £2,000 in bookings during the disruption. The cost in time and stress was significant. Her Facebook page history — three years of posts, photos, and reviews — was permanently gone.

Key Takeaways

  1. Use a different password for every account — when one site is breached, criminals test those credentials everywhere
  2. Set up a recovery phone number and backup email on your Google account right now — it takes five minutes
  3. Two-factor authentication on Google and Facebook would have stopped this attack completely
  4. Your Google account is the master key to everything it's connected to — protect it as you would your bank account
  5. Back up your business Facebook content periodically using the Download Your Information feature
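
The chain above can be checked against your own account list. The following is an added example, not part of the original case study: it models which accounts fall once one site leaks a password, through reuse or through a password reset controlled by an already compromised account. Account names, password labels and the reset paths (Facebook, website and booking all resetting through Google) are constructed assumptions, and the model assumes a second factor blocks both reuse and reset.

```python
# Added example: every account name, label and reset link here is constructed.
# Assumed reset paths: which account's mailbox or sign-in controls a reset.
RESET_VIA = {"retail-site": None, "google": None, "facebook": "google",
             "website": "google", "booking": "google"}

def build_inventory(secrets, two_factor=()):
    """secrets maps account -> password label (a label, never the password)."""
    return {name: {"secret": secrets[name], "reset_via": RESET_VIA[name],
                   "two_factor": name in two_factor} for name in RESET_VIA}

def blast_radius(accounts, breached):
    """Return the accounts reachable after the `breached` site leaks its password."""
    leaked = accounts[breached]["secret"]
    fallen = {breached}
    changed = True
    while changed:  # repeat until no further account falls
        changed = False
        for name, acct in accounts.items():
            if name in fallen or acct["two_factor"]:
                continue  # assumption: a second factor blocks reuse and reset
            reused = acct["secret"] == leaked          # same password as the leak
            chained = acct["reset_via"] in fallen      # reset goes through a fallen account
            if reused or chained:
                fallen.add(name)
                changed = True
    return fallen

UNIQUE = {name: f"pw-{name}" for name in RESET_VIA}
SAME = dict.fromkeys(RESET_VIA, "pw-1")
# Unique passwords everywhere except Google, which still matches the retail site.
PARTIAL = {**UNIQUE, "retail-site": "pw-1", "google": "pw-1"}

def report():
    """Blast radius of the retail breach under three setups."""
    return {
        "as_in_case_study": blast_radius(build_inventory(SAME), "retail-site"),
        "google_still_reused": blast_radius(build_inventory(PARTIAL), "retail-site"),
        "unique_plus_google_2fa": blast_radius(
            build_inventory(UNIQUE, two_factor={"google"}), "retail-site"),
    }

if __name__ == "__main__":
    for scenario, fallen in report().items():
        print(f"{scenario}: {len(fallen)} of {len(RESET_VIA)} exposed -> {sorted(fallen)}")
```

The middle scenario is the one to notice: unique passwords on Facebook, the website and the booking system do not help while the Google account that controls their resets still shares the leaked password.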
password reuse · account takeover · Google · Facebook Business · credential stuffing