This is the simplest article we have written. The fix takes 15 minutes. The risk it closes is one of the most common attack paths against Filipino SMBs. The reason almost no one does it is also simple. Nobody owns it.
Marketing assumes IT manages the Page. IT assumes marketing manages the Page. The owner manages neither. The Page accumulates admins like a coffee shop accumulates regulars, and one day a former employee's personal Facebook account gets compromised, and the Page goes with it.
Below is the audit. Run it today. Then read the three short war stories that follow to understand why this matters.
The 15-minute Page audit
The 5-step Meta Business Suite audit
Log in to Business Manager
Go to business.facebook.com and log in with the account you use to manage the business. If your Page is on legacy Page Roles rather than Business Manager, open the Page directly and click Settings → Page Roles.
Pull the access list
From Business Manager, navigate to Settings → People and Assets → People. That is every individual with access to your Business Manager. From the same Settings menu, open Pages, and for each Page, click the name to see the Page-specific roles.
Read every name out loud
For each name, answer two questions. Does this person still work in the business? Do they need this level of access for their actual job today? If either answer is no, remove them.
Force MFA on the admins who stay
For every remaining admin, make sure their personal Facebook account has two-factor authentication enabled. We see Pages get hijacked when an admin reused a password on a service that got breached. MFA breaks that attack path. The setting is under Settings → Security and Login → Two-factor authentication. Use an authenticator app, not SMS.
Document and schedule the next review
Write down who has access, at what level, and when you last reviewed it. Put a recurring 15-minute calendar event on the books every quarter. Most SMB Pages drift back into admin sprawl because the review never recurs. Make it recurring and the problem stays fixed.
That is the audit. Total time: between 8 and 25 minutes depending on how many admins you start with.
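If you keep the step 5 record as a small CSV, the questions from steps 3 to 5 can be re-checked in seconds each quarter. The script below is an added example, not a Meta tool or export format: the column names, the sample names and the 92-day review interval are all assumptions, and the register is one you type by hand from the People list.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample register. Columns are hypothetical: fill them in by hand
# while reading Settings -> People; this is not a Meta export format.
ACCESS_REGISTER = """name,role,needed,mfa_app,last_reviewed
Ana Reyes,admin,yes,yes,2025-01-10
Ben Cruz,admin,yes,no,2025-01-10
Carla Santos,admin,yes,yes,2024-06-02
Dino Lim,editor,no,yes,2025-01-10
"""
CURRENT_STAFF = {"Ana Reyes", "Ben Cruz", "Dino Lim"}  # constructed roster
REVIEW_INTERVAL = timedelta(days=92)                    # assumed: one quarter


def audit(register_csv, staff, today):
    """Return (name, finding) tuples for every entry that needs action."""
    findings = []
    for row in csv.DictReader(io.StringIO(register_csv)):
        name = row["name"].strip()
        # Step 3, question 1: does this person still work in the business?
        if name not in staff:
            findings.append((name, "remove: no longer in the business"))
            continue  # nothing else matters once access is removed
        # Step 3, question 2: is this access needed for their job today?
        if row["needed"].strip().lower() != "yes":
            findings.append((name, "remove: access not needed for current job"))
            continue
        # Step 4: every remaining admin needs authenticator-app 2FA.
        is_admin = row["role"].strip().lower() == "admin"
        if is_admin and row["mfa_app"].strip().lower() != "yes":
            findings.append((name, "enable authenticator-app 2FA"))
        # Step 5: flag entries whose last review is older than the interval.
        reviewed = date.fromisoformat(row["last_reviewed"].strip())
        if today - reviewed > REVIEW_INTERVAL:
            findings.append((name, "review overdue"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(ACCESS_REGISTER, CURRENT_STAFF, date(2025, 3, 1)):
        print(f"{name}: {finding}")
```

An empty result means the register matches the roster, every admin has app-based 2FA, and the last review is within the interval.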
Three war stories from real engagements
Story 1: The 23-admin logistics company
A 65-person logistics firm in Quezon City retained us for a red team in mid-2024. During reconnaissance we pulled the publicly visible Page admins (Meta exposes some role information through the Page transparency report). Cross-referencing those names against LinkedIn, we identified 23 people listed as admins, 11 of whom had moved to other employers, several years before in some cases.
One of those former employees had been hired by a competitor. We do not know whether anyone exploited this access. We do know that the structural risk had been open for 14 months and the only reason it surfaced was our engagement.
The owner removed the 11 ex-employees during the call. Total time: 11 minutes. The fact that the cleanup took less time than the conversation about why it had not been done already was the part that bothered him most.
Story 2: The hijacked bakery Page
A small bakery owner in Makati contacted us in early 2025 after her Page was hijacked. The attacker had transferred the Page out of her Business Manager, changed the name to a generic crypto-trading scam, and was running ads against her audience of 38,000 followers.
The forensic timeline was straightforward. The owner had used the same password for her personal Facebook as she had used for an online clothing retailer that was breached in 2022. Her credentials had been on a public credential dump for over two years. Eventually a credential-stuffing tool tried that email-and-password combination against Facebook, succeeded, and the attacker noticed she was an admin of a profitable Page.
Recovery took 4 weeks of back-and-forth with Meta support. She lost an estimated PHP 280,000 in revenue while the Page was unavailable over that period. The bakery survived. The lesson, in her words, was that her personal Facebook password was a business asset and she had been treating it like a personal one.
Story 3: The disgruntled freelancer
A 22-person agency in Cebu had given a freelancer admin access to their Page during a campaign in late 2023. The freelance contract ended. Nobody removed her access. Eight months later, after a payment dispute the agency thought had been resolved, she logged in and posted a long public message on the Page criticising the agency's treatment of contractors.
The post was visible to the agency's 12,000 followers for nearly 6 hours before someone in management noticed and could remove it. By that point screenshots were circulating in industry Facebook groups. The reputational damage took 4 months to recover.
The fix that would have prevented this incident was a single click in the People section, executed at the moment the contract ended. The reason it never happened is that nobody's job description included it.
Why this is a red team finding
You might wonder why a CREST-certified offensive security team writes about Facebook Page admin hygiene. It seems like an IT admin task, not a security engagement.
The reason is that the Page sits at the intersection of three things attackers want. It carries brand authority (you can post anything and customers believe it is you). It controls customer communication (Messenger is your primary support and sales channel). And it owns ad accounts (which means it controls budget that can be redirected). For a Filipino SMB whose primary business runs through Facebook, the Page is the single most concentrated piece of digital trust the business owns.
When we map an SMB's attack surface during a red team, the Facebook Page is treated with the same seriousness as the email tenant or the accounting system. Often more, because the consequences of compromise are more visible to customers and slower to recover from. We test admin sprawl, password reuse against credential dumps, two-factor authentication coverage, recovery email security, and the ability to social-engineer access through Meta support.
The result, every time, is a finding. Sometimes a small one. Often a large one. The 15-minute audit closes most of it.
Run the audit. Then close this tab.
If you have read this far, the realistic question is whether you will actually open Meta Business Suite right now and run through the five steps above. The answer for most readers is no. They bookmark this page, or they screenshot the steps, or they tell themselves they will get to it Monday.
The 15-minute version of this problem solves itself today. The 11-month version is what brought the logistics firm to us. The 4-week recovery version is what happened to the bakery. Pick which version you want.