How do I spot a rogue System User?

In Business settings → System Users, look for any name you did not create, especially recently added ones. System Users do not log in like people, so an unfamiliar one with broad asset access is a strong signal of compromise.

Should I report this to Meta as well?

Yes — once contained, report the compromise through Meta's support channels and, if relevant, dispute the ad charges via Account Quality. Refunds are not guaranteed, so the bank dispute is your reliable backstop.

Recovery

How do I stop fraudulent ad spend after a portfolio hack?

The first moves after a portfolio hack: pause ads, lock payment methods, call your bank, then sweep People, Partners, and System Users for the attacker's back doors.

This is the containment checklist you run in the first hour of a Business Portfolio hack. The goal is simple: stop money leaving, then remove every way the attacker can get back in. The order matters — paying attention to payments before access keeps the financial damage from growing while you investigate.

If your situation is actually …

You want the full staged recovery, not just containment → Recover a hacked Business Portfolio →

Contain and audit

Stage 1 · Stabilize

Stop the money

Pause all active and scheduled campaigns immediately.
Where: Meta Ads Manager
Remove or lock every payment method on the affected ad accounts.
Where: Meta Business Suite → Billing & payments
Call your bank or card provider to flag the fraudulent charges and block further ones.
This protects you even if a token keeps trying to spend.

Stage 2 · Diagnose

Find the back doors

Review People for users you did not add.
Where: Meta Business Suite → Business settings → People
Review Partners for any partner business you do not recognise.
Where: Meta Business Suite → Business settings → Partners
Review System Users — the long-lived, non-human accounts attackers use to persist.
Where: Meta Business Suite → Business settings → System Users

Stage 3 · Reclaim

Remove and revoke

Remove unrecognised people and partners.
Where: Meta Business Suite → Business settings
Delete rogue System Users, and revoke or regenerate tokens for any you keep.
Until the token is gone, the attacker still has API access.
Where: Meta Business Suite → Business settings → System Users

Stage 4 · Harden

Lock it down

Turn on two-factor for everyone with access and require it in the Security Center.
Where: Meta Business Suite → Business settings → Security Center
Re-add a fresh payment method only after the portfolio is confirmed clean.

If this flow does not restore access: How to contact Meta support for access problems →

Frequently asked questions

Stop the ads and lock payments first. Removing the attacker matters, but money is leaving in real time, so containment of spend is the priority in the first few minutes.

Delvia

Access issues are easier to prevent when roles, owners, and responsibilities are recorded clearly

Most access problems trace back to the same gap — no clear record of who has access, what role they hold, and what should happen when that changes. Delvia helps you keep that record so problems are visible before they become incidents.

Delvia is free on iPhone and Android. Keep a clear record of who has access to your accounts — and what to do when that changes — wherever you are.

Download on theApp Store GET IT ONGoogle Play