The Harrowing Tale of The Underwater Realm's Hacked Facebook

The Harrowing Tale of The Underwater Realm's Hacked Facebook

As a creative professional, your marketing tools can be one of the most important aspects of your business. Facebook has always been a great place for your social marketing strategies, but what happens when that is stolen from you? It happened just recently with the creators of The Underwater Realm. This is their story.

The Underwater realm has been featured on Fstoppers several times, they have behind the scenes videos of both their project and an amazing underwater photoshoot with Benjamin Von Wong. They gained a huge following on Kickstarter to help fund the indie film and the results were amazing. They also have a fairly modest Facebook following. The Facebook fans number over 3,700 people and each like was due to hard work and dedication to the page as they documented two years of their journey while making the film.

That's all gone now.


© Lorenz Hideyoshi Ruwwe


An unknown hacker has recently gotten into their Facebook page and has deleted their entire timeline. Two long years of work gone in an instant, and if that didn't sting enough the hacker kept the likes, but now they're quickly dropping like flies.

David Reynolds, the director of The Underwater Realm explained how this could have happened so easily.




"I'm on a shoot in Saudi Arabia and I get back to London Heathrow Friday [around] lunchtime (24th). I go to check Facebook on my iPhone and no dice, the account is unavailable. Same on my iPad. I fire up the MBP to check what is going on. This is all over 3G so no dodgy wifi terminals. Logging in with Google Chrome reveals a message along the lines of 'your password may not be safe, especially if it is the same as your PayPal password - please change it'. I check that the page is the legitimate Facebook, and decide that this is consistent with my iOS errors, so change the password as prompted.

Concerned at the security blip I ask a friend to check my page for the usual, spam messages, dodgy posts etc... Nothing turns up, I count myself lucky. Bear in mind this is all my personal FB page nothing UWR related yet, although I am of course an admin to the page, but not the page creator.

Nothing happens until Sunday evening (26th) when suddenly I get a flurry of emails, tweets and texts from friends and fans saying, 'What the hell has happened to the UWR page?!'

A quick pow-wow with the other Realmers reveals that we have all been shut out of the page, no more admin access. 100% of the content has been erased or changed, basically everything except the title and the 3,700+ likes.The page is now full of generic images of eyes and contact lenses with no URL, and loads of angry messages from our followers. The likes are dropping like flies.




The loss is indescribable. The page has been up since the start of the project. It covers the entire $100k Kickstarter campaign. All of the updates, comments, highs and lows. It covers all of production, post, and release. It was a 'permanent' record of the project, the people that made it and the interaction with the community. It's times like this you realise how 'thin' twitter is by comparison.




Later that night my PayPal was billed for $40 'Facebook Ads', which I promptly reported for a swift Paypal refund.

The problem has been reported to Facebook in each of the few ways available to us. The general advice from Facebook help seems to be, 'if you have lost administrator rights to a page, someone must have removed you. Try talking to them, and being more careful about who is given admin rights on the page'. As far as I can tell this is similar to telling a bullied kid to choose his friends more carefully.

The offender must have used my account to give himself admin rights to UWR, then used those rights to remove the other eight admins before erasing two years worth of work. Somehow this is possible without raising any alarms with Facebook or notifying any of the page admins. It's terrifying!

I have reported the page theft and PayPal theft to Facebook, and have yet to receive a reply. PayPal replied and refunded the money within 24 hours.

Although, we remain hopeful that somehow Facebook will right this wrong and restore the admins and most importantly the irreplaceable content, Googling has turned up some frightening examples of much larger (in likes) pages than ours that have never been returned to their creators.

It's scary to think how fragile all this is. We don't even have a way of reaching out to the fan base to rebuild the community from scratch. These aren't just passive 'likes' either. This represents a thriving fan base responsible for a massive Kickstarter campaign and huge support to the team behind the films.

My advice: All I can say is this, at the first sniff of anything unusual on your personal page (or any of your admin's pages) immediately check and secure any pages you have access to.

The sad thing, the salt in the wound, is that there is no business or URL being promoted on the hacked page. It's just a wasteland of stock photos; and yet the user still has time to delete angry comments from our fans. Wanker."

-David Reynolds

So, what would you do if your page was hacked? Obviously Facebook needs some better way of handling these types of situations and as David said this isn't the first time that a page has been hacked and used without the original creator's intent, including Mark Zuckerberg's own Facebook fan page.

If the CEO of Facebook's own page isn't safe from being hacked who's to say that your own photography page isn't? So, what do you do to protect yourself? First, make sure that your Facebook is under secured browsing. Your url should start with 'https://' instead of the regular 'http://'. Make sure you have sorted out your privacy settings. Obviously choose who you share admin rights very carefully. While none of the admins on the UWR page were responsible this can be a common problem when it comes to Facebook pages. Make sure that your password is long and hard to figure out. The longer your password the more secure from bots ect...

Have any of you ever experienced this with your own social media marketing?

One of the fans from the Underwater Realm has made a new Facebook page to help the creators get their original page back. Please show your support, Give The Underwater Realm Their Page Back

Rebecca Britt's picture

Rebecca Britt is a South Texas based commercial, architectural and concert photographer. When she's not working Rebecca enjoys spending time with her two daughters, playing Diablo III, and shooting concerts (Electronic Dance Music). Rebecca also runs the largest collective of EDM (electronic dance music) photographers on social media.

Log in or register to post comments

Facebook, along with a bunch of other sites, turn on HTTPS by default. HTTPS only does 2 things: it guarantees that the website you're visiting is who they claim to be, and it protects your connection from being eavesdropped. These hacks come from within Facebook's server/code security, so if your page/account gets hacked, you're toast.

Of course, with vulnerabilities like border gateway protocol security and DNS poisoning, no one is safe.

Sorry, the geek in me couldn't resist.

Stop trolling my post, nerd!

Kidding. You know I love ya!

There's a big difference between being "hacked" and "phished." One is out of your control, and the other is due to a lack of judgement. This guy's personal account was phished, and as a result, they disrupted a page he was an admin on. Only one to blame is him, not Facebook or anyone else. Props to PayPal for acting so swiftly, but that's probably due to it being linked directly to a financial institution.

Sorry to hear about that, but this is the risk with using online tools like facebook, where you have absolutely no database control.

All off this could have been avoided if things would have been planed and done correctly.

First, every information you give, you must store on your computer. Make a word, make a folder where you store your pictures you'll post.
Second, own your website. It's so easy anyone can do it. From there, you install anytool you think it's best for you project, but I'll go with a wordpress example.
Third, you post on YOUR WEBSITE FIRST.
Fourth, you use plugins to allow social tools (facebook, twitter, g+) to connect to your website, grab the posts, and dispatch them.

If you do that, you will always be in control of the data you publish. It's a star-shaped system.
If you have a host that makes daily databases backups, even better.

Social media are wonderful tools, open ID makes it all easy, but if you're not aware of the risk or think the internet is all sunshine and rainbows, you're deng wrong.

It would be nice if they "versioned" your changes so that in a case like this you could revert to an earlier state.

My issue isn't that the page got hacked. Things happen, you should always be backed up, etc...

My issue is that Facebook is not supporting one of it's end users in getting the page and the content back. I would think that there would be steps Facebook could take to verify the new admin and find out why the 2 years of content were removed. If you do a google search, it is pretty obvious what sort of content is associated with "The Underwater Realm". I would think it is a red flag for Facebook that someone would remove all that content and put up eyewear content, AND that the original admins are fighting to get the page and content back.

Maybe it's the new wild west. You can do what you want with minimal, if any, consequences.

exactly. Facebook needs to have a clear way to contact someone in a case like this. Just needs to be a form or an email address.

FB let's you make a backup copy of your entire website- photos, posts, contacts - the entire thing- in case of a disaster like this and creates a massive .zip file that you can download and keep and later reupload. Very surprised this wasn't ever done by any of the administrators? Valuable lesson learned. Also, FB let's you do two-factor authentication which a challenge passcode being sent to your phone- only the owner(s) of the page can get in via this method and prevents phishing or guessing the primary password. Not sure if it's 100% rolled out house-wide on FB but i have that option on my page.

great info, i just activated all of the above. Thanks :)

That reminds me that i need to do that as well since it's been a year that i've done a full back up. :)

I'd be devastated if I lost my fan page one day... :/ Jeez

I think you just sent out a challenge to hackers.

You should probably backup your page now.

done :P !

There are so many ways to back up facebook with the features to download all your stuff to the desktop, if you ask me these guys pry just did this themselves to draw more attention to their page.

That is very horrible that someone would do that. These hackers should find something better to do. However, this does go to show that you need BOTH a website (with off-site backup), as well as a Facebook page (which is not backed up). Not just rely on Facebook (which is out of your hands, really).

"We don’t even have a way of reaching out to the fan base to rebuild the community from scratch. These aren’t just passive ‘likes’ either. This represents a thriving fan base responsible for a massive Kickstarter campaign and huge support to the team behind the films."

Well...wait a minute. So why aren't they using other channels to reach out to this base and let them know their Facebook page was hacked? From what I'm seeing, Underwater Realm has a Twitter that they can certainly blast out from. They can e-mail their base out of Kickstarter itself. They should also be notifying their YouTube subscribers, etc. This won't bring back every single user of their community, no, but to say "we have no tools to reach our fanbase" isn't totally the case.

I think what they need to decide is which is more important -- getting their fanbase back starting now, or trying to get their original page back. If it's the former, I'd bite the bullet, start from scratch, and post the new FB page on the old one as many times as humanly possible. Start blasting that word out all over the place! And update the links on the YouTube, website, and Vimeo pages, too, as right now everything's pointing to something that's not theirs at the moment.

The whole situation is awful and I really feel for these guys...hopefully Facebook will make it right!

Anyone relying on Facebook for a project of this size frankly needs their head examined. The proper way is to have your own domain and make FB merely a reflection of that.

No offense but I don't know why you wouldn't have had at least ONE other thing other than facebook that you were posting this stuff on. A tumblr? A blogspot? Anything?