Illustration of a hacker using session hijacking to steal information

Protecting Your Social Media from Hackers

* Time poor? Just want the answer without the context? Skip straight to the TLDR at the end of this post for the short summary!

Introduction

Social media is essential for wedding suppliers. It connects us with clients, showcases our work, and helps grow our businesses. But what happens if your account gets hacked? What would be the impact on your business?

A friend of mine went through a nightmare recently. In just 20 seconds, hackers took over his Facebook and Instagram accounts, locked him out, and spent £1,800 on ads using his PayPal. To make it worse, since PayPal was a pre-approved payment method for Meta, they sided with Meta and refused to refund his money!

To add insult to injury, even though he had paid for Meta verification, he still hasn’t regained access after six weeks. The very service that he was paying for to help him recover his account has let him down when he needed it the most!

He wasn’t careless or naive with his IT security either. His software was up to date, he used strong passwords, he had antivirus protection installed and he used two-factor authentication (2FA). Yet hackers still got in. How? Through session hijacking. All he did was open an infected email; he didn’t even click on anything!

What Is Session Hijacking?

Session hijacking is when hackers steal your browser cookies and use them to access your accounts without needing your password or 2FA. Cookies are small pieces of data your browser stores to keep you logged in. When stolen, they can trick platforms like Facebook and Instagram into thinking the hacker is you.

This method is dangerous because it bypasses passwords and security codes. The hacker doesn’t need to steal your credentials—they simply take over your active session.

Why Is Session Hijacking So Dangerous?

  • Difficult to detect – Your session data can be stolen simply by opening an email. Not opening the attachment, I mean literally just opening the email! Another popular route is hackers hijacking a Chrome extension that you already use. In both cases, you won’t know until it’s too late.
  • Works even with strong security – Antivirus, complex passwords, updated software and 2FA do not stop this attack. Hackers simply bypass the login checks because Facebook/Instagram wrongly believe the hacker’s computer is actually you.

Best Practices to Stay Safe

  • Log out after using your social media.
  • Use strong, unique passwords and a password manager (Check out Bitwarden which is totally FREE!)
  • Be cautious with browser extensions – some may steal cookies.
  • Regularly clear cookies and cache to reduce risk.

How to Protect Your Social Media Accounts

There are two steps you can take to improve security. The following works on Google Chrome and Brave. If you are using a different browser built on the Chromium engine, this may not work, so you may have to check with that browser’s support team for further instructions.

1. Enable Bound Session Credentials

Google introduced this setting in April 2024, but hasn’t really publicised it, and it is turned off by default. This feature makes session hijacking harder to exploit by tying your login session to your specific machine using your CPU’s Trusted Platform Module (TPM). This means that if a hacker steals your session cookies, they won’t work on another device. Computers made after 2016 should have a TPM, so this should not be an issue unless you are using very old hardware.

  • Open a new tab and type into your browser: chrome://flags#enable-bound-session-credentials
  • Set it to Enabled
  • Relaunch your browser

Screenshot of Chrome with the bound session credentials flag screen

2. Turn on Enhanced Safe Browsing

This setting provides stronger protection against phishing and malicious sites.

  • Go to Settings
  • Select Privacy & Security
  • Click Security
  • Under Safe Browsing, select Enhanced Protection

Turning on Chrome enhanced protection

Conclusion

Session hijacking is an awful hack that I’ve seen happen to too many of my fellow wedding suppliers. Up until now, it has been a constant worry, since there seemed to be little we could do to defend ourselves. I’ve tried switching browsers and logging out after each session, but given how pervasive Chrome is and the inconvenience of repeatedly logging in and out, it’s been a struggle to balance working efficiently with security.

Whilst I’m not going to guarantee you now can’t be hacked, enabling enhanced safe browsing and bound session credentials will make it much harder for hackers to gain access to your social media accounts and cause havoc.

Until Meta implements passkeys and/or Chrome turns on bound session credentials by default, session hijacking will remain a huge threat that could cost you thousands of pounds of your hard-earned cash, cause heaps of worry and possibly lose you years of hard work on your social media accounts. I hope the above tips will help you keep one step ahead of the hackers! Stay safe out there!

Sources:

Chromium Blog

Keeper Security

NordPass

TLDR

If you’ve clicked on this then you just want the answer(s) without the context or background. So here it is:

  • Go to Settings
  • Select Privacy & Security
  • Click Security
  • Under Safe Browsing, select Enhanced Protection
  • Open a new tab and type into your browser: chrome://flags#enable-bound-session-credentials
  • Set it to Enabled
  • Relaunch your browser

That’s it! The above should help you keep one step ahead of the hackers! Stay safe out there!