As a Lead Community Trainer with Facebook Australia & New Zealand, I end up being a person who fields a lot of support questions about Facebook & Instagram. Everything from asking why Facebook won’t show their page posts to more people, to the worst-case scenario — a hacked Facebook account. And sadly, that one has been coming up a lot recently.

Case 1 was a man who was running multiple Facebook pages and groups when he was hacked. He was quickly kicked off those pages as an Administrator and his advertising account on Facebook was used to send ads for fast-moving consumer goods from a fake store in India.

Case 2 was a woman whose home renovation business was heavily dependent upon advertising and lead generation from Facebook. Most of her new business and messages were coming from Facebook. So when she was hacked, she was immediately downgraded to an editor of her Facebook page. She was still able to post and get messages, until the hacker started posting stuff that violated Facebook’s Community Standards. And that stuff was so bad that Facebook banned her account within 24 hours of the hacking taking place.

Case 3 was an all-too-similar story. This time they got in via her email. She had spent 10 years cultivating a community of followers through her three business pages. She had 10 years of memories, photos, experiences and friendships gained. They were all gone within 48 hours of a panicked non-response to an email from Facebook warning that someone had tried to log in to her account and that she needed to verify if it was her or not. She didn’t. And by the time she did try to do something about it over a week later, it was too late. Facebook had refused her late actions.

The problem with all three of these cases comes down to passwords. Easy to guess, easy to reverse-engineer and easy-to-take-advantage-of passwords. In two of the cases, their passwords hadn’t changed since before 2014. And worst of all, they use the same password on almost everything they log in to.

A decade of cybersecurity horror stories on television news. Countless warnings from the Australian government. Countless state and territory government workshops, seminars, reports, warnings, television and radio ads. I’ve lost count of the number of cybersecurity workshops I’ve had to cancel in the last two years because small business owners are simply not interested in it. It’s not as cool as learning to make graphics in Canva. It’s not as interesting as learning how to make great posts on Facebook. It’s not as sexy as learning how to turn LinkedIn into a digital sales funnel.

There is a reason why, upon sign-up, and at many times during the life of your Facebook accounts and Gmail accounts and LinkedIn accounts and bank accounts, companies ask you… no… practically plead with you to enable 2-factor or multi-factor authentication, even by doing something as little as enabling your phone to receive a text message to verify any major changes or unrecognised logins to your accounts.

It’s for moments just like these.

But of course, it won’t happen to me. Why would a hacker be interested in my account? I’m just a small business in Darwin or Townsville or Bargo or Yackandandah. It couldn’t possibly happen to me.

In 2010 my Twitter account was hijacked by Russian hackers. I never got it back. In 2016 my Facebook account was hacked. I never got it back. In 2017 my Facebook ads account was banned. It’s never been reversed. Naturally I have started a new Twitter profile. And a new Facebook profile. And set up a new Facebook ads account. But only after I lost years of travel photos, memories and work history.

It happened to me. It happened to them. It will happen to you.

Get better passwords. Don’t use the same one on multiple accounts. Use a password manager like LastPass. Don’t make a password that uses the name of your husband, child, grandchild, dog, suburb or anything that someone could guess based on your Facebook posts, photos, online profile information or by just looking at your desk at work. Frighteningly, over 80% of passwords can be guessed fairly quickly using those things.

You’ve been told almost all of your digital life to not do those things. So when you continue to do them, it’s not Facebook’s fault that you’re losing business. It’s not Google’s fault that someone is sending disgusting emails from your address. It’s your fault.

Prioritise your online security. Now.

Dante St James is a founder of Clickstarter and a Lead Community Trainer with Facebook Australia and New Zealand.