The ALA lost control of its Facebook page over the weekend so this seems like a pretty good time to review IT Security! Any size small or midsized organization is difficult, if not impossible to secure. It's very easy to overlook things and leave ourselves vulnerable to things like this.
Who/Why: That person that did it, it's probably their job. They're most likely professionals, either they get paid by others, or this is the life they've carved out for themselves. If you're lucky enough to have a considerable numbers of followers/friends, you'll be a target eventually. Chances are good it's not personal, it's just business. These people are probably just trying to make money. It may also be you're just a small step in a much larger campaign.
How: Mostly likely one of three ways. One of the people with the login credentials gave it away. Either they had their email account compromised, or maybe one of their devices was hacked. It could be someone used an infected public network and gave it away without knowing it. It could be someone was “spear fished” and replied to an email that looked like it came from someone else. Maybe someone lost a password in another compromise and that same password was reused.
Review Your Settings: Take a look at all the security and privacy settings. Now. And again every few months. Facebook has an especially wide range of settings you can change. Those controls are all there for you to limit risk, control who can see what on your profiles, and make things better for you. There are settings in there to help you recover from a comprimied account as well.
Passwords: Make them LONG, at least 20 characters. Make sure you know who has access and how they are storing those passwords. Every single accounts needs a long, strong, unique, rare password. Better yet, a different email account for every account as well. Change that password monthly. Checkout all the different password managers out there, I use LastPass, but there are many more.
Be suspicious: Funny looking emails or links in social media are DANGEROUS. If you're not 100% sure of the source, either ask or just hit delete.
Stay in control: Know who in the library has access to what. Your library needs to have control over who is posting what. The more people that have logins, the less secure things become. Try HootSuite or other managers and you can give access without giving away the credentials.
Who and what else has access: Check those 3rd party apps that have been authorized and make sure you know what they can do and why. Get rid of everything you don't need.
A few good tips to follow in general...
1. Keep EVERYTHING on your ALL devices updated.
2. Keep your web browsers ALL updated.
3. Run some security and privacy plugins on your browsers.
4. Train. Have someone like Alison Macrina (https://libraryfreedomproject.org/contact/) or Me come in and spend a few hours with your staff.
5. Turn on second factor authentication.
6. Keep things backed up!