I don't understand the step where the author is logging in with Facebook.
Was that a legit OAuth 2.0/OpenID Connect log in? (In this case this must have been OAuth 2.0 with a scope giving the application write access to business stuff.)
Or was it a phishing page in which the author gave his facebook password?
I believe it was actually OAuth or else FB would have likely blocked the login from another country or at the bare minimum sent OP a suspicious login email.
Was that a legit OAuth 2.0/OpenID Connect log in? (In this case this must have been OAuth 2.0 with a scope giving the application write access to business stuff.)
Or was it a phishing page in which the author gave his facebook password?