Then the receipts started coming. Someone had paid for two Facebook advertisements totalling $308 with the credit card she'd saved to her account.
The receipts sent to Mrs Lyons, of Pt Chevalier, show one of the advertisements, worth $285, was for a Norwegian sports shoe website and the other, worth $16.57, was for a Wikipedia page about Martin Luther King Jnr's Birmingham campaign in Alabama.
The hackers also added a Hong Kong phone number to her account.
Mrs Lyons, a communications contractor at the New Zealand Breast Cancer Foundation, had assumed her credit card details were secure because such a flaw in Facebook's security would be detrimental to a company now publicly listed.
To make payments with a card previously saved on the site, users just have to re-enter their password.
Mrs Lyons has deleted her credit card details from Facebook and wants others to be aware of the problem. She's also told her bank that the charge wasn't hers and has tried to contact Facebook, but hasn't been able to make direct contact.
"Facebook is such a faceless organisation. The only response I've had from Facebook is some lame security settings that tell you to reset your password."
Mrs Lyons emailed Facebook telling them to reverse the charges after they messaged her on Saturday warning there had been some irregular activity on her account and that she needed to secure it.
Netsafe chief executive Martin Cocker said people needed to be cautious of any sites that suggest you save credit information for future use.
He said people needed to choose strong passwords which use numbers and capital letters.
"If someone else logs on to your account then they can use your card. But what they can't do usually, if the system is appropriately set up, is use the details of your credit card outside of the system."
People who want to contact a non-friend can now pay 65c to send the message to a person's inbox with an automatic alert, or send the message for free to a less visible folder.