Breach, Threat Management, Data Security, Network Security

Facebook users’ data, private messages found up for sale online

Facebook is reportedly suggesting that malicious browser extensions may be behind yet another data breach affecting users of the social media platform – this one involving at least 257,256 stolen profiles, including 81,208 that included private messages.

Journalists from the BBC, aided by researchers from Digital Shadows, began investigating the matter last September after seeing the accounts advertised on BlackHat SEO, an English-speaking internet forum. The seller, who went by the name “FBSaler,” offered to sell details from as many as 120 million Facebook accounts, while posting the 257,000+ profiles as a sample. (The researchers have expressed doubt that the perpetrator truly possesses 120 million accounts, and the original post has since been removed.)

A Nov. 2 Digital Shadows blog and BBC article confirmed that the posted dataset contains user names, addresses contact numbers, user interests and, in some cases, friends, groups and private messages. A large contingent of victims – 30 percent – are based in Ukraine, while nine percent reside in Russia. But users in the U.S., the U.K. and Brazil were also notably affected.

According to BBC and the researchers, Facebook is blaming the incident on malicious browser extensions, thus denying fault on its part. The company, however, reportedly did not name the specific extensions, and Digital Shadows said Facebook has "still not been definitive about this," and "the method used to obtain the accounts remains unconfirmed."

Guy Rosen, VP of product management at Facebook, shared the same theory with SC Media. “Based on our investigation so far, we believe this information was obtained through malicious browser extensions installed off of Facebook," said Rosen. "We have contacted browser makers to ensure that known malicious extensions are no longer available to download in their stores and to share information that could help identify additional extensions that may be related. We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts. We encourage people to check the browser extensions they've installed and remove any that they don't fully trust. As we continue to investigate, we will take action to secure people's accounts as appropriate.”

"Regardless of attribution, motives and the method of collection, the exposure of private messages where people share information they would not usually post publicly on their Facebook feeds is a potentially worrying development," wrote Digital Shadows Senior Strategy and Research Analyst Rafael Amado. "Sensitive information may be used for extortion of identity fraud, while it’s not unheard of for individuals to share financial information such as banking details over private messages."

Digital Shadows also noted that one of the websites where the data was published was apparently set up in St. Petersburg and its IP addresses has been used before to spread LokiBot password-stealing malware.

Facebook is already beleaguered by a series of data breach and privacy controversies, including the Cambridge Analytica scandal and a September 2018 data breach in which hackers leveraged a trio of vulnerabilities to steal roughly 30 million user access tokens.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.