The seedy underbelly of Facebook has surfaced yet again thanks to Bogomil Shopov, an online IT marketing and community management professional from Bulgaria, who recently was able to purchase one million names, email addresses, and Facebook profile IDs.
While browsing the Web for free marketing tools and guides for his business, or “zero budget marketing,” as he told me, Shopov was led to Gigbucks. Gigbucks is an “e-commerce” platform similar to Fiverr, where buyers can purchase services or products for as little has $5 or as much as $50. But what he stumbled on was an offer for one million Facebook accounts and their email addresses that were mined from a Facebook app. Out of curiosity, Shopov purchased the Excel list for $5 and shortly thereafter received the list as promised. He recognized that the header was Turkish, indicating that the developers responsible for procuring the user information were from Turkey, but the accounts were primarily of users located in the United States, Canada, and the UK.
After publishing his blog post detailing the transaction, Facebook reached out to Shopov via phone to find out how exactly he’d gotten his hands on all this data. And when we checked out the URL again today, we noticed that the offer had been taken down from Gigbucks. Shopov told us that Gigbucks’s administrators notified him last night that the offer was removed, likely at the request (read: demand) of Facebook.
As Facebook has introduced more seamless interactions into Facebook Connect and its Open Graph apps, it’s become more difficult to know what you’re giving up and what you’re giving access to; it’s all much less noticeable than it used to be. Users may not realize that it’s rather simple for developers to mine your information; too many of us assume that third-party Facebook app developers won’t use your information like this. “The data that we voluntarily provide to social networks, even as we police our privacy settings, is becoming increasingly vulnerable,” says Robert Leshner, founder of Safeshephard. “It’s not Facebook or even LinkedIn that we have to worry about,” Leshner adds. “It’s the weakest link in the privacy chain, and right now that’s third-party apps. The walled garden of Facebook isn’t very well walled off – it’s crumbling.”
How third-party developers do this is by creating apps (that may or may not offer value) for the sole purpose of collecting user data, a practice we’ve talked about before. When you first use a Facebook app, a page pops up that describes the information you’re permitting the developer to access. Your email address, name, user ID, gender, and other basic information is fair game — and if it gets into the wrong hands, can then be aggregated into a tidy list and sold off.
There’s a rather large incentive among blackhat marketers to pay for this valuable list of real email addresses and Facebook accounts (Facebook, after all, has made a name for itself as the proprietor of real identities). These addresses can be used to boost the number of followers on Facebook pages (through invitations), or Facebook users can be placed on email lists. It can also be used to target these specific users based on email addresses, phone numbers, and user ID. Note that you can find the Facebook account associated with an email address simply by typing the email into Facebook’s search bar, similarly to how a researcher previously discovered the Facebook profiles associated with the phone numbers.
A simple Web query reveals an expansive and thriving underground market for Facebook IDs linked to email addresses. It’s reminiscent of the market for hacked Twitter accounts that we reported on earlier this month. In fact, we were able to purchase a couple of these lists for a little as $5 each. Like Shopov, we were sent a .rar file with several .txt files listing over 1.5 million email addresses, names, and Facebook profile IDs. And yes, it really was that easy.
What one of the sellers revealed to us just how prevalent and common the practice of buying and selling this data is: He purchased a list of 32 million email addresses and Facebook accounts from his friends and repackaged the list into sets of between one and two million email addresses to resell. There also appears to be some reusing and recycling going on, as we realized we’d purchased duplicate lists from two different sellers.
With our increasing reliance on using Facebook or other social networks to access third-party applications, our data can be easily misused and profited from by third-parties. Before you allow an app access to your information next time around, you might want to be more mindful.
We reached out to Facebook and will update you with their response.