
Hackers sold 120 million private Facebook messages, report says


Up to 120 million private Facebook messages were being sold online by hackers this fall, according to a report from the BBC. The breach was first discovered in September and the messages were obtained through unnamed rogue browser extensions which monitored users by mining their information while browsing through the social media website.

Facebook says its systems were not breached as part of the hack. Affected users were primarily based in Ukraine and Russia. Some users from the United States were also reportedly impacted after a hacker on an online forum attempted to sell the Facebook information at a rate of 10 cents per account.

“We have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores. …We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts,” Facebook executive Guy Rosen told the BBC.

Sample data from 81,000 Facebook profiles was also posted online by hackers in order to gain interest in possible sales. The group behind the hack originally told the BBC that data from 120 million Facebook accounts was up for purchase, but cybersecurity experts have been skeptical of that figure.

Still, the BBC spoke to impacted users who revealed their information was indeed stolen and also listed on the forum. Data from those accounts included photos from a vacation, a chat about a Depeche Mode concert, and even an “intimate correspondence between two lovers.”

This is not the first time that Facebook has faced a hack. In September, the social media platform announced that up to 50 million accounts were compromised due to a flaw in access tokens and the “View As” feature.

Because this latest hack involved browser extensions, it is always best to check where an extension comes from and which permissions it is granted. That is a small step to take, but Google has been taking larger steps to make extensions safer. In Chrome 70, consumers can restrict host access (website access) by clicking on an extension and selecting an option from the drop-down menu.
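
The permission check described above can be automated. The following Python is an added example, not part of the original article: it reads extension manifests and reports which ones declare host access covering a given site. The sample manifests are constructed and the function names are hypothetical; the manifest keys and match-pattern syntax are Chrome's.

```python
import json

# Constructed sample manifests (not taken from any real extension).
SAMPLE_MANIFESTS = {
    "coupon-helper": '{"manifest_version": 2, "name": "Coupon Helper",'
                     ' "permissions": ["tabs", "<all_urls>"]}',
    "fb-theme": '{"manifest_version": 3, "name": "FB Theme",'
                ' "host_permissions": ["https://*.facebook.com/*"],'
                ' "content_scripts": [{"matches": ["https://www.facebook.com/*"],'
                ' "js": ["theme.js"]}]}',
    "notes": '{"manifest_version": 3, "name": "Notes", "permissions": ["storage"],'
             ' "host_permissions": ["https://notes.example/*"]}',
}

def pattern_covers_host(pattern, host):
    """True if a Chrome match pattern grants access to web pages on `host`."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "http", "https"):
        return False  # an API permission such as "tabs", or a non-web scheme
    pat_host = rest.split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):  # wildcard covers the domain and its subdomains
        base = pat_host[2:]
        return host == base or host.endswith("." + base)
    return host == pat_host

def host_patterns(manifest):
    """Collect declared host patterns from both MV2 and MV3 manifest layouts."""
    found = []
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        found += [p for p in manifest.get(key, []) if isinstance(p, str)]
    for script in manifest.get("content_scripts", []):
        found += script.get("matches", [])
    return found

def audit(manifests, host):
    """Map extension id -> sorted patterns that let it read pages on `host`."""
    report = {}
    for ext_id, raw in manifests.items():
        hits = {p for p in host_patterns(json.loads(raw))
                if pattern_covers_host(p, host)}
        if hits:
            report[ext_id] = sorted(hits)
    return report

if __name__ == "__main__":
    for ext_id, hits in audit(SAMPLE_MANIFESTS, "www.facebook.com").items():
        print(f"{ext_id}: can access www.facebook.com via {hits}")
```

An extension flagged here is not necessarily malicious; the output is a list of extensions whose source and purpose deserve a closer look.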

Editors' Recommendations

Arif Bacchus
Arif Bacchus is a native New Yorker and a fan of all things technology. Arif works as a freelance writer at Digital Trends…
Facebook faces another huge data leak affecting 267 million users

More than 267 million Facebook users’ IDs, phone numbers, and names were exposed in an online database that could potentially be used for spam and phishing campaigns.

Security researcher Bob Diachenko uncovered the database, according to Comparitech. The database was first indexed on December 4, but as of today, December 19, it is unavailable. Comparitech reports that before the site was taken down, the database was found on a hacker forum as a downloadable file. 

Hackers stole 26 million credit cards, but vigilantes just rescued them

In an ironic twist of fate, BriansClub, a black market site that contains stolen credit cards, was hacked to rescue the data of more than 26 million credit and debit cards. 

KrebsOnSecurity reports that the data stolen in August from the site, which goes by the name BriansClub[.]at, was shared with financial institutions, which were able to identify, monitor, and reissue cards that were compromised.

Iranian hackers targeted 2020 U.S. presidential candidates, Microsoft says

A series of cyberattacks targeted at U.S. presidential candidates and their campaigns, journalists, and current and former government officials is said to be linked to and backed by the Iranian government, according to a recently published report from Microsoft's Threat Intelligence Center. According to Microsoft, the Phosphorus group is behind the attacks, and the hackers were observed to have made more than 2,700 attempts to identify Microsoft customer emails in a 30-day period between August and September. Among those attempts, hackers tried to gain access to 241 of those accounts.

In order to carry out the account hack, Phosphorus used personal information about their targets obtained through copious amounts of research. The information was used to game password reset and account recovery features, Microsoft said.
