On top of the other scandals surrounding Facebook at the moment, a new investigation has discovered that identity thieves regularly make use of the social network to spread and sell people’s personal information. The investigation turned up sales posts for credit card and social security numbers, alongside other personal information, some of which dates back years and is still live on the site.
Although the sale of personal information is most often associated with sites on the dark web, Facebook appears to be a popular avenue of sale, too. The activity isn’t even well hidden. Motherboard’s investigation turned up a plethora of public posts that offered a variety of personally identifiable information. Such data could be used to make fraudulent bank transfers, clear out PayPal accounts, take out loans in a person’s name, or steal their identity entirely.
Posters also listed contact details for potential buyers, alongside prices for the various pieces of personal information they had for sale.
As Motherboard highlighted, though, what is most worrisome about these posts is that they have existed on Facebook for years without being taken down. In some cases, posts from 2014 were discovered and were only pulled by Facebook after being actively reported by the investigation.
Security professionals have expressed surprise and concern that Facebook doesn’t have automated systems in place to block, or at least highlight, such posts. They assert it should be easy for Facebook to do so, even with the sheer size of the organization and its now multiple billions of users.
Facebook later released a statement on the matter:
“We work hard to keep your account secure and safeguard your personal information. Posts containing information like Social Security numbers or credit card information are not allowed on Facebook, and we remove this material when we become aware of it. We are constantly working to improve these efforts, and we encourage our community to report anything they see that they don’t think should be in Facebook, so we can take swift action.”
This report follows a recent one by KrebsOnSecurity, which highlighted how groups dedicated to sharing hacked information had hundreds of thousands of members, each leveraging Facebook to gain access to stolen information or new malware.