A field trip to the Facebook black market in which we buy 1.5 million accounts and email addresses for $5

The seedy underbelly of Facebook has surfaced yet again thanks to Bogomil Shopov, an online IT marketing and community management professional from Bulgaria, who recently was able to purchase one million names, email addresses, and Facebook profile IDs.

While browsing the Web for free marketing tools and guides for his business, or “zero budget marketing,” as he told me, Shopov was led to Gigbucks. Gigbucks is an “e-commerce” platform similar to Fiverr, where buyers can purchase services or products for as little as $5 or as much as $50. But what he stumbled on was an offer for one million Facebook accounts and their email addresses that were mined from a Facebook app. Out of curiosity, Shopov purchased the Excel list for $5 and shortly thereafter received the list as promised. He recognized that the header was Turkish, indicating that the developers responsible for procuring the user information were from Turkey, but the accounts were primarily of users located in the United States, Canada, and the UK.

After publishing his blog post detailing the transaction, Facebook reached out to Shopov via phone to find out how exactly he’d gotten his hands on all this data. And when we checked out the URL again today, we noticed that the offer had been taken down from Gigbucks. Shopov told us that Gigbucks’s administrators notified him last night that the offer was removed, likely at the request (read: demand) of Facebook.

As Facebook has introduced more seamless interactions into Facebook Connect and its Open Graph apps, it’s become more difficult to know what you’re giving up and what you’re giving access to; it’s all much less noticeable than it used to be. Users may not realize that it’s rather simple for developers to mine your information; too many of us assume that third-party Facebook app developers won’t use your information like this. “The data that we voluntarily provide to social networks, even as we police our privacy settings, is becoming increasingly vulnerable,” says Robert Leshner, founder of Safeshephard. “It’s not Facebook or even LinkedIn that we have to worry about,” Leshner adds. “It’s the weakest link in the privacy chain, and right now that’s third-party apps. The walled garden of Facebook isn’t very well walled off – it’s crumbling.”

Third-party developers do this by creating apps (that may or may not offer value) for the sole purpose of collecting user data, a practice we’ve talked about before. When you first use a Facebook app, a page pops up that describes the information you’re permitting the developer to access. Your email address, name, user ID, gender, and other basic information are fair game, and if that information gets into the wrong hands, it can then be aggregated into a tidy list and sold off.

There’s a rather large incentive among blackhat marketers to pay for this valuable list of real email addresses and Facebook accounts (Facebook, after all, has made a name for itself as the proprietor of real identities). These addresses can be used to boost the number of followers on Facebook pages (through invitations), or Facebook users can be placed on email lists. The lists can also be used to target these specific users based on email addresses, phone numbers, and user ID. Note that you can find the Facebook account associated with an email address simply by typing the email into Facebook’s search bar, similar to how a researcher previously discovered the Facebook profiles associated with phone numbers.

A simple Web query reveals an expansive and thriving underground market for Facebook IDs linked to email addresses. It’s reminiscent of the market for hacked Twitter accounts that we reported on earlier this month. In fact, we were able to purchase a couple of these lists for as little as $5 each. Like Shopov, we were sent a .rar file with several .txt files listing over 1.5 million email addresses, names, and Facebook profile IDs. And yes, it really was that easy.

One of the sellers revealed to us just how prevalent and common the practice of buying and selling this data is: He purchased a list of 32 million email addresses and Facebook accounts from his friends and repackaged the list into sets of between one and two million email addresses to resell. There also appears to be some reusing and recycling going on, as we realized we’d purchased duplicate lists from two different sellers.

With our increasing reliance on using Facebook or other social networks to access third-party applications, our data can be easily misused and profited from by third parties. Before you allow an app access to your information next time around, you might want to be more mindful.

We reached out to Facebook and will update you with their response.

Francis Bea
Former Digital Trends Contributor
Francis got his first taste of the tech industry in a failed attempt at a startup during his time as a student at the…