Skip to content
Naked Security Naked Security

Private Facebook data from 81,000 accounts discovered on crime forum

Stolen data from the 81,000 accounts that appeared to be genuine included intimate exchanges between Facebook users.

Malicious browser extensions have been blamed for the theft of private messages and data from 81,000 Facebook users recently discovered for sale on a cybercrime forum.
According to the BBC Russian Service investigation, samples of the data were discovered in September being hawked for 10 cents per account on an English-language forum with Russian connections.
Most of the breached accounts were from Russia and Ukraine, but Facebook users in the UK, Brazil and other countries are also among the victims, the BBC said after verifying the find with UK cybersecurity company Digital Shadows.
Criminals offered another 176,000 accounts although it’s possible that some of the email address and phone number data in this cache could simply have been scraped from public profiles.
Stolen data from the 81,000 accounts that appeared to be genuine included intimate exchanges between Facebook users. One example, according to the BBC,

included photographs of a recent holiday, another was a chat about a recent Depeche Mode concert, and a third included complaints about a son-in-law.

When the BBC posed as a buyer, the seller claimed he could supply access to a further 120 million accounts, which Digital Shadows believes is probably untrue because it implies a huge data breach Facebook would have noticed.
This is a big problem for investigators: working out what’s been stolen or breached can be difficult when cybercriminals make exaggerated or false claims about what they have in their possession.

Are rogue browser plug-ins to blame?

Where did the data stolen from the 81,000 accounts come from?
The BBC story suggests the most likely culprits are rogue desktop browser plug-ins or extensions, but doesn’t offer any conclusive evidence.
Given the cache’s relatively small size and concentration on Russian accounts, this seems plausible.
Malicious desktop extensions, used by criminals not only to steal data but push adware pop-ups and bogus tech support scams, are a problem stretching back years.


Chrome’s popularity makes it the choice target, but Firefox and other browsers are also in the firing line.
Facebook told the BBC it knew of a rogue extension designed to steal data from its users, although it refused to name names.
In other cases, extensions can be a gray area, for example the case of a Chrome marketing extension discovered earlier this year by Facebook to be exploiting a loophole to discover the names of people in ‘closed’ groups.
Browser makers – stand up Google – are trying to get on top of this issue but reports of newly-discovered rogue extensions keep cropping up.
It’d be easy to say “don’t install suspect or unknown extensions”, but life isn’t that simple.
An extension can be innocuous when you first download it but turn bad at a later date. Because extensions update automatically, this change can be incredibly difficult to spot.
The soundest advice is to download as few as possible, pick on known publishers, and disable them when not in use. Always download by visiting the browser maker’s repository and not by following web links.

13 Comments

Consider using open source browser Brave. Works well, only drawback (if you want to call it that), it doesn’t support FLASH. It gives the user the option of blocking ALL ads. There are no follows, privacy is total.

Again, why are so many people still supporting Facebook by using their service? This is a tech company that fails time and again to secure the only information they have, which is your information. Their failings are mostly due to design this is how they make money, this is what happens when you have a human element involved… people taking advantage of other’s… time to leave this situation. Grow up and move on.
Facebook is a shameful company, what is even more shameful is the number of sheep that will read this article and the countless ones as of lately disclosing breached data and after consuming these articles you all go back to using Facebook, such a weak society, skynet please fix these people.

Floppyedonkey, you are clearly not a fan of Facebook, but you offered no viable alternative. Do you have some to offer up?

How to stay in contact with Friends and/or Family, especially when many of the members are not tech-savvy (and not just phone or email)? Honestly, there isn’t an available option out there, except may start your own Facebook? That’s not very central; who has time to support that?

Bojangles,
Your point about tech-savvy users is fair. However, those users intimidated by (or flummoxed by) email are precisely the same users who’ll be taken to the cleaners by the first Facebook scam to come across their page.

@Anonymous, @Nev, @Mr. Bojangles: I propose email.
Email is less convenient …but nearly as quick while paying attention and expecting a reply.
Lacking Facebook’s polished sheen, attaching a photo or three is nonetheless trivial. More “work” than Facebook’s sitting on the couch and operating for an hour with a single thumb; email’s archive must be manually searched. Email won’t interrupt the user, “hey, remember this day last year!” One must proactively seek one’s own reminiscent byways.
Email’s “flaw” is that it’s not as spoon-feedy, not as pretty. And the masses have a hard time not being spoonfed, dislike going without their pretty.
This is decidedly a first-world problem.
Is it so much to expect a user to do 1% of their entertainment work? Would someone with 541 Facebook friends truly care about retaining them all if they had to manually type an email? So then what’s the point of hoarding those remaining 441?
If a press of the “like” button is all someone is worth to me…I won’t likely miss them if it’s been a while. Conversely if someone is important, my connection to them won’t perish contingent upon those sixteen bales of Farmville straw.
And all of this still ignores tried-and-true alternatives to a contrived dilemma: writing paper letters may seem archaic in 2018–but it still works. Moreover, nearly everyone has a telephone (Facebook users have phone, computer, or both), most of which can Facetime or Skype. SMS is always a fallback, for when the obtrusive phone call is overkill.
To assert that Facebook is required, to present it as a necessity… is patently false.

I never said Facebook was a necessity, I am just saying for me personally I would rather take the risk of using it than lose out on what good it does provide.
I can only think of two reasons I keep Facebook around, and e-mail does a poor job of replacing them.
1. I worry about losing contact information for certain friends. Facebook let’s you keep in touch with geographically distant friends that you don’t talk to often. People’s phone numbers change and they forget to tell you, e-mails get hacked (and start sending you spam). If their Facebook gets hacked, at worst they make a new one and you can look them up again. I have about 30 Facebook friends, I do not hoard friends, but there are old friends that got married and moved and we don’t talk very often but like to keep in touch.
2. Photo/Experience sharing. A friend has a housewarming party, halloween party, house renovation, etc. and uploads 20 pictures of it. I’d like to keep seeing these. I think it would be a bit selfish to say “Hey, I’m leaving Facebook so start uploading that to a photo gallery for me and e-mail them”. Could they start just sending those photos to everyone via e-mail instead of Facebook? Yes, but everyone would have to get on board. Not likely to happen. Also, on Facebook you could just unfollow the person, but via e-mail you have to say “Hey, I don’t need a picture of your kids every single day, and FFS stop sending me memes!”.
Someone write an app for these two problems and get everyone on board and I’m all set. Ha!

You make solid points. I particularly like this:
People’s phone numbers change and they forget to tell you

1. Old people like to stay in touch – and not depend on forums/blogs that are hard to find and will die when the one person that manages it does. Grow up and move on yourself – what you put on FB or MySpace (still alive) is up to you. Make a profile that says you are a gun hating abortion loving democrat when you are a republican, or a gun loving abortion hating republican if you are a dem, fool the government and advertisers if it tickles your fancy. Don’t make a profile if you don’t want to, its as easy as not typing. Big companies will always harvest the human crop, just keep your head down as the blade swings and you’re all set. But to be really real – of all the places that breach your data FB is just about the only one of them that you don’t have to give your: Real name, address, SS#, CC#, or anything like that – so as far as being secure – I could care less, I never expected security from a public facing data company- so they leak my FB name, and some photos from holloween, pffft, Equifax and BCBS leaked data I do care about, FB is nothing to me data wise. The ONLY thing I am careful about is; not posting when I will be away from the house. Vacation comments, photos and such go up after I am back.

LOL you all want an alternative, the alternative is don’t be a keyboard warrior and get out and do stuff, talk to the people that are around you. Why are you all so concerned about people that are not present. lol get strong, weaklings

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?