Facebook, Messenger, Instagram, and WhatsApp are all down, but CEO Mark Zuckerberg has another headache: The personal data of 1.5 billion customers, scraped from his platform, is reportedly being offered for sale on the dark web.
User IDs, real names, email addresses, phone numbers, and locations are among the data of more than 1.5 billion Facebook customers that’s up for sale, according to a report on the cybersecurity news outlet Privacy Affairs on Monday. The going price has been quoted as $5,000 for a million names.
🚩🚩 Personal Information of Over 1.5 Billion Facebook Users Sold on Hacker Forum— Privacy Affairs (@Privacy_Affairs) October 4, 2021
- Phone number
Appears to be obtained from web scraping.https://t.co/F3qXa7yvge#cybersecurity #cybersec #Facebook #DarkWeb #privacy #hack
The data “appears to be authentic” and was obtained through “scraping” – getting the information that users set to ‘public’ or allow quizzes or other questionable apps or pages to access.
It’s the “biggest and most significant Facebook data dump to date,” according to the publication – about three times greater than the April leak of 533 million phone numbers. Facebook said at the time this was “old data” and the security vulnerability responsible had been patched back in 2019.
Privacy Affairs reported that one purported buyer was quoted the price of $5,000 for a million entries. Another user claimed they had paid the seller but had received nothing, and the seller had not yet responded. The samples of data provided to the unnamed “popular hacking-related forum” appeared to be real, the outlet said.
Facebook, Messenger, WhatsApp, and Instagram, all owned by Zuckerberg’s social media behemoth, were struck by a serious global outage that began on Monday. However, the data dump doesn’t appear to be related to the outage itself.
The scraping obviously took place some time prior, with the first mention of it on the dark web being in early September.
As scraping Facebook data becomes harder some long-time actors are willing to sell their huge bulks on the darknet. The latest announcement contains 1.5 Billion entries and exceeds very much what we have seen so far. #facebook #api #leak #breach #darknet pic.twitter.com/ZhCQ7menhf— Marc Ruef (@mruef) September 7, 2021
While the accounts affected have not been compromised in the strictest sense of the word, cybersecurity experts point out that the users affected will be at increased risk of getting unsolicited texts, ads, and emails from criminals who obtained the purloined data, according to Privacy Affairs.
After this news was initially published, a forum user and prospective buyer claimed they paid the seller but haven’t received anything in return. The seller hasn’t yet responded to these accusations.
All we know at this moment is that the multiple samples provided to forum users appeared to be real.
Samples presented on the forum show that the data indeed seems to be authentic.
Cross-checking them with known Facebook database leaks resulted in no matches, implying that at first glance, the sample data provided is unique and not a duplicate or re-sell of a previously known data breach or scraping.
The seller claims to represent a group of web scrapers in operation for at least four years, alleging that they’ve had over 18,000 clients during this time.
Data Obtained by Scraping
The traders claim to have obtained the data by scraping rather than hacking or compromising individual users’ accounts. Scraping is a process of web data extraction or harvesting where publicly available data is accessed and organized into lists and databases.
While technically, no accounts have been compromised, this is little solace to those whose data may now end up in the hands of unscrupulous internet marketers and likely also in the hands of cybercriminals.
Unethical marketers may utilize this data to bombard specific individuals or groups of individuals with unsolicited advertising.
The fact that phone numbers, real-life location, and users’ full names are included in the data is especially concerning. In addition, SMS and Push notification spam are becoming increasingly more prevalent even though most countries made these practices illegal many years ago.
Data Can be Used to Jeopardize Users’ Security
For example, hackers can use the scraped data to conduct sophisticated phishing attacks or social engineering attacks.
Identifying individual users’ phone numbers makes it possible for cybercriminals to send fake SMS messages to affected users pretending to be various entities such as Facebook itself or even banks.
Users will then be invited to click on a link to either claim a prize, update their security settings, change their passwords, or do something similar.
After accessing the link, they will be redirected to a cloned version of the website the perpetrators pretend to represent. Then, if the user enters their actual current password, the cybercriminals will be able to hijack the affected account.
This is how Facebook accounts and even online banking logins are sold on the dark web for as cheap as just $10.
Facebook Users are Advised to Enhance their Security
It’s generally not recommended for Facebook users to set their accounts to be fully public.
Similarly, one should never enter random quizzes, surveys, or games on Facebook unless offered by a known and verified publisher. Almost always, these are, sadly, schemes used for data mining and scrapping, according to a report by Miklos Zoltan, Founder & CEO Privacy Affairs
- Millions of Vietnamese Facebook accounts stolen
- Personal data of 10,000 Vietnamese leaked and offered for sale online
- Public Security Ministry probing sale of ID card data
- Flight attendant prosecuted for causing Covid-19 community spread
- Sharing personal data no big deal to Vietnamese: survey
- Facebook’s WhatsApp to roll out in-app payments feature in India
- Facebook is prepping an antitrust lawsuit against Apple
- Zalo is thought to be gathering data from iPhone clipboards
- Married Vietnamese couple investigated for trading large amount of personal data
- Users urged to be careful when using Facebook ‘gender swap’