Hackers broker access to '120m Facebook profiles' as 81,000 users' messages published

Facebook icon displayed on a smartphone before a screen with the full logo

Hackers have published at least 81,000 Facebook users' private messages, and are offering to broker access to profiles for as little as 8p per account.

The perpetrators behind a fresh attack targeting the social media giant have reportedly stolen details from 120 million accounts, with affected most heavily affected users based in Central and Eastern Europe, and few in the US.

The malicious attackers behind the breach told the BBC Russian Service they sell personal information of Facebook users, and were seen to advertise access for 10 cents, roughly 8p, per account. This advert has since been taken offline.

On top of 81,000 profiles with private messages published online, a further 176,000 accounts displaying personal information were also released. Many of these profiles, however, included information users may set public themselves such as email addresses and phone numbers.

BBC News asked cyber security firm Digital Shadows to verify the claims made by the malicious actors and confirmed more than 81,000 of profiles uploaded online, as a sample for the 120 million-strong database, contained private messages.

Five Russian Facebook users whose private messages were published online were then approached to verify their identity.

The IP address for one of the websites on which data was being sold has been flagged by the Cybercrime Tracker service as having been used to spread the LokiBot Trojan, used to gain access to users' passwords.

But Facebook told IT Pro the data most likely stolen as a result of a browser extension, which they have declined to identify.

"Based on our investigation so far, we believe this information was obtained through malicious browser extensions installed off of Facebook," Facebook's vice president of product management Goy Rosen said.

"We have contacted browser makers to ensure that known malicious extensions are no longer available to download in their stores and to share information that could help identify additional extensions that may be related."

Facebook said it began its investigation last month after becoming aware that a website was displaying information pertaining to a set of user profiles, with a spokesperson saying they have tried to get the site taken down.

Based on the information it has gathered, the social media firm does not believe any accounts have been directly compromised.

Industry experts, meanwhile, have cast doubt on the '120 million' figure, saying it is unlikely Facebook would have missed such a large breach.

"It is very unlikely that the cybercriminals have all the private message for 120 million accounts and if they do, then Facebook will be facing one of the biggest data breaches to date," said Thycotic's chief security scientist Joseph Carson.

"It is however, more likely that the published list of 81,000 accounts is all that the cybercriminals have, and they are looking to cause disruption and fear."

This chimes with the thoughts of High-Tech Bridge's CEO Ilia Kolochenko, who said at first glance the attackers' claims appear dubious.

"81,000 accounts is a very small amount for Facebook, and I would not be surprised if these accounts come from a large-scale password reuse attack," he said.

"Modern Dark Web is overcrowded with fake offers of stolen data, and this could be just another case of that."

Facebook added that its investigation doesn't suggest 120 million accounts were obtained.

The latest attack, which was not detected at the time it occurred, is not thought to be related to a massive data breach the social network suffered in September.

Access tokens for up to 30 million Facebook users from around the world were compromised after attackers exploited a combination of flaws with the platform's user interface. Three million of those affected are EU-based.

With Facebook already under investigation by the Irish Data Protection Commission for potential violations of the EU's General Data Protection Regulation (GDPR), this latest incident could not have struck at a worse time.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.