
Hackers appear to have compromised and published private messages from at least 81,000 Facebook users' accounts.
The perpetrators told the media that they had details from a total of 120 million accounts, which they were attempting to sell, although there are reasons to be sceptical about that figure.
Facebook said its security had not been compromised and that the data had probably been obtained through malicious browser extensions.
'Law enforcement'
Facebook added it had taken steps to prevent further accounts being affected.
Owojela’s Blog understands many of the users whose details have been compromised are based in Ukraine and Russia. However, some are from the UK, US, Brazil and elsewhere.
The hackers offered to sell access for 10 cents (8p) per account. However, their advert has since been taken offline.
"We have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores," said Facebook executive Guy Rosen.
"We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts."
Intimate correspondence
The breach first came to light in September, when a post from a user nicknamed FBSaler appeared on an English-language internet forum.
"We sell personal information of Facebook users. Our database includes 120 million accounts," the user wrote.
The cyber-security company Digital Shadows examined the claim on behalf of the BBC and confirmed that more than 81,000 of the profiles posted online as a sample contained private messages.
Data from a further 176,000 accounts was also made available, although some of the information - including email addresses and phone numbers - could have been scraped from members who had not hidden it.
The BBC Russian Service contacted five Russian Facebook users whose private messages had been uploaded and confirmed the posts were theirs.
One example included photographs of a recent holiday, another was a chat about a recent Depeche Mode concert, and a third included complaints about a son-in-law.
There was also an intimate correspondence between two lovers.
One of the websites where the data had been published appeared to have been set up in St Petersburg.
Its IP address has also been flagged by the Cybercrime Tracker service, which says the address had been used to spread the LokiBot Trojan, an information-stealing malware family that harvests saved passwords and other credentials from infected machines.
Who should be blamed?
Personal shopping assistants, bookmarking applications and even mini-puzzle games are all on offer as third-party extensions for browsers such as Chrome, Opera and Firefox.
The little icons sit alongside your URL address bar patiently waiting for you to click on them.
According to Facebook, it was one such extension that quietly monitored victims' activity on the platform and sent personal details and private conversations back to the hackers.
An extension that has been granted permission to run on facebook.com pages can read whatever the logged-in user sees, including their messages, and forward it elsewhere, without ever breaking into Facebook's own systems. That is why Facebook can say its security was not breached even though its users' data was stolen.
Facebook has not named the extensions it believes were involved but says the leak was not its fault.
Independent cyber-experts have told the BBC that if rogue extensions were indeed the cause, the browsers' developers might share some responsibility for failing to vet the programs, assuming they were distributed via their marketplaces.
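Facebook has not named the extensions, so nothing on this page describes their code. The following Node.js script is an added example, not code from the article or from any of the parties it mentions: it audits browser-extension manifests for the access a stealer of the kind described above would need, namely permission to run a content script on Facebook pages, plus sensitive browser APIs. The two sample manifests, the extension names and the probe URL are constructed for illustration.

```javascript
// Added example: audit extension manifests (MV2 and MV3) for access to Facebook pages.
// Everything below is constructed for illustration; it is not from the article.

const FACEBOOK_PROBE_URL = "https://www.facebook.com/messages/t/123"; // constructed probe URL

// Browser APIs that let an extension read or alter traffic, sessions and tabs.
const SENSITIVE_APIS = new Set([
  "tabs", "webRequest", "webRequestBlocking", "cookies", "history",
  "declarativeNetRequest", "debugger", "scripting",
]);

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Compile a WebExtension match pattern (e.g. "*://*.facebook.com/*") into a RegExp.
// Returns null for a malformed pattern, which grants nothing.
function matchPatternToRegExp(pattern) {
  if (pattern === "<all_urls>") return /^(https?|wss?|ftp|file):\/\//;
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) return null;
  const [, scheme, host, path] = m;
  const schemeRe = scheme === "*" ? "https?" : scheme; // "*" scheme means http or https only
  let hostRe;
  if (host === "*") hostRe = "[^/]+";
  else if (host.startsWith("*.")) hostRe = "([^/]+\\.)?" + escapeRe(host.slice(2)); // domain and subdomains
  else hostRe = escapeRe(host);
  const pathRe = escapeRe(path).replace(/\\\*/g, ".*"); // "*" in the path is a wildcard
  return new RegExp("^" + schemeRe + "://" + hostRe + pathRe + "$");
}

function patternCovers(pattern, url) {
  const re = matchPatternToRegExp(pattern);
  return re !== null && re.test(url);
}

// Split a permissions list into host patterns and API names.
function isHostPattern(p) {
  return p === "<all_urls>" || p.includes("://");
}

function auditManifest(manifest, probeUrl = FACEBOOK_PROBE_URL) {
  const permissions = manifest.permissions || [];
  // MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
  const hostPatterns = [...permissions.filter(isHostPattern), ...(manifest.host_permissions || [])];
  const hostHits = hostPatterns.filter((p) => patternCovers(p, probeUrl));

  // A content script matching Facebook can read the DOM the victim sees, messages included.
  const contentScriptHits = [];
  for (const cs of manifest.content_scripts || []) {
    for (const p of cs.matches || []) {
      if (patternCovers(p, probeUrl)) contentScriptHits.push({ pattern: p, js: cs.js || [] });
    }
  }

  const sensitiveApis = permissions.filter((p) => !isHostPattern(p) && SENSITIVE_APIS.has(p));
  const canReadFacebook = contentScriptHits.length > 0 || hostHits.length > 0;
  // Heuristic ranking: a content script on Facebook pages is enough to harvest messages.
  const risk = contentScriptHits.length ? "high" : hostHits.length ? "medium" : "low";

  return { name: manifest.name, risk, canReadFacebook, hostHits, contentScriptHits, sensitiveApis };
}

function auditAll(manifests) {
  return manifests.map((m) => auditManifest(m));
}

// Constructed sample manifests: one benign, one shaped like a data-stealing "assistant".
const SAMPLE_MANIFESTS = [
  {
    manifest_version: 3,
    name: "Bookmark Buddy (constructed benign sample)",
    permissions: ["storage", "bookmarks"],
    host_permissions: ["https://api.bookmark-buddy.example/*"],
  },
  {
    manifest_version: 2,
    name: "Super Shopping Assistant (constructed suspicious sample)",
    permissions: ["tabs", "webRequest", "cookies", "*://*.facebook.com/*", "https://collector.example/*"],
    content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"], run_at: "document_idle" }],
  },
];

for (const r of auditAll(SAMPLE_MANIFESTS)) {
  console.log(`${r.risk.toUpperCase().padEnd(6)} ${r.name} ` +
    `| content scripts on Facebook: ${r.contentScriptHits.length} ` +
    `| host grants: ${r.hostHits.join(", ") || "none"} ` +
    `| sensitive APIs: ${r.sensitiveApis.join(", ") || "none"}`);
}
```

The check reads the manifest only; an extension can still fetch further code at runtime or hide behind an `optional_permissions` prompt, so a low rating here rules nothing out. It does, however, catch the combination the article describes: a broad `<all_urls>` or facebook.com content script plus a host grant to an unrelated collector domain, which is a pattern a store reviewer or an enterprise extension policy can flag before installation.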
But the hack is still bad news for Facebook.
The embattled network has had a terrible year for data security and questions will be asked about whether it is proactive enough in responding to situations like this that affect large numbers of people.
The BBC Russian Service emailed the address listed alongside the hacked details, posing as a buyer interested in the details of two million accounts.
The advertiser was asked whether the breached accounts were the same as those involved in either the Cambridge Analytica scandal or the subsequent security breach revealed in September.
A reply in English came from someone calling themselves John Smith.
He said that the information had nothing to do with either data leak.
He claimed that his hacking group could offer data from 120 million users, of whom 2.7 million were Russians.
But Digital Shadows said this claim was doubtful because it was unlikely Facebook would have missed such a large breach.
John Smith did not explain why he had not advertised his services more widely.
And when asked whether the leaks were linked to the Russian state or to the Internet Research Agency - a St Petersburg-based online influence operation linked to the Kremlin - he replied: "No."