Back On September 28, Facebook announced that as many as 90 million users may have had their “access tokens”, which keep people logged into their account, stolen by hackers. The number was subsequently reduced to 30 million accounts whose phone numbers and email addresses were accessed in the largest security breach in the company’s history.
Of the 30 million exposed, 14 million users had much more data harvested, including; “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches,” according to the company.
It now appears that their private messages were also compromised.
According to the BBC, hackers appear to have compromised and published private messages from at least 81,000 Facebook users’ accounts. The unknown perpetrators also told the BBC Russian Service that they had details from a total of 120 million accounts, which they were attempting to sell.
Meanwhile, Facebook said its security had not been compromised noting that the data had probably been obtained through malicious browser extensions.
Despite denying it had been breached, Facebook said it had taken steps to prevent further accounts being affected even though just over a month ago it admitted a massive hack had broken through its security tokens.
Meanwhile, the BBC said that while many of the users whose details were compromised are based in Ukraine and Russia, some are from the UK, US, Brazil and elsewhere.
“We have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores,” said Facebook executive Guy Rosen.
“We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts.”
The breach was first noted in September, when a post from a user nicknamed FBSaler appeared on an English-language internet forum: “We sell personal information of Facebook users. Our database includes 120 million accounts,” the hacker wrote.
The claim was examined by cyber-security company Digital Shadows which confirmed that more than 81,000 of the profiles posted online as a sample contained private messages. Data from a further 176,000 accounts was also made available, although some of the information – including email addresses and phone numbers – could have been scraped from members who had not hidden it.
The BBC Russian Service then contacted five Russian Facebook users whose private messages had been uploaded who confirmed the posts were theirs. One example included photographs of a recent holiday, another was a chat about a recent Depeche Mode concert, and a third included complaints about a son-in-law.
BBC notes that one of the websites where the data had been published appeared to have been set up in St Petersburg. Its IP address according to Cybercrime Tracker appears to have also been used to spread the LokiBot Trojan: it allows attackers to gain access to user passwords.
According to Facebook, the culprit behind the breach was from an extension that had been linked to a user’s platform and quietly monitored victims’ activity and sent personal details and private conversations back to the hackers.
While Facebook has not named the extensions it believes were involved but says the leak was not its fault. Cyber-experts told the BBC that if rogue extensions were indeed the cause, the browsers’ developers might share some responsibility for failing to vet the programs, assuming they were distributed via their marketplaces. But the hack is still bad news for Facebook, which has had a terrible year for data security and questions will be asked about whether it is proactive enough in responding to situations like this that affect large numbers of people.
Separately, BBC emailed the address listed alongside the hacked details, posing as a buyer interested in buying two million accounts’ details. The advertiser was asked whether the breached accounts were the same as those involved in either the Cambridge Analytica scandal or the subsequent security breach revealed in September.
A reply in English came from someone called John Smith. He said while the information had nothing to do with either data leak, his hacking group could offer data from 120 million users, of whom 2.7 million were Russians. However, Digital Shadows has told the BBC that this claim was doubtful because it was unlikely Facebook would have missed such a large breach.
“John Smith” did not explain why he had not advertised his services more widely. When asked whether the leaks were linked to the Russian state or to the Internet Research Agency – a group of hackers linked to the Kremlin – he replied: “No.”
Of course, if indeed 120 million user accounts were breached, and their information soon floods the world, it will be up to Zuckerberg to explain why he has so far failed to address this critical issue.