Over 1.5 billion Facebook users’ private and personal information is allegedly being sold on a popular hacking-related forum, potentially allowing cybercriminals and unscrupulous advertisers to target Internet users worldwide. If true, this could be one of the largest and most important Facebook data dumps to date.
In late September 2021, a user of a well-known hacker forum announced that he possessed the personal information of over 1.5 billion Facebook users. The data is currently available for purchase on the respective forum platform, and potential buyers can purchase all of the data at once or in smaller quantities.
One prospective buyer claims to have received a $5,000 quote for the data of 1 million Facebook user accounts.
The data provided contains Facebook users’ personal information such as name, email, location, gender, phone number, and user ID.
Samples presented on the forum show that the data appears to be genuine. Cross-referencing them with known Facebook database leaks yielded no matches, implying that the sample data provided is distinct and not a duplicate or re-sale of a previously known data breach or scraping.
The seller claims to represent a group of web scrapers who have been in business for at least four years and have had over 18,000 clients during that time.
Data Obtained Through Scraping
The traders claim to have obtained the data through scraping instead of hacking or compromising individual users’ accounts. Scraping is a web data extraction or harvesting process that involves accessing and organizing publicly available data into lists and databases.
While technically no accounts have been compromised, this is little consolation for those whose information may now end up in the hands of unscrupulous internet marketers and, more than likely, cybercriminals. Unethical marketers may use this information to target specific individuals or groups of people with unsolicited advertising.
The inclusion of phone numbers, physical addresses, and users’ full names in the data is especially concerning. Furthermore, even though most countries made these practices illegal many years ago, SMS and push notification spam are becoming increasingly common.
Data can be used to jeopardize the security of users.
Hackers, for example, can use scraped data to launch sophisticated phishing or social engineering attacks. Having identified individual users’ phone numbers, cybercriminals can send fake SMS messages to affected users, posing as various entities such as Facebook itself or even banks. Users will then be prompted to click on a link to claim a prize, update their security settings, change their passwords, or perform another action.
When they click on the link, they will be redirected to a cloned version of the website that the perpetrators claim to represent. The cybercriminals will then hijack the affected account if the user enters their actual current password. This is how Facebook accounts and even online banking logins are sold for as little as $10 on the dark web.
How is Facebook Data Scraped?
Scraping is the process of collecting publicly available and accessible data online using computer programs. The vast majority of this information is obtained by simply scraping Facebook profiles that have been set to Public by their owners. Unfortunately, the vast majority of personal information on Facebook is freely shared and made available to the general public. Fake Facebook surveys or quizzes are another popular but illegal method of data scraping.
Every Facebook user has seen posts like “Find out your Game of Thrones look-alike with this survey” or “Take this quiz to find out when you will get married,” among other things. Typically, these are schemes to obtain personal information from users.
When someone participates in one of these surveys or quizzes, they give the creators of these games permission to view their personal Facebook information such as full name, email, phone number, location, gender, and more.
Users of Facebook are advised to improve their security.
It is generally not advised for Facebook users to make their accounts fully public. Similarly, one should never participate in random Facebook quizzes, surveys, or games unless they are offered by a known and verified publisher. Unfortunately, these are almost always schemes for data mining and scraping.