Facebook is reportedly suggesting that malicious browser extensions may be behind yet another data breach affecting users of the social media platform – this one involving at least 257,256 stolen profiles, including 81,208 that included private messages.
Journalists from the BBC, aided by researchers from Digital Shadows, began investigating the matter last September after seeing the accounts advertised on BlackHat SEO, an English-speaking internet forum. The seller, who went by the name "FBSaler," offered to sell details from as many as 120 million Facebook accounts, while posting the 257,000+ profiles as a sample. (The researchers have expressed doubt that the perpetrator truly possesses 120 million accounts, and the original post has since been removed.)
A 2 November Digital Shadows blog and BBC article confirmed that the posted dataset contains user names, addresses contact numbers, user interests and, in some cases, friends, groups and private messages. A large contingent of victims – 30 percent – are based in Ukraine, while nine percent reside in Russia. But users in the US, the UK and Brazil were also notably affected.
According to BBC and the researchers, Facebook is blaming the incident on malicious browser extensions, thus denying fault on its part. The company, however, reportedly did not name the specific extensions, and Digital Shadows said Facebook has "still not been definitive about this," and "the method used to obtain the accounts remains unconfirmed."
Guy Rosen, VP of product management at Facebook, shared the same theory with SC Media. "Based on our investigation so far, we believe this information was obtained through malicious browser extensions installed off of Facebook," said Rosen. "We have contacted browser makers to ensure that known malicious extensions are no longer available to download in their stores and to share information that could help identify additional extensions that may be related. We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts. We encourage people to check the browser extensions they’ve installed and remove any that they don’t fully trust. As we continue to investigate, we will take action to secure people’s accounts as appropriate."
"Regardless of attribution, motives and the method of collection, the exposure of private messages where people share information they would not usually post publicly on their Facebook feeds is a potentially worrying development," wrote Digital Shadows Senior Strategy and Research Analyst Rafael Amado. "Sensitive information may be used for extortion of identity fraud, while it’s not unheard of for individuals to share financial information such as banking details over private messages."
Digital Shadows also noted that one of the websites where the data was published was apparently set up in St. Petersburg and its IP addresses has been used before to spread LokiBot password-stealing malware.
Facebook is already beleaguered by a series of data breach and privacy controversies, including the Cambridge Analytica scandal and a September 2018 data breach in which hackers leveraged a trio of vulnerabilities to steal roughly 30 million user access tokens.
This article was first published on SC Media US.