Facebook Blames Malicious Extensions in Breach of 81K Private Messages

Investigators posed as buyers and were offered the messages at 10 cents per Facebook account.

Hackers have published what they claim are private messages from at least 81,000 Facebook accounts – and they say the trove contains a fraction of the details they have from a larger cadre of 120 million accounts.

In an English-language Dark Web advertisement (now taken down), the perpetrators offered the messages for 10 cents per account.

The BBC Russian Service investigated the supposed heist along with cybersecurity firm Digital Shadows. The team found that within the 81,000 Facebook users in the sample posting, those in the Ukraine and Russia are the main targets (although some others were also impacted, including in the U.K., U.S. and Brazil).

The BBC found evidence that the leaked portion of the archive is real. They contacted five Russian Facebook users included in the sample to ask them if the messages that were posted in the sample (covering things like vacation photos, a chat about a Depeche Mode concert and inter-family squabbling) were indeed their own; all five confirmed that they were.

The investigators also posed as a potential buyer and contacted the seller, who responded using the alias “John Smith”. Upon questioning, Smith said that the data wasn’t related to the Cambridge Analytica scandal nor the data breach revealed in September enabled via its “View As” feature.

Digital Shadows also traced the advertisement to an IP address in Saint Petersburg that the firm said has been used to spread the LokiBot password-stealing trojan in the past. However, Smith told the investigators that the data theft was not affiliated with Russian state actors.

Facebook for its part said that no hack or data breach has happened and that the messages were probably purloined via malicious browser extensions (it didn’t specify which ones). However, it did announce that it’s scrutinizing account security in the wake of the news, and, “we have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores,” according to Facebook executive Guy Rosen, speaking to the BBC.

He added, “We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts.”

Extensions are small programs that change the browser interface, add widgets, implement ad-blocking, provide background wallpaper and so on. The practice of cybercriminals abusing them goes back for years.

“The problem with these extensions is that they can — and most of them do, as part of their regular operation — see all the content that browser is showing you (and change it too, for that matter),” according to a Kaspersky Lab analysis. “This ability makes them highly adept at tracking the user’s online movements and collecting various data. The case at hand is about data harvested from Facebook pages. But in principle, any information can be stolen this way. Banking data, for example, is also far from immune.”

Even if the incident does not arise from any oversight by Facebook, the social-media giant is still feeling the fallout. On Twitter, users were quick to call this a par-for-the-course occurrence. Users made comments like, “WTF is up with Facebook?” and posted a variety of memes.

The #DeleteFacebook movement got a boost from the news, too. Lobo de Playa for instance tweeted under the hashtag, “You tell Facebook where you live, where you’re from, where you work, how much $ you make, where you shop, where you vacation, how many kids you have, their ages, birthdays & schools, and everywhere you go every hour of every day. What could possibly go wrong?”


Suggested articles