Over 1.5 billion Facebook users' personal data found for sale on hacker forum

Unrelated to other recent problems Facebook has had, this particular batch of data was scraped from profiles, meaning it's publicly available knowledge. That doesn't stop it from being dangerous.

shutterstock-1152141662.jpg

Image: Shutterstock/Ink Drop

It's been a bad few days for Facebook. An outage affected all of its sites (and Oculus products), testimony from a whistleblower this week could put the company back in the legal hotseat, and now it's come out that private and personal data from more than 1.5 billion Facebook users was found for sale on a hacker forum.

Reported by privacy research company Privacy Affairs, the data found for sale doesn't indicate that the seller actually broke into Facebook's systems, nor that its data tied to any other data breach. Instead, Privacy Affairs said that the data was allegedly obtained by scraping publicly available data shared by Facebook users. 

SEE: Security incident response policy (TechRepublic Premium)

The fact that the data stolen and for sale is publicly available shouldn't ease anyone's fears: That data can still be used to compromise users' security and privacy. In particular, the stolen data contains names, email addresses, locations, gender, phone numbers and Facebook User ID information. Each bit of that data could clue an attacker into password challenge answers, allow them to intercept one-time login codes, phish, send scam text messages and more. 

There have been some questions as to the legitimacy of both the seller and the data, with one prospective buyer saying they paid the user but never received any data. The seller denied the accusations, but as of October 6 the post has been taken down, with a Facebook spokesperson saying the company sent a takedown request. 

While the potential for this particular set of data to be exploited may have lessened thanks to its removal from this particular forum, it's unknown if it could end up posted elsewhere or how many buyers may have already purchased some of it. There are a total of nearly three billion people on Facebook, which means that data pertaining to up to half of them could be in the hands of bad actors. 

Privacy Affairs said the data they examined from samples provided on the forums appears to be legitimate. The seller claims their group has been in operation for at least the past four years and has served more than 18,000 clients in that time. Cross-checking the data against known Facebook leaks didn't bring up any matches, which Privacy Affairs said could indicate that this is all new, but legitimate, data. 

The data exposed in this leak, if authentic, "may constitute one of the biggest and most significant Facebook data dumps to date," Privacy Affairs founder and CEO Miklos Zoltan said. 

Scraping: A dangerously simple way to compromise privacy

Every bit of publicly available data can be "scraped" by a bot and stored in a database, spreadsheet or other kind of file. That's not the only tool attackers use, though: They also use Facebook quizzes like "Which character from X show are you?" in order to harvest data. 

"Every time someone enters one of these surveys or quizzes, they permit the creators of these games to view their personal Facebook information such as full name, email, phone number, location, gender and more," said Zoltan. 

Because scraping only requires data to be available, Facebook users should ensure they never set their profiles to public. It's also a good idea to go through a Facebook privacy checkup to be sure there's no errant bits of data sneaking out from places you thought were secure. 

SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)

In addition, never take Facebook quizzes or grant Facebook apps permission to access your personal information. Only use surveys, games and quizzes from known trustworthy sources. 

If your data was already scraped it may be too late, but you can lock your account down now to prevent future information from being stolen. 

Also see