A new report might make you think twice before installing that next Chrome extension. The private Facebook messages of at least 81,000 people have reportedly been stolen, probably due to an exploit in a browser extension, and compromised accounts are now apparently up for sale for just $0.10 apiece.
The BBC reports that a shady group had reached out to them attempting to sell Facebook data on what the hackers claim, dubiously, is 120 million accounts. This hack apparently has nothing to do with the most recent hack of Facebook data that was widely publicized in September. The hackers, who may be Russian since they reached out to the BBC Russian Service, appear to have the Facebook messages of at least 81,000 people, mostly of Russians and Ukrainians, but also from people in the U.S., UK, and Brazil, according to the BBC.
“Based on our investigation so far, we believe this information was obtained through malicious browser extensions installed off of Facebook,” Guy Rosen, VP of Product Management, told Gizmodo over email.
“We have contacted browser makers to ensure that known malicious extensions are no longer available to download in their stores and to share information that could help identify additional extensions that may be related,” Rosen said. “We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts.”
“We encourage people to check the browser extensions they’ve installed and remove any that they don’t fully trust. As we continue to investigate, we will take action to secure people’s accounts as appropriate.”
Security firm Digital Shadows helped BBC analyze the data and came to the determination that the attackers used a browser exploit. But Rick Holland, Digital Shadows’ chief information security officer and Vice President of strategy, told Gizmodo that they still don’t know what browser extension or extensions might be responsible.
“Browsers like Chrome can be very secure, but browser extensions can introduce serious gaps in their armor. The addition of browser extensions increases what is otherwise a small attack surface. Malicious extensions can be used to intercept and manipulate the data passing through the browser,” Holland said.
“Sadly, malicious extensions do make it into official browser stores like the Chrome Web Store,” he continued, “and the management of browser extensions is a challenge for cybersecurity teams which makes matters that much worse.”
Why the huge difference between the hackers’ claimed 120 million accounts and perhaps just 81,000 accounts, according to Digital Shadows? Much of the information from the 120 million accounts may have just been scraped from publicly available Facebook accounts from people who haven’t set their privacy settings to anything very restrictive. But the stolen private messages sure look legit. The BBC contacted five Russian Facebook users and confirmed that the Facebook messages being offered for sale were real.
Many of the messages are relatively benign and include simple chats about going on vacation and attending concerts. But as you’d expect, there are also more sensitive discussions, including “intimate correspondence between two lovers,” as the BBC describes it.
So, this one doesn’t appear to be Facebook’s fault, but it’s still not great news for the scandal-plagued social network. Between the September data breach—which directly impacted some 29 million users—the ongoing rash of fake news and failed moderation efforts, and Facebook’s complicity in genocide, it’s no wonder that more and more people are deleting Facebook from their phones. But if you have any private messages on the service, you may want to consider deleting those as well. They could end up on some website being offered for pennies—assuming they haven’t been published already.
Update, 12:45pm: Added comment from Facebook’s Guy Rosen.