Data from 120M hacked Facebook accounts for sale in Russia

Yet another 5% of Facebook’s data leaks? The BBC Russian service reports 120,000,000 users’ private messages and other details for sale at 10¢ per user.

But Facebook denies blame: It was a malicious browser extension, y’see. But no, it's not going to tell us which one.

Why so serious, Mister Zuckerberg? In this week’s Security Blogwatch, we flog many dead horses.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Soviet synthpop 


In Russia, data sell you

What’s the craic? Andrei Zakharov Тетенька в has hacked Facebook accounts for sale:

The perpetrators told the BBC Russian Service that they had details from a total of 120 million accounts, which they were attempting to sell, although there are reasons to be sceptical. … The hackers offered to sell access for 10 cents … per account. However, their advert has since been taken offline.

The breach first came to light … when a post from a user nicknamed FBSaler appeared on an English-language internet forum. [We] contacted five Russian Facebook users whose private messages had been uploaded and confirmed the [conversations] were theirs. One example included photographs of a recent holiday, another was a chat about a recent Depeche Mode concert, and a third included complaints about a son-in-law. … There was also an intimate correspondence between two lovers.

According to Facebook, it was [a browser] extension that quietly monitored victims' activity on the platform and sent personal details and private conversations back to the hackers. [It] says the leak was not its fault.

Oh, the humanity. Hello, Louise Matsakis—Someone posted private Facebook messages:

Facebook has experienced a number of security-related issues lately, including a breach disclosed in September that compromised at least 30 million accounts. But that incident doesn’t explain why tens of thousands of private Facebook messages reportedly ended up for sale on an internet forum the same month.

The good news is that it doesn’t appear Facebook’s platform was compromised. [But] it’s not good that Facebook failed to notice that an extension was sucking up user data.

This incident is a good reminder that free extensions … may be tempting, but they can sometimes come with a malware surprise. … Last year, Google caught three malicious extensions masquerading as AdBlock Plus, one of which had been downloaded tens of thousands of times before it was removed.

What else do I need to know? Rafael Amado offers Things to Know:

[We] assisted the BBC with its investigation, which included verifying the dataset in question. [It] contains 257,256 profiles, of which 81,208 have private messages included. … Profile information such as names, addresses, contact numbers, and interests were included, along with friends, groups and private messages in some cases. … Roughly 30 percent of the profiles in the 257,256 dataset are Ukraine-based. … Users in the United States … are also represented.

The sellers claimed to have access to 120 million accounts. [We] cannot confirm whether the seller genuinely has access to the 120 million accounts that they claim. … It would be unlikely that the compromise of … over 5% of Facebook’s entire active userbase would go unnoticed by Facebook.

Though Facebook believe malicious browser extensions could have been used, Facebook have still not been definitive about this. … Account takeovers achieved through credential harvesters, for example, are also a possibility.

Want more? Davey Winder winds up the rhetoric: [You’re fired—Ed.]

It's important to point out that currently there is no evidence to support the claims made by the hackers … that 120 million account profiles have actually been stolen. [But] at least some … appear to be genuine.

[Others] could possibly have been scraped from public profiles rather than stolen by the hackers. This kind of 'padding out' of compromised account databases is far from uncommon as the bigger the database the higher the price it commands.

Without wishing to start victim-shaming [it’s] yet another example of Facebook users opening the door to threat actors by being unable to resist the temptation of some stupid add-on. … Of course, the blame doesn't lay with those users. … The blame is always firmly [on] the shoulders of the threat actors themselves, with the browser platforms … also having to mop up some of that guilt.

Nah, let’s blame them. It’s fun! Or so says Boundegar:

Anybody who installs a personal shopping assistant deserves exactly what they get. I don’t give a damn if it’s victim-blaming. Some victims deserve blame.

But which extension should I be looking for? I dunno, and neither does docosc:

So, “We think we know which extensions are doing this, but we are not going to tell you.” And [Facebook] still can claim, with a straight face, “this is not our fault.”

I am so glad I do not have FB. To say they engage in jungle rules is an insult to jungles.

But is there a hidden reason why Facebook is so adamant it’s not down to them this time? Alfred Ng writes—Senator's data privacy law draft:

Sen. Ron Wyden, a Democrat from Oregon … who has been at the forefront of cybersecurity and privacy issues in the Senate, introduced a draft data privacy bill … with harsh penalties for companies that violate your privacy. … "Individual Americans know far too little about how their data is collected, how it's used and how it's shared" … Wyden said in a statement.

The draft recommends boosting the ability of the Federal Trade Commission to take action on privacy violations. … The FTC would … be able to issue fines up to 4 percent of the company's annual revenue.

A push for a federal data privacy law has been brewing on Capitol Hill over the last year, fueled by privacy issues like Facebook's problems with Cambridge Analytica. … Silicon Valley has taken notice.

O RLY? Pravin Kothari agrees:

Recent events like the Equifax data breach, Cambridge Analytica, Facebook and more have fueled the fire and will enable these to gather substantial support on both sides of the aisle as cybersecurity and data privacy issues remain front and center to everyone’s constituent needs.

The cognoscenti on Capitol Hill will tell you that these bills will likely be rolled up as one, most likely before they leave the Senate. Legislation is likely to be omnibus and then will replace the myriad of conflicting state efforts to provide similar legislation.

Meanwhile, FGD135 translates Facebook’s excuse:

“The dog ate my homework.”

The moral of the story?

  • For IT: Consider forbidding browser extensions on enterprise desktops, except for whitelisted code.
  • For SecOps: Use analytics to identify programmatic access by extensions.
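
One way IT could check desktops against the first recommendation, as an added example that is not from the article or any vendor: a script that walks a Chrome-style extensions directory (assumed layout `<id>/<version>/manifest.json`), flags anything not on an allowlist, and notes which extensions hold host permissions that would let them read a watched site. The allowlist, the sample extension IDs and the `watched_domain` parameter are hypothetical.

```python
import json
import tempfile
from pathlib import Path

# Chrome match patterns that grant access to every site.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_patterns(manifest):
    """Collect host patterns from MV2 permissions, MV3 host_permissions and content scripts."""
    pats = [p for p in manifest.get("permissions", [])
            if isinstance(p, str) and ("://" in p or p == "<all_urls>")]
    pats += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return set(pats)

def audit_extensions(ext_root, allowlist, watched_domain="facebook.com"):
    """Return one finding per installed extension version under ext_root."""
    findings = []
    for path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        manifest = json.loads(path.read_text(encoding="utf-8"))
        pats = host_patterns(manifest)
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "allowed": ext_id in allowlist,
            # True if the extension can run on or read the watched site.
            "reads_watched": any(p in BROAD or watched_domain in p for p in pats),
        })
    return findings

def build_sample_tree():
    """Constructed sample: two fake extensions in a temporary directory."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "a" * 32: {"name": "Approved password manager", "manifest_version": 3,
                   "host_permissions": ["https://vault.example.com/*"]},
        "b" * 32: {"name": "Shopping assistant", "manifest_version": 2,
                   "permissions": ["tabs", "<all_urls>"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = root / ext_id / "1.0.0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    for finding in audit_extensions(build_sample_tree(), allowlist={"a" * 32}):
        if not finding["allowed"]:
            print("NOT ALLOWLISTED:", finding)
```
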

And finally (speaking of Russia) …

Here’s some rockin’ Soviet synthpop from 30 years ago


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: DonkeyHotey (cc:by)
