Criminals sell 1.5 billion data from Facebook users on dark web

Image: Dan Kitwood/Staff (Getty Images)

Image: Dan Kitwood/Staff (Getty Images)

*With the collaboration of Luana Nunes

Amidst all the chaos caused by the instability that left Facebook, Instagram and WhatsApp off the air for more than five hours this Monday (4), — which yielded great memes on Twitter and made users resort to communication methods prehistoric times – the information emerged that data from 1.5 billion Facebook users was being sold in a forum on the dark web.

According to the information, released by the website Privacy Affairs, the data being sold reveals name, email, phone number, location, gender and user ID. Facebook has not yet commented on the case. If confirmed, it will be the biggest leak in the history of Facebook, which has 2.7 billion users worldwide.

A user of a well-known hacker forum posted an ad on September 22 claiming to have the personal data. He presented some samples of the data that are in his possession and that had the veracity confirmed by the Privacy Affairs.

“The data is currently for sale on the forum platform, with potential buyers having the opportunity to purchase all the data at once or in smaller quantities,” says the publication.

A potential buyer claimed to have received a quote of US$5,000 (almost R$27,300 at the current quote) for data from one million users. Some forum users claimed to have made payment to the data seller, but that they did not have access to the information.

The owner of the profile that sells the data says that he belongs to a group of web scrapers that has been operating for about 4 years and has had more than 18,000 customers during this time. O Privacy Affairs it cross-referenced the data with others from known Facebook leaks and found no relationship between them, which could mean it’s a completely unheard of data theft.

How, after all, did the data leak?

Apparently, the data was not the result of a hacker attack, but of scraping (a technique known as “data scraping”), when the collection of data from any page or website is done in an automated way. Scraping is commonly used to gather data already available on the web, which can mean that information has been “scraped” from public profiles.

Another popular but illegal method is data collection via fake Facebook surveys or questionnaires. For example, you’ve probably seen a quiz appear in your feed with the title: “Find out what character you are on that show” or “Take the quiz and find out when you’re getting married”. Malicious links of this type can also steal data.

The fact is that when the user accepts to do these “tests”, criminals gain access to all personal information on Facebook. Thus, it is possible to increase this database more and more.

“Various media and Twitter users misinterpret this as the result of a hack or data breach, which is not the case,” says the text.

The data sold is unrelated to the data leak of 533 million users that occurred in April this year, which affected Facebook users in 106 countries. At the time, the data was made available for free on forums frequented by hackers.

Facebook said the leak was caused by a vulnerability that was identified and fixed by the company in 2019. However, the tech giant warned that the data could still be used by criminals.

Not even the company’s founder was spared by cybercriminals. Dave Walker, an expert in digital security, posted an image on his Twitter profile that suggested that Mark Zuckerberg’s phone had also been leaked in the lawsuit that stole the data.

The report also said the information had nothing to do with yesterday’s global Facebook outage (4). The story was published 12 hours before the social media crash.