[BreachExchange] 267 Million Facebook identities available for 500 euros on the dark web

Destry Winant destry at riskbasedsecurity.com
Tue Apr 21 10:26:55 EDT 2020


Hackers are offering for sale over 267 million Facebook profiles for
£500 ($623) on dark web sites and hacker forums, the archive doesn’t
include passwords.

Early March, the security expert Bob Diachenko uncovered an
Elasticsearch cluster containing more than 267 million Facebook user
IDs, phone numbers, and names. The archive was left exposed online for
anyone to access without authentication.

According to Diachenko, the data is the result of an illegal scraping
activity by abusing Facebook API to collect the huge trove of data.

A few days later, a second server was exposed by what appears to be
the same criminal group from Vietnam. The data on this server is
identical to the first one, but they also include an additional 42
million records.

“The second server exposed in March 2020 contained the same 267
million records as the previous one, plus an additional 42 million
records. It was hosted on a US Elasticsearch server. 25 million of
those records contained similar information: Facebook IDs, phone
numbers, and usernames.” reads a post published by Comparitech who
helped the experts.

“16.8 million of the new records contained even more info, including
Facebook ID, Phone number, Profile details, Email addresses, and some
other personal details”

Most of the records belong to users from the United States, and
according to Diachenko all of them seem to be valid.

Now experts from Cyble discovered the sale on the dark web and
purchased the database to verify the data. Then the experts added the
records to their data breach notification service

“One of the threat actors have dropped an online bomb by dropping the
identities of 267 Million Facebook Users for 500 Euros — the details
CONNECTION, STATUS, AGE.” reads the post published by Cyble on Medium.

“Cyble researchers executed the sale and were able to download and
verify the data. The impacted users will be able to verify this on
Cyble’s data breach monitoring platform, AmIbreached.com shortly.“

Threat actors could use data included in the archive to launch
phishing campaigns or SMS phishing attacks against some users and
trick them into revealing their passwords.

Cyble recommends users to be vigilant on unsolicited emails and text messages.

More information about the BreachExchange mailing list