Private and personal information of over 1.5 billion Facebook users has allegedly been leaked online and put up for sale on a dark-web forum in late September, according to a report by security research firm PrivacyAffairs. The hackers gave potential buyers the option to purchase the data in smaller quantities or to buy all of it in bulk. The price quoted for the data of a million users was $5000, according to a user.
The data first appeared on the dark-web forum in late September and the thread advertising the leak disappeared on October 6, according to the researchers. “The forum poster and alleged seller however was not banned (usually what happens when scam allegations turn out to be true),” the security firm said in a blog post.
Some prospective buyers alleged on the forum that they were scammed by the seller, as no data was delivered. The criminals responded by offering to cooperate with the forum admins to prove that the collected data is authentic.
“The forum seller has today responded and denied the scam accusations, continuing to claim that the data is real. The seller commented they are willing to cooperate with administrators of the forum to prove the authenticity of the data,” PrivacyAffairs posted on October 5. The researchers also clarified that the leak had no relation to the outage experienced by Facebook and its other platforms on October 4.
Data scrapers engage in web scraping, the process of using bots to extract content and data from a website. Web scraping methods pull out data from underlying HTML code and databases. It is to be noted that scraping is not illegal per se, but many search engines and social media sites use a range of tools to make scraping difficult, or to allow scraping of only certain public data. It is widely known that many websites accept cookies, which is also a form of scraping publicly available data.
The original advertisement contained data such as names, email addresses, phone numbers, locations, gender and user IDs, obtained through web scraping. The collected data could potentially be used for phishing and to take over user accounts.
The seller, whose name was not revealed, claims to represent a group of web scrapers who have been operating for more than four years, and have sold scraped data to over 18,000 clients.
As mentioned, data obtained by scraping is not illegal; it is, however, widely utilized by advertisers and marketers. In the wrong hands, it could be used to bombard specific individuals with unsolicited advertisements or for more malicious purposes.