New leakage of Facebook user data, including private messages

November 2, 2018
Little more than a month has passed since the last major Facebook data breach, and now there is more unpleasant news for users of the social network. Using malicious browser extensions, cybercriminals are alleged to have harvested the data of tens of millions of people, including private messages.

What happened?

A BBC investigation reported that an online forum was offering to sell the personal data of 120 million Facebook users, at 10 cents per individual profile. To prove the value of the data, a small part of the database was made publicly available, consisting of data for 257,000 users, including the private messages of about a third (81,000) of them.

The claim that 120 million accounts are at risk of exposure cannot, of course, be confirmed or refuted without access to the full version of the database. However, according to the BBC journalists who checked the data, everything appears to suggest that the leaked portion of the archive is real.

Is this linked to the Facebook leak a month ago?

Apparently, the breaches are unrelated. The earlier incident involved the use of Facebook vulnerabilities for centralized, “wholesale” data theft. But in the latest case, data was harvested using malicious browser extensions that the victims had installed on their own computers. This is a different ball game altogether.

Malicious browser extensions? What’s that all about?

Extensions (also known as plug-ins or add-ons) are small programs that are installed “on top” of the browser, extending its functionality. Examples include toolbars that change the browser interface, ad blockers, and so forth. The problem with these extensions is that they can — and most of them do, as part of their regular operation — see all the content that the browser is showing you (and change it too, for that matter).

This ability makes them highly adept at tracking the user’s online movements and collecting various data. The case at hand is about data harvested from Facebook pages. But in principle, any information can be stolen this way. Banking data, for example, is also far from immune. See the post “Why you should be careful with browser extensions” for more details.
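The capability described above is declared up front in an extension's manifest: host patterns such as `<all_urls>` or `*://*/*` grant the extension access to every page the browser loads. The following script, an added example that is not part of the original article, reads extension manifests (both the Manifest V2 layout, where host patterns sit in `permissions`, and the Manifest V3 layout, where they sit in `host_permissions`) and flags those that can see every page. The two manifests embedded in it are constructed samples, not real extensions.

```javascript
// Added example (not from the original article): audit a browser extension's
// manifest.json for host patterns that let it read or modify every page the
// browser shows, which is the capability the article warns about.
// The two manifests at the bottom are constructed samples, not real extensions.

// Host patterns that match every site. These are the documented wildcard
// forms used by Chromium-based browsers and Firefox.
const BROAD_HOST_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

function isBroadHostPattern(pattern) {
  return BROAD_HOST_PATTERNS.includes(pattern.trim());
}

// Collect every host pattern an extension can run on:
//  - Manifest V2 mixes host patterns and API names in "permissions"
//  - Manifest V3 keeps host patterns in "host_permissions"
//  - content_scripts "matches" lists the pages where scripts are injected
function collectHostPatterns(manifest) {
  const patterns = [];
  for (const p of manifest.permissions || []) {
    if (p === "<all_urls>" || p.includes("://")) patterns.push(p);
  }
  patterns.push(...(manifest.host_permissions || []));
  for (const cs of manifest.content_scripts || []) {
    patterns.push(...(cs.matches || []));
  }
  return [...new Set(patterns)]; // de-duplicate while preserving order
}

// Summarise what the extension can reach: "high" if any pattern covers every
// site, "limited" if it is scoped to specific hosts, "none" if it declares no
// host access at all.
function auditManifest(manifest) {
  const hostPatterns = collectHostPatterns(manifest);
  const broadPatterns = hostPatterns.filter(isBroadHostPattern);
  let risk = "none";
  if (broadPatterns.length > 0) risk = "high";
  else if (hostPatterns.length > 0) risk = "limited";
  return { name: manifest.name, hostPatterns, broadPatterns, risk };
}

// Constructed sample: a Manifest V2 "toolbar" that injects a script into
// every page and also requests all hosts through "permissions".
const SAMPLE_BROAD = {
  name: "Example Toolbar (constructed sample)",
  manifest_version: 2,
  permissions: ["tabs", "storage", "<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

// Constructed sample: a Manifest V3 helper scoped to a single site.
const SAMPLE_NARROW = {
  name: "Example Site Helper (constructed sample)",
  manifest_version: 3,
  permissions: ["storage"],
  host_permissions: ["https://www.example.com/*"],
  content_scripts: [{ matches: ["https://www.example.com/*"], js: ["content.js"] }],
};

for (const m of [SAMPLE_BROAD, SAMPLE_NARROW]) {
  const r = auditManifest(m);
  console.log(`${r.name}: risk=${r.risk} hosts=${JSON.stringify(r.hostPatterns)}`);
}
```

To use it on a real installation, point `auditManifest` at the parsed `manifest.json` of each extension found in the browser's profile directory; an extension rated `high` can read and alter everything you see, including webmail and social-network pages, and deserves the scrutiny the article recommends.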

It is not yet clear, and may never be, which extensions were used in the latest Facebook data breach. So other data may also have been stolen; we simply don’t know yet.

At present, we can make two general recommendations based on this story:

  • Treat browser extensions seriously, and don’t install them indiscriminately. These days, pretty much all of our most valuable information is available on a handful of websites, and extensions have access to it.
  • Be more prudent when it comes to private correspondence online. It might be far less private than you think.