Security researchers have uncovered a major Facebook scam exploiting hundreds of thousands of users, after the scammers left an Elasticsearch server unsecured.
Among the 5.5GB haul discovered by vpnMentor on September 21 were 150,000-200,000 Facebook usernames and passwords, as well as personal information (email addresses, names and phone numbers) for hundreds of thousands of people who had fallen victim to a Bitcoin scam.
The two datasets are part of the same operation: the first group was tricked into handing over their account logins by a fake app promising to reveal who had recently visited their profile. With these logins, the scammers hijacked the victims’ accounts and posted comments on their Facebook posts, with links directing individuals to a Bitcoin fraud scheme.
In total, the exposed database contained 13.5 million records, also including domains used in the scheme and text outlines related to the Facebook comments the fraudsters would post.
Although the data came from a relatively short window, June-September 2020, there are fears the scheme may originally have been much bigger. At the time it was indexed by Shodan, the database contained 11GB of data relating to the scheme, rather than 5.5GB, meaning many more victims may have been affected.
The database was then wiped by the Meow attack the day after vpnMentor discovered it. New data immediately started to appear again before those in charge finally secured the server.
With access to users’ Facebook accounts, the cyber-criminals behind this campaign have a highly monetizable resource for posting malicious links to scams, launching follow-on phishing or identity fraud attempts, blackmail and credential stuffing of other accounts, vpnMentor warned.
“If you’re a Facebook user and think you’ve been a victim of this fraud, change your login credentials immediately. Furthermore, if you reused your Facebook password on any other accounts, change it immediately to protect them from hacking,” the firm said.
“We recommend using a password generator to create unique, strong passwords for every private account you have, and changing them periodically. Never provide usernames and passwords for Facebook, email or financial accounts to external websites.”