Saturday, July 13, 2024

Facebook Data Haul of 13 Million Records Exposed By Sloppy Hackers

Security researchers have uncovered a major Facebook scam exploiting hundreds of thousands of users, after the scammers left an Elasticsearch server unsecured.

Among the 5.5GB haul discovered by vpnMentor on September 21, was 150,000-200,000 Facebook usernames and passwords, and personal info including emails, names and phone numbers for hundreds of thousands who had fallen victim to a Bitcoin scam.

The two datasets are part of the same operation: the first group were tricked into handing over their account log-ins by a fake app promising to reveal who had recently visited their profile. With these log-ins, the scammers hijacked the victims’ accounts and posted comments on their Facebook posts, with links directing individuals to a Bitcoin fraud scheme.

In total, the exposed database contained 13.5 million records, also including domains used in the scheme and text outlines related to the Facebook comments the fraudsters would post.

Although the data came from a relatively short window, June-September 2020, there are fears the scheme may have originally been much bigger. At the time it was registered by Shodan, the database contained 11GB of data relating to the scheme, rather than 5.5GB, meaning many more victims may have been affected.

The database was then wiped by the Meow attack the day after vpnMentor discovered it. New data immediately started to appear again before those in charge finally secured the server.

With access to users’ Facebook accounts, the cyber-criminals behind this campaign have a highly monetizable resource for posting malicious links to scams, launching follow-on phishing or identity fraud attempts, blackmail and credential stuffing of other accounts, vpnMentor warned.

Recommended:  What is identity theft? and 5+ Ways to prevent it

“If you’re a Facebook user and think you’ve been a victim of this fraud, change your login credentials immediately. Furthermore, if you reused your Facebook password on any other accounts, change it immediately to protect them from hacking,” the firm said.

“We recommend using a password generator to create unique, strong passwords for every private account you have, and changing them periodically. Never provide usernames and passwords for Facebook, email or financial accounts to external websites.”

Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates