According to a report by Cyble on Medium, someone has dropped an “online bomb” containing 267 million records belonging to Facebook users. The dump is offered for purchase at the cost of $540, which is the equivalent of buying more than half a million account details for a dollar. Each record includes a Facebook username, the matching email address, the Facebook user ID, account status, age, phone number, and the time of the last connection. Cyble bought the dump immediately and was able to verify that the data was indeed real, valid, and relatively recent.
Facebook hasn’t announced any data breaches lately, and from the size of the dump, it looks like someone has managed to carry out a successful API scraping operation. Potentially, this could be a security blunder attributed to a third-party app, and not Facebook itself. Whatever the case, the only thing that matters is that about 267 million Facebook users have had their sensitive data exposed, and hundreds, if not thousands, are already flocking to buy the relatively inexpensive pack. Their purpose would be to send phishing and scam emails or SMS messages, or to chat with their targets directly on Messenger. Moreover, having the email address and the matching phone number would enable SIM swap actors to do their thing.
Cyble monitors the vast space of the dark web, keeping an eye on the latest offerings published on at least the largest marketplaces. This way, they were able to spot a massive listing of 500,000 Zoom accounts last week, and now they are back again to warn us about a much more extensive incident. The firm has also set up a search engine similar to “haveibeenpwned,” where registered users may enter their email addresses and check if there are any matching records on the dark web. The latest batch of 267 million Facebook accounts has already been indexed in the monitoring platform, so you may go ahead and check for yourself right now.
If you find that you have been exposed, be very vigilant with incoming SMS or email messages. If you suspect that someone is trying to phish or scam you, don’t hesitate to report it to the local authorities. If you’re using Facebook, try to limit the number of extra apps or online platforms where you connect with your social media account. This would reduce the chances of having your data scraped when there are API vulnerabilities.