Up to 120 million private Facebook messages were being sold online by hackers this fall, according to a report from the BBC. The breach was first discovered in September, and the messages were obtained through unnamed rogue browser extensions, which monitored users and mined their information while they browsed the social media website.
Facebook claims that its systems were not breached as part of the hack. Affected users were primarily based in Ukraine and Russia. Some users from the United States were also reportedly impacted after a hacker on an online forum attempted to sell the Facebook information at a rate of 10 cents per account.
“We have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores. …We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts,” Facebook executive Guy Rosen told the BBC.
Sample data from 81,000 Facebook profiles was also posted online by hackers in order to gain interest in possible sales. The group behind the hack originally told the BBC that data from 120 million Facebook accounts were up for purchase, but cybersecurity experts have been skeptical of that figure.
Still, the BBC spoke to impacted users who revealed their information was indeed stolen and also listed on the forum. Data from those accounts included photos from a vacation, a chat about a Depeche Mode concert, and even an “intimate correspondence between two lovers.”
This is not the first time that Facebook has faced a hack. In September, the social media platform announced that up to 50 million accounts were compromised due to a flaw in access tokens and the “View As” feature.
As this latest hack involves the use of browser extensions, it is always best to check which source an extension is coming from, and which permissions it is being granted. That is a small step to take, but Google has been taking larger steps to ensure extensions are safer. In Chrome 70, consumers can restrict host access (website access) by clicking on an extension and selecting an option from the drop-down menu.
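One way to carry out the permission check described above, as an added example that is not from the original article: a Python script that reads an extension's `manifest.json` and lists the host match patterns that give it access to a given site. The two manifests are constructed samples, and the function names are this example's own.

```python
import json

# Constructed sample manifests (not taken from any real extension).
BROAD_MANIFEST = json.loads("""{
  "name": "Sample Downloader", "manifest_version": 2,
  "permissions": ["tabs", "storage", "<all_urls>"],
  "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["cs.js"]}]
}""")
NARROW_MANIFEST = json.loads("""{
  "name": "Sample Notes", "manifest_version": 2,
  "permissions": ["storage", "https://api.example.org/*"]
}""")

def host_patterns(manifest):
    """Yield (source, pattern) for every host match pattern the manifest requests."""
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "optional_permissions", "host_permissions"):
        for item in manifest.get(key, []):
            if isinstance(item, str) and (item == "<all_urls>" or "://" in item):
                yield key, item
    for script in manifest.get("content_scripts", []):
        for item in script.get("matches", []):
            yield "content_scripts", item

def pattern_host(pattern):
    """Return the host part of a match pattern; '*' means every host."""
    if pattern == "<all_urls>":
        return "*"
    if "://" not in pattern:  # malformed pattern: matches nothing
        return ""
    return pattern.split("://", 1)[1].split("/", 1)[0]

def covers(pattern, host):
    """True if the match pattern applies to the given hostname."""
    pat = pattern_host(pattern)
    if pat == "*":
        return True
    if pat.startswith("*."):  # "*.example.com" covers the domain and its subdomains
        return host == pat[2:] or host.endswith(pat[1:])
    return host == pat

def audit(manifest, host):
    """List the patterns that give the extension access to `host`."""
    return [{"source": s, "pattern": p, "any_site": pattern_host(p) == "*"}
            for s, p in host_patterns(manifest) if covers(p, host)]

if __name__ == "__main__":
    for m in (BROAD_MANIFEST, NARROW_MANIFEST):
        print(m["name"], audit(m, "www.facebook.com"))
```

An entry with `any_site` set to true marks an extension that can read every page the user visits, which is the kind of access the Chrome 70 host access setting lets the user narrow.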