Facebook data from millions of users could be up for sale.

Stolen Facebook logins for sale

STOLEN Facebook login details are being sold on the dark web for as little as $3.90, sparking fresh privacy fears after the website was hit by a huge cyber attack last week that reached even Facebook boss Mark Zuckerberg and COO Sheryl Sandberg.

Ads offering Facebook customers' account details for sale can be easily found on the dark web - a hard-to-access corner of the internet used by criminals to buy drugs, stolen personal details and fake documents.

A report by UK firm Money Guru found that online identities are often stolen and sold to companies who engage in targeted advertising.

"There are few better ways to gain insight into someone's life than their social media accounts," the report found.

"These details are frequently stolen to sell to companies with little scruples about targeted advertising.

"It's also a fast track to identity theft as they can take control of your accounts, lock you out and cause serious reputational damage in a short space of time."

After purchasing your login details, a criminal could access your social media accounts and find out private information such as when a user is away on holiday, where their children go to school and even their bank details if these have been shared in messages.

It can take just 10 minutes for a fraudster with the right software to access dark web sites that claim to sell the login details, an investigation found.

Money Guru's James MacDonald said the findings clearly demonstrated "how vital it is to protect your data where possible to avoid facing costly consequences".

Facebook users have been unhappy with the company’s approach to hacks lately.

LATEST ATTACK

The shocking report comes as Facebook is in the grips of a major identity theft crisis in which criminals exploited a bug giving them access to 50 million user accounts.

The latest attack hasn't just impacted the social network, but many other sites as well.

On Friday evening, Facebook revealed that hackers had gained access to 50 million accounts.

This let them use your Facebook account "as if they were the account holder" - a shocking security gaffe.

A problem in Facebook’s code allowed outsiders to steal access tokens, the digital keys that keep people logged in to Facebook. Picture: Jeff Chiu/AP

But because of the way the hack worked, it also gave attackers the same level of access to any additional social media accounts you use Facebook to log in with.

So if you tied your Facebook to Messenger, Instagram, Spotify, Tinder or Airbnb, the hackers will have been able to slip into those accounts too, accessing your profile information, photos, private messages and more.

Hack timeline: How did we get here and when did it all happen?

It's all thanks to a major screw-up in Facebook's website code.

When you log in to websites like Facebook, you are given an access token.

Access tokens are like digital keys that remind the website, and other linked services, that you're logged in.

That's why when you close the Facebook tab and open it up again later, you're still logged in.

But last June, Facebook added a new video upload tool which introduced a major bug.

The bug allowed hackers to generate access tokens for absolutely anyone on the website.

Unsurprisingly, hackers used this bug to create access tokens for 50 million users across the site.

If you used Facebook to log in to any other social media accounts like Instagram, those platforms could be at risk too. Picture: Carl Court

Importantly, if you log in to other services with Facebook, this access token would treat you as being logged in to those services too.

So it didn't matter how strong your password was, or whether two-factor authentication meant you needed to receive a text or email code to log in.

The hack allowed attackers to convince these websites that they were already logged in - accessing your account under the radar.

Hackers were also given complete access (as if they were you, effectively), and so could have accessed any part of your accounts.

The only way to actually avoid being caught up in this hack was to (1) not have a Facebook account, or (2) get lucky, and not be targeted by the hackers.
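To make the point above concrete, here is an added toy model (not Facebook's code or token format): a signed access token, the check a linked service performs on it, and a global reset. The signing key, the `|`-separated layout and the generation counter are assumptions for the illustration; note that the check never consults a password or 2FA code, which is why a stolen or forged token is enough, and why invalidating every token (logging everyone out) is the remedy.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed example: server-side signing key and a "generation" counter that
# is bumped to invalidate every token issued so far. Not a real token format.
SECRET_KEY = secrets.token_bytes(32)
_token_generation = 0


def issue_token(user_id: str, ttl_seconds: int = 3600) -> str:
    """Mint a bearer token; only called after password/2FA already succeeded."""
    expiry = int(time.time()) + ttl_seconds
    payload = f"{user_id}|{expiry}|{_token_generation}"
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_token(token: str) -> Optional[str]:
    """What a linked service does: trust the token, never re-check credentials."""
    try:
        user_id, expiry, generation, sig = token.split("|")
    except ValueError:
        return None                       # malformed token
    payload = f"{user_id}|{expiry}|{generation}"
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None                       # forged or tampered token
    if int(expiry) < time.time():
        return None                       # expired token
    if int(generation) != _token_generation:
        return None                       # revoked by a global reset
    return user_id                        # accepted: acts "as if they were you"


def reset_all_tokens() -> None:
    """The 'you'll have been logged out' remedy: every outstanding token dies."""
    global _token_generation
    _token_generation += 1
```

Run `issue_token("alice")`, hand the result to `verify_token`, then call `reset_all_tokens()` and verify again to see the old token rejected while a freshly issued one is accepted.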

"Because this issue impacted access tokens, it's worth highlighting that these are the equivalent of a username and password combination but are used by applications to authenticate against other applications," Synopsys senior technical analyst Tim Mackey said.

"If you've ever used a Facebook login button on a website, now would be an excellent time for Facebook users to review their app settings to see which applications and games they've granted access rights to within Facebook."

How did the Facebook breach happen?

WHAT IT MEANS

The big fear is that hackers will have used automatic tools to harvest information from all 50 million accounts that were compromised.

This means it's possible hackers are currently sitting on photos, videos and private messages for tens of millions of people around the world.

This data pool grows significantly when you add services like Tinder or Instagram into the mix.

And even if you weren't hacked yourself, messages you sent to people who were hacked may still be compromised.

This significantly increases the risk of identity fraud, blackmail - even lost relationships.

If you've ever sent racy photos, made mean comments or moaned about an employer on your Facebook - or in private messages - hackers may be ready and waiting to release this information right now.

Or if you've ever given out personal details such as your address and phone number, for example, in a private message when selling items on Facebook Marketplace, that information may be in the hackers' hands.


Facebook has said hackers exploited its ‘View As’ feature, which lets people see what profiles look like to someone else. The company has taken steps to fix the security problem and alerted police. Picture: Marcio Jose Sanchez

Hackers could also use the information they stole to defraud you, potentially gaining access to your bank accounts or other important services.

"Today, consumers should be working under the assumption that their private information has been stolen by hackers ten times over," Sam Curry, chief security officer at Cybereason, said.

"Today, consumers are reminded again to watch their identities and credit for abuse.

"As an industry until we can start making cyber crime unprofitable for adversaries, they will continue to hold the cards that will yield potentially massive payouts."

If you were hacked, you'll have been logged out and received a notification.

To guard your information in the future, follow our guide here.

And it might disappoint you to find out Facebook faces a maximum fine of just $2.25 billion - less than 3 per cent of billionaire CEO Mark Zuckerberg's net worth.

A Spotify spokesman told The Sun that although Facebook's systems allowed access to Spotify accounts, Spotify's own systems weren't directly breached.

"Spotify has not experienced a security breach," he said.

"However we recognise that many users repurpose login information across various platforms. As a precaution, anyone with concerns can update their Spotify password, or contact customer service who can assist."

This story originally appeared in The Sun and has been republished here with permission.