Crime ring stole thousands of Facebook passwords, accidentally exposed them online – CNET
Exclusive: Researchers came across the trove of stolen user data in logs stored on a cloud server. It’s offline now.

Laura Hautala, Nov. 13, 2020 5:00 a.m. PT

Cybercriminals stole Facebook passwords and lured their victims’ friends to websites promoting a bitcoin scam. Then they exposed their whole operation on an unsecured database, researchers found.

A crime operation appears to have tricked hundreds of thousands of Facebook users into handing over their account passwords. The fraudsters then exposed their own operation by making a basic security mistake: They forgot to lock down a cloud database storing the pilfered login credentials with a password of their own. That meant anyone with a web browser could view the information, which included further details on how they carried out the operation. The findings come from Israeli security researchers Noam Rotem and Ran Locar, who published their research Friday with security website vpnMentor.
Rotem and Locar reported their findings to Facebook, and the database is no longer exposed. Facebook forced a reset of the passwords for affected accounts.
To steal the passwords, the scammers used websites posing as legitimate services offering to show Facebook users who had viewed their Facebook profiles. The websites sent them to faked Facebook login pages, where victims entered their account passwords, according to Rotem and Locar. It appears hundreds of thousands of users may have fallen for this trick, emphasizing how important it is to make sure you’re following legitimate links and downloading verified apps before trying to log in to any service.
Based on what they found in the exposed database, Rotem and Locar think the scammers were using Facebook accounts to post spam content using their victims’ Facebook profiles, luring their victims’ friends into a bitcoin scheme.
This incident marks just the latest example of an unprotected database containing sensitive information. Rotem and Locar run software that scans the internet for unsecured databases, and their efforts typically unearth consumer data left exposed by legitimate businesses with bad security practices. Other data found on exposed databases includes patient records from plastic surgery clinics around the world, the expected salaries of job seekers in several countries and the national ID numbers of moviegoers in Peru.
Sometimes, though, the data turns out to have been stolen in hacks or scraped off of social media profiles en masse, in violation of the platforms’ policies. Locar said he and Rotem initially wondered if the database belonged to Facebook. But, he added, “it became pretty obvious that it’s cybercrime.”
The websites offering data on who viewed the user’s Facebook profile didn’t deliver on their promise, but they did collect the Facebook login credentials. With that stolen access, the scammers then posed as their victims and posted about bitcoin-related services and news. The researchers estimate that hundreds of thousands of Facebook users clicked on links that led them to a fake bitcoin trading platform, where they were asked to pay deposits of around $300 to start trading the cryptocurrency.