According to the BBC Russian Service investigation, samples of the data were discovered in September being hawked for 10 cents per account on an English-language forum with Russian connections.
Most of the breached accounts were from Russia and Ukraine, but Facebook users in the UK, Brazil and other countries are also among the victims, the BBC said after verifying the find with UK cybersecurity company Digital Shadows.
Criminals offered another 176,000 accounts, although it’s possible that some of the email address and phone number data in this cache was simply scraped from public profiles rather than stolen.
Stolen data from the 81,000 accounts that appeared to be genuine included intimate exchanges between Facebook users. One example, according to the BBC, included photographs of a recent holiday, another was a chat about a recent Depeche Mode concert, and a third included complaints about a son-in-law.
When the BBC posed as a buyer, the seller claimed he could supply access to a further 120 million accounts, which Digital Shadows believes is probably untrue because it implies a huge data breach Facebook would have noticed.
This is a big problem for investigators: working out what’s been stolen or breached can be difficult when cybercriminals make exaggerated or false claims about what they have in their possession.
Are rogue browser plug-ins to blame?
Where did the data stolen from the 81,000 accounts come from?
The BBC story suggests the most likely culprits are rogue desktop browser plug-ins or extensions, but doesn’t offer any conclusive evidence.
Given the cache’s relatively small size and concentration on Russian accounts, this seems plausible.
Malicious desktop extensions, used by criminals not only to steal data but push adware pop-ups and bogus tech support scams, are a problem stretching back years.
Chrome’s popularity makes it the choice target, but Firefox and other browsers are also in the firing line.
Facebook told the BBC it knew of a rogue extension designed to steal data from its users, although it refused to name names.
In other cases, extensions can be a gray area, for example the case of a Chrome marketing extension discovered earlier this year by Facebook to be exploiting a loophole to discover the names of people in ‘closed’ groups.
Browser makers – stand up Google – are trying to get on top of this issue but reports of newly-discovered rogue extensions keep cropping up.
It’d be easy to say “don’t install suspect or unknown extensions”, but life isn’t that simple.
An extension can be innocuous when you first download it but turn bad at a later date. Because extensions update automatically, this change can be incredibly difficult to spot.
The soundest advice is to install as few as possible, stick to known publishers, and disable them when not in use. Always download by visiting the browser maker’s repository and not by following web links.
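One way to spot the "turned bad after an auto-update" case the article describes is to keep a baseline of what each installed extension declares and compare it after updates. The script below is an added example written for this article, not code from Facebook, Google, the BBC or Digital Shadows; it assumes the Chrome-style on-disk layout of `<extensions dir>/<extension id>/<version>/manifest.json`, reads only the manifest's name, version and permission lists, and uses a constructed watch-list of permissions (not an official one). The sample manifests and extension ids are constructed for the demonstration.

```python
"""Baseline-and-diff inventory of browser extension manifests.

Hypothetical defender tooling written for this article. It assumes the
Chrome-style layout <extensions_dir>/<extension id>/<version>/manifest.json
and reads only the manifest's name, version and permission lists.
"""
import json
import os
import tempfile

# Constructed watch-list: permissions whose appearance after an update
# deserves a second look. Not an official list from any browser vendor.
SENSITIVE = {"webRequest", "webRequestBlocking", "cookies", "<all_urls>",
             "history", "clipboardRead", "nativeMessaging"}


def load_inventory(extensions_dir):
    """Return {extension_id: {"name", "version", "permissions"}} read from disk."""
    inventory = {}
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        # One sub-directory per installed version; this simplification takes
        # the lexicographically last one rather than parsing version numbers.
        versions = sorted(os.listdir(ext_path))
        manifest_file = os.path.join(ext_path, versions[-1], "manifest.json")
        with open(manifest_file, encoding="utf-8") as fh:
            manifest = json.load(fh)
        # Manifest V2 lists host patterns under "permissions";
        # Manifest V3 moves them to "host_permissions". Merge both.
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        inventory[ext_id] = {
            "name": manifest.get("name", ext_id),
            "version": manifest.get("version", "?"),
            "permissions": perms,
        }
    return inventory


def diff_inventories(baseline, current):
    """Return findings: new/removed extensions, version bumps and, most
    importantly, permissions that appeared after an update."""
    findings = []
    for ext_id in sorted(set(baseline) | set(current)):
        if ext_id not in baseline:
            findings.append(f"NEW {ext_id}: {current[ext_id]['name']} {current[ext_id]['version']}")
            continue
        if ext_id not in current:
            findings.append(f"REMOVED {ext_id}: {baseline[ext_id]['name']}")
            continue
        old, new = baseline[ext_id], current[ext_id]
        if old["version"] != new["version"]:
            findings.append(f"UPDATED {new['name']}: {old['version']} -> {new['version']}")
        added = new["permissions"] - old["permissions"]
        if added:
            flag = "ALERT" if added & SENSITIVE else "NOTE"
            findings.append(f"{flag} {new['name']} gained permissions: {sorted(added)}")
    return findings


def write_manifests(root, manifests):
    """Write constructed manifests in the Chrome-style layout (test fixture only)."""
    for ext_id, manifest in manifests.items():
        folder = os.path.join(root, ext_id, manifest["version"])
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)


# Constructed sample: the same two extensions before and after an auto-update.
# The second one quietly gains network-interception and all-sites access.
BEFORE = {
    "aaaaexample0001": {"name": "Notes Helper", "version": "1.0.2", "permissions": ["storage"]},
    "bbbbexample0002": {"name": "Price Tracker", "version": "3.4.0",
                        "permissions": ["storage", "tabs"]},
}
AFTER = {
    "aaaaexample0001": {"name": "Notes Helper", "version": "1.0.3", "permissions": ["storage"]},
    "bbbbexample0002": {"name": "Price Tracker", "version": "3.5.0",
                        "permissions": ["storage", "tabs", "webRequest"],
                        "host_permissions": ["<all_urls>"]},
}


def demo():
    """Compare the constructed before/after snapshots and return the findings."""
    with tempfile.TemporaryDirectory() as before_dir, tempfile.TemporaryDirectory() as after_dir:
        write_manifests(before_dir, BEFORE)
        write_manifests(after_dir, AFTER)
        return diff_inventories(load_inventory(before_dir), load_inventory(after_dir))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In practice you would save the output of `load_inventory` once as a baseline, then re-run the diff on a schedule; a version bump with no new permissions is routine, while a bump that adds something on the watch-list is the moment to disable the extension and read its update notes.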
John E Dunn