In the wake of the hack last week which left the data of at least 50 million users vulnerable, Facebook accounts are allegedly being sold on the dark web.
Facebook announced a significant data breach on September 27, noting that 50 million users had been targeted by the breach and an additional 40 million may have been affected. The Independent has since reported viewing users’ personal details for sale on dark web marketplaces.
Hackers were able to access the data – including access tokens, which would permit logging in without a password or two-factor authentication – by exploiting three separate bugs in Facebook’s login protocols. The exploits had been possible since July 2017.
The Irish Data Protection Commission (DPC), which is investigating the breach, criticised Facebook for what it believed to be a lax approach to the hack. It was alleged that Facebook waited three days after discovering the hack to report it to the DPC and that its report, when it did arrive, was vague and “lacked detail”.
Accounts up for sale on Dream Market, a dark web marketplace, were priced between US$3 and US$12, to be paid in cryptocurrency. The personal information that can be gathered from a stolen Facebook account could allow the buyer to carry out cyber attacks, steal identities, hold data to ransom and extort information.
Access tokens could also be used where users have enabled Facebook login for third-party apps, such as Spotify or Yahoo, and users’ data could be sold to third-party marketing firms to enable them to create intrusive, targeted advertising campaigns.
Facebook remains unsure whether its users’ data has actually been breached, but has implemented a system among its developers to check for third-party access token use.
If it is found that Facebook did not adequately protect its users’ data, the company could be fined up to US$1.63 billion under the General Data Protection Regulation (GDPR). CEO Mark Zuckerberg told reporters the company was taking its security issues “really seriously”.