Hackers claim to have accessed a total of 120 million Facebook accounts and are looking to sell the personal data booty from the hack.
The perpetrators told the BBC Russian Service of this, but a preliminary investigation suggests the number has been grossly exaggerated and puts the number of hacked accounts at at least 81,000.
Facebook has said its security had not been compromised and that the data had probably been obtained through malicious browser extensions.
Facebook added it had taken steps to prevent further accounts being affected.
Many of the accounts affected are based in Ukraine and Russia with some in the UK, US, Brazil and elsewhere.
The hackers offered to sell access for 10 cents (8p) per account. However, their advert has since been taken offline.
‘We have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores,’ said Facebook executive Guy Rosen.
‘We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts.’
Private messages for sale
The breach first came to light in September, when a post from an account with the username ‘FBsaler’ appeared on an English-language internet forum.
‘We sell personal information of Facebook users. Our database includes 120 million accounts,’ the user wrote.
The cyber-security company Digital Shadows examined the claim and confirmed that more than 81,000 of the profiles posted online as a sample contained private messages.
Data from a further 176,000 accounts were also made available, although some of the information – including email addresses and phone numbers – could have been scraped from members who had not hidden it.
The BBC Russian Service contacted five Russian Facebook users whose private messages had been uploaded and confirmed the posts were theirs.
One example included photographs of a recent holiday, another was a chat about a recent Depeche Mode concert, and a third included complaints about a son-in-law.
One of the websites where the data had been published appeared to have been set up in St Petersburg.
Its IP address has also been flagged by the Cybercrime Tracker service, which says the address had been used to spread the LokiBot Trojan, malware that allows attackers to gain access to user passwords.
Third-party browser extensions, such as personal shopping assistants, bookmarking tools and even mini puzzle games, that run on popular browsers like Chrome, Opera and Firefox are the biggest culprits.
The little icons sit alongside your URL address bar patiently waiting for you to click on them.
According to Facebook, it was one such extension that quietly monitored victims’ activity on the platform and sent personal details and private conversations back to the hackers.
Facebook has not named the extensions it believes were involved but says the leak was not its fault.
Independent cyber-security experts have said that if rogue extensions are indeed the cause, the browsers’ developers might share responsibility for failing to vet the programs, assuming they were sold through their marketplaces.
Regardless, the hack still hurts Facebook.
It has been at the center of major security breaches throughout the year, and this case will again raise questions about how proactive it is in handling situations like these.
The BBC Russian Service emailed the address listed alongside the hacked details, posing as a buyer interested in the details of two million accounts.
A reply came from someone who called himself ‘John Smith.’
The advertiser was asked whether the breached accounts were the same as those involved in either the Cambridge Analytica scandal or the subsequent security breach revealed in September.
The BBC also asked whether the group of hackers responsible was linked to the Kremlin. The user said no.