309 million Facebook users personal data is sold on the Dark Web

According to Cyble researchers, 309 million Facebook users profile are being sold in Dark Web for around $540 USD per record. The details include Facebook user IDs, phone numbers, relationship status, email addresses, timestamps of recent connectivity, and age. Passwords aren’t exposed, but this data exposure can facilitate phishing or spear phishing campaigns to trigger further exploitation of the users data.  

How was the Facebook users data exposed?

As per Cyble report, the data could have been exposed by a leak in Facebook’s developer API or from scraping. 

However, this data exposure has multiple existing threads already. Bob Diachenko, a security researcher have spotted the same data exposure by taking down the ISP hosting page and had 42 million records in a elastic search cluster on a different server, and was removed by some unknown entity. Diachenko had partnered with Comparitech (a software review and comparison platform) to identify the database and also discovered it was exposed publicly for almost two weeks now.

Below is the timeline for the overall facebook data exposure, 

Initially the data included only 267 million users and restricted to the US region, however, later 42 million new records were added to this collection.

Below is the fattened database that was exposed,

Stop sharing everything on social media

Though Facebook’s third party developer API had some loopholes, the researchers believe that this data exposure could be more of a scrapping methodology. Stop sharing every personal information on social media, and ensure you have got your privacy settings verified. 

In Facebook, navigate to the Settings & Privacy, and verify your current privacy settings, and update most of it to friends or only me, and also remove search engines outside of Facebook to link your profile. 

Though the hackers hadn’t discovered the passwords yet, this is not a huge milestone for them, as a simple email address and exposed passwords search in the dark web could deliver them a handful of relevant passwords to try on, so if you are using the same passwords for multiple login platforms, then its a jackpot for the cyber criminals.

Four best practices to secure your Facebook account

1. Activate two-factor authentication right away.
2. Ensure your passwords are strong, alphanumerical with special characters and case-sensitive characters.
3. Update your passwords every 60 days, and especially after reading this article update it to the earliest, (If you’re from the United States, update it right away)
4. Verify your privacy settings, remove unknown contacts, and ensure you accept friend request only if you know the person personally. (This is because Facebook is known for fake accounts and scammers, data exposure to fake accounts can also make your data compromised)

Subscribe to our newsletter for daily alerts on cyber events, you can also follow us on Facebook, Linkedin, Instagram, Twitter and Reddit.