Crime ring exposed trove of stolen Facebook passwords — because they didn’t use a password


Cybercriminals stole Facebook passwords and lured their victims’ friends to websites selling a bitcoin scam. Then they exposed their whole operation on an unsecured database, researchers found.

Graphic by Pixabay; illustration by PJDM

A criminal operation appears to have tricked hundreds of thousands of Facebook users into handing over their account passwords. The fraudsters then exposed their own operation by making a basic security mistake: They forgot to lock down the cloud database storing the pilfered login credentials with a password of their own.

That meant anyone with a web browser could view the data, which included further details on how they carried out the operation. The findings come from Israeli security researchers Noam Rotem and Ran Locar, who published their research Friday with security website vpnMentor.

Rotem and Locar reported their findings to Facebook, and the database is no longer exposed. Facebook forced a reset of the passwords for the affected accounts.

To steal the passwords, the scammers used websites posing as legitimate services offering to show Facebook users who had viewed their Facebook profiles. The websites sent them to fake Facebook login pages, where victims entered their account passwords, according to Rotem and Locar. It appears hundreds of thousands of users could have fallen for this trick, emphasizing how important it is to make sure you’re following legitimate links and downloading verified apps before attempting to log in to any service.

Based on what they found in the exposed database, Rotem and Locar think the scammers were using the stolen accounts to post spam content from their victims’ Facebook profiles, luring their victims’ friends into a bitcoin scheme.

This incident marks just the latest example of an unprotected database containing sensitive information. Rotem and Locar run software that scans the internet for unsecured databases, and their efforts often unearth consumer data left exposed by legitimate companies with poor security practices. Other data found on exposed databases includes patient records from plastic surgery clinics around the world, the expected salaries of job seekers in several countries and the national ID numbers of moviegoers in Peru.

Sometimes, though, the data appears to have been stolen in hacks or scraped off of social media profiles en masse, in violation of the platforms’ policies. Locar said he and Rotem initially wondered if the database belonged to Facebook. But, he added, “it became fairly apparent that it is cybercrime.”

The websites offering data on who viewed the user’s Facebook profile didn’t deliver on their promise, but they did collect the Facebook login credentials. With that stolen access, the scammers then posed as their victims and posted about bitcoin-related services and news. The researchers estimate that hundreds of thousands of Facebook users clicked on links that led them to a fake bitcoin trading platform, where they were asked to pay deposits of around $300 to start trading the cryptocurrency.

Although Fb gives customers some knowledge about how many people have viewed a page they run, the corporate has stated for years that it will by no means reveal who appears at profiles. Regardless of this, scammers have repeatedly provided to indicate customers this data in a wide range of frauds through the years. A easy Google search of “who has seen my Fb web page?” brings up a number of false and shady claims about how individuals can discover out.

In this case, the gambit appears to have been successful. Rotem and Locar can’t say for sure how many users handed over their passwords to the crime ring, but they found millions of records in the database that they estimate pertained to hundreds of thousands of accounts.

“It works like it’s 2007, right?” Locar said.

Laura Hautala