Facebook Profiles for Sale on Dark Web

What Happened?

On April 20, 2020, more than 267 million Facebook profiles were found listed for sale on the Dark Web — for only $600. Reports link these profiles back to the Facebook data leak discovered in December 2019, and possibly others. Researchers are still uncertain how this data was first exposed but have noted that 16.8 million of the Facebook profiles now include more data than was disclosed originally, including the account holder’s email address, birth date, and gender. These expanded profiles may be the result of multiple breaches and leaks of Facebook data being cobbled together to round out Facebook user information, adding more value for cyberthieves selling it on the Dark Web and increasing account holders’ risk of identity theft.

Back on December 19, 2019, Facebook came under fire for the third time in 2019 when over 267 million records belonging to the social site were found on an unsecured webpage. The unprotected database disclosed names, Facebook IDs, and phone numbers of Facebook users, and was available to cybercriminals for two weeks or more.

Should I be Worried?

The type of data included in Facebook’s recent leaks — email, phone number, birth date, and account login information — is commonly used for credential stuffing and phishing attacks once discovered by fraudsters or purchased on the Dark Web. It is essential to safeguard your information by updating your passwords, making sure you do not use the same password on multiple accounts, and turning on two-factor authentication to further protect yourself from account takeover attacks. Armed with your email and phone number, scammers can easily craft spear phishing or SMS attacks to steal more personal information or inject malware into your device.

As social distancing requirements continue because of the coronavirus pandemic, social media usage is on the rise. Keep informed on the latest COVID-19 scams and fraud targeting you and your family on- and offline.

3 Tips to Protect Yourself

  1. Post with caution to not over-share. What you post online is permanent, even after a social media account is deleted. Identity thieves can learn a lot about you through social media — like your pet’s name, model of your first car, your high school mascot, and more — all details often used to answer security questions on a variety of sites, including financial and credit card accounts.
  2. Use two-factor authentication whenever possible. Requiring an additional level of security on all accounts and mobile apps can often thwart hackers from gaining access.
  3. Be attentive to links and ads on social media. Be wary of posts and ads that appear in your social media timelines. They could be part of a “phishing” attack that redirects you to a fraudulent website.