What Happened?
On April 20, 2020, over 267 million Facebook profiles were discovered for sale on the Dark Web — for just $600. Reports connect these profiles to the Facebook data leak found in December 2019, and possibly to others. Researchers are still unsure how this data was initially exposed, but they have noted that 16.8 million of the Facebook profiles now contain more information than was originally revealed, including the account holder’s email address, birth date, and gender. These enhanced profiles may be the result of data from several Facebook breaches and leaks being combined into more complete user records, which increases their value to cybercriminals selling them on the Dark Web and raises the risk of identity theft for account holders.
On December 19, 2019, Facebook faced criticism for the third time in 2019 when more than 267 million records from the social network were discovered on an unsecured website. The exposed database revealed names, Facebook IDs, and phone numbers of users, and it was accessible to hackers for at least two weeks.
Should I be Worried?
The type of data included in Facebook’s recent leaks — email, phone number, birth date, and account login information — is commonly used for credential stuffing and phishing attacks once discovered by fraudsters or purchased on the Dark Web. It is essential to safeguard your information by updating your passwords, making sure you do not use the same password on multiple accounts, and turning on two-factor authentication to further protect yourself from account takeover attacks. Armed with your email and phone number, scammers can easily craft spear phishing or SMS attacks to steal more personal information or inject malware into your device.
As social distancing requirements continue because of the coronavirus pandemic, social media usage is on the rise. Keep informed on the latest COVID-19 scams and fraud targeting you and your family on- and offline.
3 Tips to Protect Yourself
- Post with caution and do not over-share. What you post online is permanent, even after a social media account is deleted. Identity thieves can learn a lot about you through social media — like your pet’s name, the model of your first car, your high school mascot, and more — all details often used to answer security questions on a variety of sites, including financial and credit card accounts.
- Use two-factor authentication whenever possible. Requiring an additional level of security on all accounts and mobile apps can often thwart hackers from gaining access.
- Be attentive to links and ads on social media. Be wary of posts and ads that appear in your social media timelines. They could be part of a “phishing” attack that redirects you to a fraudulent website.