A criminal operation appears to have prompted hundreds of thousands of Facebook users to pass on their account passwords. The scammers then exposed their own operation by making a basic security mistake: They forgot to lock down a cloud database storing the stolen login information with a password of their own.
This meant that anyone with a web browser could view the information, which included more details on how they performed the operation. The findings come from Israeli security researchers Noam Rotem and Ran Locar, who published their research on the security website vpnMentor on Friday.
Rotem and Locar have reported their findings to Facebook and the database is no longer exposed. Facebook has forced the reset of passwords for affected accounts.
To steal the passwords, the crooks used websites masquerading as legitimate services offering to show Facebook users who had viewed their Facebook profile. The websites sent them to fake Facebook login pages, where victims entered their account passwords, according to Rotem and Locar. It seems that hundreds of thousands of users have fallen for this trick, stressing how important it is to make sure you follow legitimate links and download verified apps before trying to log into a service.
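The lure described above works because the fake login page sits on a host that merely contains the brand name, not on the service's own domain. The following added example (not code from the article or from the researchers) shows the check a defender, a mail filter, or a browser extension can run on a link before a user is allowed to type credentials into it. The set of legitimate login hosts and the sample links are constructed for the example; the digit-to-letter normalisation is a simple heuristic, not a complete homoglyph detector.

```python
from typing import Optional
from urllib.parse import urlsplit

# Hosts a legitimate Facebook login would actually use.
# Assumption for this example only; maintain this list from the real service.
LEGITIMATE_LOGIN_HOSTS = {"facebook.com", "www.facebook.com", "m.facebook.com"}

# Brand string the phishing pages try to impersonate.
BRAND = "facebook"

# Common character substitutions seen in lookalike hostnames (heuristic).
_NORMALISE = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def host_of(url: str) -> Optional[str]:
    """Return the lower-cased hostname of url, or None if it has none."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def mentions_brand(text: str) -> bool:
    """True if the brand name appears in text after lookalike normalisation."""
    return BRAND in text.lower().translate(_NORMALISE)


def classify_login_link(url: str, legit_hosts=LEGITIMATE_LOGIN_HOSTS) -> str:
    """Classify a link a user is about to log in through.

    Returns one of:
      'malformed'   - no usable http(s) hostname
      'legitimate'  - exact match on an allow-listed host over https
      'insecure'    - allow-listed host, but plaintext http
      'lookalike'   - brand name present in the authority or path, but the
                      host is not allow-listed (subdomain tricks, userinfo
                      tricks such as https://facebook.com@evil.example, or
                      digit substitutions such as faceb00k)
      'unrelated'   - does not reference the brand at all
    """
    host = host_of(url)
    if host is None:
        return "malformed"
    parts = urlsplit(url.strip())
    if host in legit_hosts:
        return "legitimate" if parts.scheme == "https" else "insecure"
    # The full netloc (including any user@ prefix) and the path are checked,
    # because the brand is often placed there to make the link look right.
    if mentions_brand(parts.netloc) or mentions_brand(parts.path):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, not taken from the article.
    for link in [
        "https://www.facebook.com/login",
        "http://www.facebook.com/login",
        "https://facebook.com.who-viewed-your-profile.example/login",
        "https://facebook.com@who-viewed-your-profile.example/",
        "https://faceb00k-login.example/",
        "https://news.example/article",
        "not a url",
    ]:
        print(f"{classify_login_link(link):11s} {link}")
```

Only an exact match against the allow-list is accepted; substring matching on the brand is used solely to raise the alarm, never to approve a link. Internationalised (punycode, `xn--`) hostnames are not decoded here, so a deployment would add that step before the brand check.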
Based on what they found in the exposed database, Rotem and Locar believe that the crooks were using the stolen Facebook accounts to post spam content from their victims’ Facebook profiles, luring the victims’ friends into a Bitcoin scheme.
This incident is just the latest example of an unprotected database containing sensitive information. Rotem and Locar run software that scans the Internet for insecure databases, and their efforts typically uncover consumer data left exposed by legitimate companies with poor security practices. Other data found on exposed databases include patient records from plastic surgery clinics around the world, expected salaries of job seekers in several countries, and national ID numbers of moviegoers in Peru.
Sometimes, however, the data turns out to have been stolen in hacks or scraped en masse from social media profiles, in violation of platform policies. Locar said he and Rotem first wondered if the database was owned by Facebook. But, he added, “it has become quite obvious that this is cybercrime.”
The websites offering data about who viewed the user’s Facebook profile failed to deliver on their promise, but they collected the Facebook login information. With this stolen access, the crooks then posed as their victims and posted information on bitcoin-related services and news. The researchers estimate that hundreds of thousands of Facebook users clicked on links that took them to a bogus Bitcoin trading platform, where they were asked to pay deposits of around $300 to start trading cryptocurrency.
Although Facebook offers users data on how many people have viewed a page they operate, the company has said for years that it will never reveal who is viewing profiles. Despite this, scammers have repeatedly offered to show users this information in a variety of scams over the years. A simple Google search for “who viewed my Facebook page?” brings up several false and shady claims about how people can find out.
In this case, the gambit seems to have succeeded. Rotem and Locar can’t say for sure how many users turned their passwords over to the criminal network, but they found millions of records in the database that they said involved hundreds of thousands of accounts.
“It works like in 2007, right?” Locar said.