This morning, the British Broadcasting Corporation (BBC) published an article detailing how online actors had obtained and advertised at least 81,000 Facebook user accounts for sale. Digital Shadows (now ReliaQuest) assisted the BBC with its investigation, which included verifying the dataset in question. With so much confusion around the origins of these accounts and the potential impact on Facebook users, here are five things to know that will help you cut through the noise:

  1. The dataset contains 257,256 profiles, of which 81,208 have private messages included. The dataset provided to us by BBC journalists was a searchable repository of Facebook profiles sorted by location. Profile information such as names, addresses, contact numbers, and interests were included, along with friends, groups and private messages in some cases. Although the repository had a tab for user photos, the dataset we analyzed did not contain any images.
  2. The majority of the profiles belong to users located in Ukraine. The data repository is divided by user geography, meaning you can select the particular country from which you want to view profiles. Roughly 30 percent of the profiles in the 257,256 dataset are Ukraine-based. Nine percent located in Russia. Users in the United States, the United Kingdom, and Brazil are also represented.
  3. The sellers claimed to have access to 120 million accounts and offered these on the BlackHat SEO forum. The seller provided the 257,256 profiles we analyzed as a sample. The seller, “FBSaler” advertised the accounts on BlackHat SEO, and online forum primarily used for sharing tips and tools on search engine optimization and online marketing techniques (Figure 1). The majority of threads on this site involve users discussing different ways of boosting search rankings. The type of goods generally sold are proxies, old social media accounts, and web-hosting services.


fbsaler post

Figure 1: FBSaler post published on BlackHat SEO forum


Digital Shadows (now ReliaQuest) cannot confirm whether the seller genuinely has access to the 120 million accounts that they claim. We have only been able to analyse the 250,000+ profiles provided to us as part of this investigation. While unconfirmed, it would be unlikely that the compromise of such a large number of accounts (over 5% of Facebook’s entire active userbase) would go unnoticed by Facebook.

  1. There is no indication that these accounts are related to the Cambridge Analytica controversy. When Facebook account compromises make the news, there is now always a rush to connect it to the Cambridge Analytica controversy that came to light last year. It is tough to say anything definitive about attribution for this data. Although Cambridge Analytica allegedly had access to approximately 1,500 accounts with private messages, the 81,000 accounts with private messages included in this dataset, as well as the geography of these profiles and the timing don’t support a Cambridge Analytica connection. The dataset we obtained appears to be from this summer, with messages and accounts dated in 2018. The Cambridge Analytica data came from a survey app operated by a researcher named Aleksandr Kogan, compiled in 2015.

The title of the data repository we analyzed claimed it was a Cambridge Analytica archive. With no evidence to corroborate these claims, it seems the seller was merely attempting to make the dataset more attractive by using the Cambridge Analytica name.

  1. The method used to obtain the accounts remains unconfirmed, though Facebook believe malicious browser extensions could have been used. Facebook have still not been definitive about this, though it said it had contacted browser makers to ensure that known malicious extensions are no longer available to download in their stores. A rogue survey application as used by Kogan is known to have worked in the past; however, account takeovers achieved through credential harvesters, for example, are also a possibility. While a variety of separate breaches may have been used to compile the dataset, it is more likely a single approach was used given the consistency of the data in the dump.

In September 2018 Facebook announced that at least 50 million user accounts might have been at risk after a bug allowed attackers to obtain access tokens. Facebook stated it had reset access tokens of all users affected. It also claimed its investigations had not indicated that the tokens were used to access private messages or posts related to these accounts. At this moment, there is nothing to suggest the 257,256 profiles we observed are associated with the aforementioned bug.

Political motives seem at odds with how this data is publicly available unless the data was stolen or subsequently passed on from those who originally collected it. Regardless of attribution, motives and the method of collection, the exposure of private messages where people share information they would not usually post publicly on their Facebook feeds is a potentially worrying development. Sensitive information may be used for extortion of identity fraud, while it’s not unheard of for individuals to share financial information such as banking details over private messages.

That said, this discovery should not be a cause for paranoia or unnecessary hysteria. It’s important to remember that simple security precautions still apply. Not reusing passwords across sensitive accounts (personal and business emails, social media sites, and online banking) and making sure these aren’t easy to guess are still effective ways of mitigating account takeovers. Facebook also enables two-factor authentication, which is another measure you’d be remiss to ignore.


We’ve also recorded a ShadowTalk podcast episode on this topic. Listen here:

To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.


Photon logo small