Russian hackers are selling private messages from 81,000 Facebook accounts online, an investigation has found.
The messages were posted on a forum by hackers claiming to have access to the personal data of 120 million accounts, offering to sell them at 8p per profile, according to the BBC.
Facebook has denied hackers gained access to its servers and instead blamed the breach on users who have installed malicious web browser extensions that can store private messages.
“We sell personal information of Facebook users. Our database includes 120 million accounts,” one advert said. However, BBC News was only able to verify that data from 81,000 accounts had been stolen.
Cybersecurity expert Joseph Carson, chief security scientist at Thycotic, said that hackers are likely to have exaggerated the amount of data they have available.
“It is very unlikely that the cybercriminals have all the private messages for 120 million accounts,” he said. “It is, however, more likely that the published list of 81,000 accounts is all that the cybercriminals have, and they are looking to cause disruption and fear.”
The platform where the data was posted appears, or has been made to appear, to have Russian links. It is attached to a St. Petersburg-based IP address.
The BBC said it contacted 5 users from Moscow, Belgorod and Perm affected by the breach, who all confirmed that the texts available online were indeed their private Facebook messages.
Sample messages seen include private conversations between several people and intimate holiday photographs which were not supposed to have been made public.
A study by Digital Shadows, a London-based cyber security firm, found 12,000 of the 257,000 users said they were based in Russia and 47,000 said they were from the Ukraine. A number of accounts by users in the UK, US and Brazil may also have been compromised.
Guy Rosen, Facebook’s head of product management, said that the company has helped to remove the type of browser extension which caused the issue.
“We have contacted browser makers to ensure that known malicious extensions are no longer available to download in their stores and to share information that could help identify additional extensions that may be related,” he said.
“We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts. We encourage people to check the browser extensions they’ve installed and remove any that they don’t fully trust,” he added.
The intercepted messages found by BBC News highlight the problem of malicious websites and browser extensions that claim to be useful tools for social media but secretly harvest information.
In 2014, more than 100,000 private photographs and videos from Snapchat users, including children, were published online. The files had all been saved by a website which allowed people to save Snapchat messages to view them again later.
The sale of the intercepted messages comes as Facebook attempts to recover from two separate privacy scandals this year.
Facebook said in September that it had suffered a security breach which exposed the data of 50m users. There was no evidence that any private messages or passwords were revealed in the hack, which saw unknown hackers exploit a series of loopholes in the social network to obtain profile information.
The social network has also been fined £500,000 by the Information Commissioner’s Office. The ICO said that Facebook allowed a personality app created by Dr Aleksandr Kogan, the data scientist behind Cambridge Analytica, to access personal data from November 2013.
As well as the 300,000 people who installed the app, it was able to harvest the information of 87m people around the world.