It’s true: Facebook has experienced a number of security-related issues lately, including a breach disclosed in September that compromised at least 30 million accounts. But that incident doesn’t explain why tens of thousands of private Facebook messages reportedly ended up for sale on an internet forum the same month, according to the BBC Russian Service. The culprit likely responsible for the leak, Facebook says, is a pest outside of the social network’s direct control: malicious browser extensions. Google, which has over 60 percent of the browser market share, has said the number of malicious Chrome extension downloads has decreased significantly over the past several years, but this breach proves malware-packed browser tools remain an issue.
In September, the BBC reports, a user named FBSaler appeared on an English-language internet forum offering to sell personal information belonging to 120 million Facebook accounts for 10 cents each. The BBC didn’t specify on which forum the seller posted their offer, but the web is littered with marketplaces where criminals sell stolen personal information, such as credit card numbers.
FBSaler posted a sample of their data on a separate web page, and the BBC had it examined by the cybersecurity firm Digital Shadows. The company found that more than 81,000 of the stolen accounts included private messages. The BBC reached out to five Russian users whose data was included, and they verified the messages’ legitimacy.
Digital Shadows also analyzed data from 176,000 additional sample accounts, which included information like phone numbers and email addresses. It’s possible this data was scraped from Facebook users who had posted it publicly, whereas the other accounts appear to have had truly private messages stolen.
It’s not clear who’s responsible for stealing the Facebook data, but the BBC says one of the websites where the stolen information was posted appears to have been set up in Saint Petersburg, Russia. Facebook says the hackers were able to obtain the info using malicious browser extensions, but the company didn’t provide any specifics.
Many of the users whose information was stolen are based in Ukraine and Russia, though some are from the UK, US, Brazil, and other countries, according to the BBC. The hacker selling the data claimed to have information belonging to 120 million Facebook accounts, or roughly 6 percent of the more than 2 billion people who use Facebook each month. They might be bluffing—it’s unlikely that Facebook would have missed a security issue affecting so many users—but there’s no way to know for sure, unless Facebook publicly discloses how many accounts it thinks were impacted. The BBC says that FBSaler’s advertisement for the stolen data has since disappeared.
The good news is that it doesn’t appear Facebook’s platform was compromised in any way. In order to have been affected by this issue, you would have needed to download a malicious browser extension from a place like the Google Chrome store, Firefox Add-ons, or Safari’s Extensions Gallery. It’s not good that Facebook failed to notice that an extension was sucking up user data, but if you’re diligent about downloading plug-ins from trustworthy developers, you shouldn’t be too worried.
“We have contacted browser makers to ensure that known malicious extensions are no longer available to download in their stores and to share information that could help identify additional extensions that may be related. We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts,” Guy Rosen, Facebook’s vice president of product, said in a statement.
Rosen added that users should check the browser extensions they’ve installed and delete any they don’t fully trust. This incident is a good reminder that free extensions—like, say, shopping tools or bookmarking shortcuts—may be tempting, but they can sometimes come with a malware surprise. It’s also never a bad idea to check you’re not downloading a copycat: Last year, Google caught three malicious extensions masquerading as AdBlock Plus, one of which had been downloaded tens of thousands of times before it was removed.