Crime ring stole thousands of Facebook passwords, then forgot to use a password

Exclusive: Researchers came across stolen user data in logs stored on a cloud server. It's offline now.

Laura Hautala
Laura Hautala
Laura Hautala
Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials 2022 Eddie Award for a single article in consumer technology
3 min read

Cybercriminals stole Facebook passwords and lured their victims' friends to websites promoting a bitcoin scam. Then they exposed their whole operation on an unsecured database, researchers found.

Graphic by Pixabay; illustration by CNET

A crime operation appears to have tricked hundreds of thousands of Facebook users into handing over their account passwords. The fraudsters then exposed their own operation by making a basic security mistake: They forgot to lock down a cloud database storing the pilfered login credentials with a password of their own.

That meant anyone with a web browser could view the information, which included further details on how they carried out the operation. The findings come from Israeli security researchers Noam Rotem and Ran Locar, who published their research Friday with security website vpnMentor. 

Rotem and Locar reported their findings to Facebook, and the database is no longer exposed. Facebook forced a reset of the passwords for affected accounts.

To steal the passwords, the scammers used websites posing as legitimate services offering to show Facebook users who had viewed their Facebook profiles. The websites sent them to faked Facebook login pages, where victims entered their account passwords, according to Rotem and Locar. It appears hundreds of thousands of users may've fallen for this trick, emphasizing how important it is to make sure you're following legitimate links and downloading verified apps before trying to log in to any service.

Based on what they found in the exposed database, Rotem and Locar think the scammers were using Facebook accounts to post spam content using their victims' Facebook profiles, luring their victims' friends into a bitcoin scheme. 

This incident marks just the latest example of an unprotected database containing sensitive information. Rotem and Locar run software that scans the internet for unsecured databases, and their efforts typically unearth consumer data left exposed by legitimate businesses with bad security practices. Other data found on exposed databases includes patient records from plastic surgery clinics around the world, the expected salaries of job seekers in several countries and the national ID numbers of moviegoers in Peru. 

Sometimes, though, the data turns out to have been stolen in hacks or scraped off of social media profiles en masse, in violation of the platforms' policies. Locar said he and Rotem initially wondered if the database belonged to Facebook. But, he added, "it became pretty obvious that it's cybercrime."

The websites offering data on who viewed the user's Facebook profile didn't deliver on their promise, but they did collect the Facebook login credentials. With that stolen access, the scammers then posed as their victims and posted about bitcoin-related services and news. The researchers estimate that hundreds of thousands of Facebook users clicked on links that led them to a fake bitcoin trading platform, where they were asked to pay deposits of around $300 to start trading the cryptocurrency.

Though Facebook offers users some data about how many people have viewed a page they run, the company has said for years that it'll never reveal who looks at profiles. Despite this, scammers have repeatedly offered to show users this information in a variety of frauds over the years. A simple Google search of "who has viewed my Facebook page?" brings up several false and shady claims about how people can find out.

In this case, the gambit appears to have been successful. Rotem and Locar can't say for sure how many users handed over their passwords to the crime ring, but they found millions of records in the database that they estimate pertained to hundreds of thousands of accounts.

"It works like it's 2007, right?" Locar said.