The database was owned by cybercriminals who hacked Facebook accounts and used them for credit card and Bitcoin scams.
Facebook has been criticized several times for harboring criminals who carry out malicious activity on its platform, even if unintentionally. In the latest case, researchers from vpnMentor have reported a phishing and credit card scam run on Facebook with over 100,000 victims across the world.
The scam was run through a tool that the threat actors claimed would reveal the identities of the otherwise anonymous visitors to a user's Facebook profile.
To use it, victims had to enter their Facebook login credentials, which gave the attackers access to their accounts. The hijacked accounts were then used for purposes such as posting spam comments that linked to the attackers' fraudulent websites, in particular those hosting Bitcoin scams.
If a user visited one of these websites, they landed on a fake Bitcoin trading platform that tried to defraud them of deposits starting at 250 Euros.
Phishing page that stole Facebook credentials (Image: vpnMentor)
Now, how were they finally caught?
Companies frequently leave unsecured databases exposed on the open internet, but sometimes attackers do the same. That is exactly what happened here: the attackers left their Elasticsearch database, holding over 5.5 GB of sensitive information (credentials and IP addresses) on almost 100,000 victims, open for anyone to view, which is how the researchers found and exposed them.
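The scammers' mistake was the same one that exposes legitimate organizations: an Elasticsearch node bound to a non-loopback address with no authentication in front of it. As an added example (not code from the article or from vpnMentor), the following Python script audits a flat `elasticsearch.yml` for that combination. The setting names (`network.host`, `http.port`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) are real Elasticsearch settings; the sample configurations are constructed for illustration, and the minimal parser assumes the flat `key: value` layout those files normally use.

```python
"""Audit a flat elasticsearch.yml for the exposure pattern behind the scam
database described above: a node reachable from other hosts with
xpack.security.enabled not set to true.

Added example, not from the article or vpnMentor. Setting names are real
Elasticsearch settings; the sample configs below are constructed.
"""

# Values of network.host that keep the node on the local machine only.
LOOPBACK_ALIASES = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text: str) -> dict:
    """Minimal parser for the flat `key: value` lines elasticsearch.yml uses.

    Drops comments and blank lines and strips surrounding quotes. It does not
    handle nested YAML blocks, which is fine for the settings audited here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: no '#' inside values
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def host_list(value: str) -> list:
    """Split network.host, which may be a scalar or a YAML flow list."""
    return [h.strip().strip("\"'") for h in value.strip("[]").split(",") if h.strip()]


def audit(settings: dict) -> list:
    """Return findings, most severe first, for one node configuration.

    A missing network.host means the Elasticsearch default (_local_). A missing
    xpack.security.enabled is treated as "not explicitly enabled": 8.x defaults
    it to true, 7.x (basic licence) to false, so the check is conservative.
    """
    findings = []
    hosts = host_list(settings.get("network.host", "_local_"))
    public = [h for h in hosts if h not in LOOPBACK_ALIASES]
    security_on = settings.get("xpack.security.enabled", "").lower() == "true"
    tls_on = settings.get("xpack.security.http.ssl.enabled", "").lower() == "true"
    port = settings.get("http.port", "9200")

    if public and not security_on:
        findings.append(
            f"CRITICAL: node listens on {', '.join(public)}:{port} without "
            "xpack.security.enabled: true; any client that reaches the port "
            "can read, modify and delete every index"
        )
    if public and security_on and not tls_on:
        findings.append(
            "HIGH: authentication is on but HTTP TLS is off; credentials and "
            "data cross the network in the clear"
        )
    if not public and not security_on:
        findings.append(
            "INFO: node is loopback-only; enable xpack.security before binding "
            "it to a routable address"
        )
    return findings


def worst_severity(text: str) -> str:
    """Collapse the findings for a config file into a single severity label."""
    findings = audit(parse_flat_yaml(text))
    return findings[0].split(":", 1)[0] if findings else "OK"


# Constructed samples: the exposed-to-everyone shape and a hardened one.
WEAK_CONFIG = """
cluster.name: victim-store          # constructed sample, not the scammers' config
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

HARDENED_CONFIG = """
cluster.name: victim-store
network.host: ["_local_", "_site_"]
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

LOOPBACK_ONLY_CONFIG = """
cluster.name: dev-box
http.port: 9200
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("loopback-only", LOOPBACK_ONLY_CONFIG)]:
        print(f"{name}: {worst_severity(cfg)}")
        for finding in audit(parse_flat_yaml(cfg)):
            print("  " + finding)
```

Run it against a real node's `elasticsearch.yml`; a CRITICAL result means the same conditions the researchers relied on to read this database apply to yours, and the Meow campaign mentioned below shows that exposed data does not stay merely readable for long.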
In a blog post, the researchers stated that, to verify the database contained real data, they "entered fake login credentials on one of the scam web pages and verified they had been recorded".
However, they were not the ones to finally take down the database. Coincidentally, the ongoing Meow attack campaign hit the database and destroyed all the data, after which the original scammers allegedly took the database offline.
To conclude, Facebook was not involved in the incident, but the company was contacted because the scam worked by manipulating its users, something it should focus on preventing in the future, for example by strengthening automated moderation of comment spam.
Going forward, if you believe you may have been affected by this, change your passwords immediately and refrain from reusing them on other platforms.