The news dropped that criminals are selling the private messages of 81,000 Facebook account for 10 cents per account on the Dark Web. These bad actors also have access to the information of 120M Facebook users.
Rich Campagna, CMO at Bitglass:
“Malicious browser extensions highlight the harsh reality that an unknown vulnerability can pose a major threat to data security and brand reputation. It is the responsibility of companies to ensure appropriate configurations, deny unauthorized access, and protect sensitive data at rest.
In addition to losing login credentials, this hack likely exposed a plethora of sensitive personal information. It will be interesting to see how Facebook users respond. This (when added to the growing list of cybersecurity lapses at the social media giant), could significantly harm consumer trust in the company.”
Paul Bischoff, Privacy Advocate at Comparitech.com:
“The 81,000 hacked Facebook data in this instance were not part of the data that was leaked by Cambridge Analytica nor the September security breach. Instead, the data was gathered by rogue browser extensions. Facebook didn’t specify which browser extensions were to blame, but it wouldn’t be the first time that popular browser extensions turned out to be malware. Extensions, also called plug-ins, are like apps that you install on your browser. Given enough permissions, they could conceivably gather information from pages visited and send the data back to a hacker-owned command and control center.
I”t’s important for people who use Chrome and Firefox to properly vet the extensions they install. Second, everyone with a Facebook account should limit who can see their posts to “Friends” instead of “Friends of friends”, the latter being the default. The report indicates the extensions used pulled data from victims’ friends accounts as well. If a friend of a friend installs an infected extension, it could possibly pull personal data from your account. Reducing visibility won’t fully protect you, but it will lessen the attack surface.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.