Hackers have tried to convince potential buyers—and the BBC Russian Service—that they had cracked Facebook’s security and extracted private messages from 120 million accounts. However, according to an outside expert reported by the BBC, it appears likely that at least 81,000 Facebook accounts had their privacy breached. And according to Facebook, the breach is due to malware-containing browser extensions.
“We have contacted browser makers to ensure that known malicious extensions are no longer available to download in their stores and to share information that could help identify additional extensions that may be related,” Facebook’s vice president of product manager, Guy Rosen, said in a statement.
The hackers originally published an offer in September for personal information related to 120 million Facebook accounts on a English-language forum. This included a sample of data that the BBC had an expert examine, confirming that over 81,000 profiles’ private messages were included. An additional 176,000 accounts had data that could have been scraped from public Facebook pages.
Facebook’s Rosen said that its security wasn’t compromised, and urged people to remove any plug-ins they don’t fully trust. Rosen said the social network had notified law enforcement, had the website hosting the Facebook account data had been taken down.
Depending on the browser, plug-in extensions may be able to monitor a user’s activity on any web page. This typically doesn’t include keystrokes, but extensions can sweep in anything rendered on a page for a user to see, such as public and private messages.
Plug-ins that provide toolbars or insert links for coupons for e-commerce are common. However, with so many extensions available, malicious parties have many options: compromise existing software through insiders or poor developer security; release their own seemingly benign plug-ins that provide a useful function alongside snooping; or buy extensions from developers and then update them to include malware.
So, install at your own risk.