Security researchers recently discovered a Facebook scam that compromised 13 million records of 150,000 to 200,000 users between June and September 2020. Scammers tricked Facebook users into entering their login credentials on a spoofed website that promised to show a list of people who had visited their profiles. The scammers then used these credentials to take over the victims’ accounts and post links to a set of fake Bitcoin websites on their profiles. The 5.5GB of harvested data, which was stored unencrypted in an Elasticsearch database, included Facebook usernames and passwords, emails, and phone numbers, among other Personally Identifiable Information (PII).
The exposed data puts users at risk of phishing and credential stuffing attacks. Facebook users who think they may have been compromised in this scam should change their credentials without delay. vpnMentor said, “If you reused your Facebook password on any other accounts, change it immediately to protect them from hacking.”