
Criminal gangs stole thousands of Facebook passwords and then forgot to use them

Cybercriminals stole Facebook passwords and lured the victims' friends to websites promoting Bitcoin scams. Researchers discovered that the gang then exposed its entire operation in an unsecured database.

Graphic by Pixabay; Illustration by CNET

A criminal gang appears to have tricked thousands of Facebook users into surrendering their account passwords. Then the fraudsters made a basic security error that exposed their operation: they forgot to lock down the cloud database they used to store the stolen login credentials.

That meant anyone with a web browser could view the data, which also included details on how the operation worked. The discovery comes from Israeli security researchers Noam Rotem and Ran Locar, who published their findings on the security website vpnMentor on Friday.

Rotem and Locar reported their findings to Facebook, and the database is no longer public. Facebook forced password resets on the affected accounts.

To steal the passwords, the scammers used websites posing as legitimate services that promised to show Facebook users who had viewed their profiles. According to Rotem and Locar, these sites sent visitors to a fake Facebook login page where the victim entered their account password. Thousands of users appear to have been taken in by this technique, which underlines how important it is to make sure you are following legitimate links and downloading verified applications before logging in to any service.

Based on the information they found in the public database, Rotem and Locar believe the scammers used the stolen accounts to post spam through the victim's Facebook profile, enticing the victim's friends to join a Bitcoin scheme.

This incident is only the latest example of an unprotected database containing sensitive information. Rotem and Locar run software that scans the internet for insecure databases, and their efforts usually turn up consumer data exposed by legitimate companies with poor security practices. Other data they have found in exposed databases included patient records from plastic surgery clinics around the world, the expected salaries of job applicants in some countries, and the ID numbers of moviegoers in Peru.

Sometimes, however, the data turns out to have been stolen, or scraped in bulk from social media profiles in violation of the platform's policies. Locar said that he and Rotem initially wanted to know whether the database belonged to Facebook. However, he added, "This is obviously a cybercrime."

The website that promised data about who had viewed a user's Facebook profile never delivered on that promise, but it did collect Facebook login credentials. With that foothold, the scammers impersonated their victims and posted about Bitcoin-related services and news. The researchers estimate that thousands of Facebook users clicked on links that took them to a fake Bitcoin trading platform, where they were asked to pay a deposit of about $300 to start trading cryptocurrencies.

Although Facebook gives users data on how many people have viewed pages they run, the company has said for years that it will never reveal who is viewing a personal profile. Despite this, scammers have repeatedly offered to show users exactly that information over the years in a variety of frauds. A simple Google search for "Who viewed my Facebook page?" brings up a number of false and suspicious claims about how to find out.

In this case, the pitch seems to have worked. Rotem and Locar cannot say exactly how many users handed their passwords to the criminal gang, but they found millions of records in the database, which they estimate relate to hundreds of thousands of accounts.

"It's like 2007, right?" Locar said.
