It's important to point out that there is currently no evidence to support the claim, posted by the hackers on an internet forum known to be frequented by cyber-criminals, that 120 million account profiles have actually been stolen. All that can be said with any certainty at this stage is that at least some of the quarter of a million profiles exposed by the hackers appear to be genuine. The BBC worked with Digital Shadows, a cybersecurity company specializing in threat intelligence, whose experts confirmed that 81,000 of the profiles contained private messages. The remaining 176,000 accounts also appear to be genuine, but the data they contained, such as email addresses and telephone numbers, could have been scraped from public profiles rather than stolen by the hackers. This kind of 'padding out' of compromised account databases is far from uncommon, as the bigger the database the higher the price it commands; with the teaser advert, which has now been taken down, asking just 10 cents per account, the incentive to inflate the numbers is clear. The BBC Russian Service (most of the accounts belong to Russian and Ukrainian users) did, however, successfully contact five Russian Facebook users whose messages were published in the marketing teaser, and they confirmed that the posts were indeed genuine.
Facebook denies that its security was compromised; instead, the blame appears to fall on malicious browser extensions, and the company states that steps have been taken to prevent any further accounts from being compromised. These steps include contacting browser vendors so that the malicious extensions, as yet unnamed, can be removed from their respective download stores. Law enforcement has also been informed, and the website that hosted the advert for the stolen messages has been taken down.
It's also worth pointing out, without wishing to engage in victim-shaming, that this compromise looks like yet another example of Facebook users opening the door to threat actors by being unable to resist the temptation of some stupid add-on. Who can forget how Cambridge Analytica was able to harvest data from 87 million users simply through Facebook quizzes, including a 'sex compass' questionnaire, that people happily took part in? Of course, the blame doesn't lie with those users, who had no idea their data was being harvested for use in political campaigns. The blame sits firmly on the shoulders of the threat actors themselves, with the browser vendors whose platforms they abuse also having to bear some of that responsibility. Victims are just that. In this case it looks as though they were using a browser extension that appeared innocent enough yet was acting as spyware, collecting data in the background.
It wouldn't be the first time such extensions have been used to steal data from Facebook users. Last year Bleeping Computer reported that the Browse Secure extension for Google Chrome was doing just that in the background while the user performed the encrypted searches it had ostensibly been installed for.
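An extension that harvests private messages "in the background" needs reach the user never thinks about: the right to run on every page, and usually APIs such as cookies and webRequest on top. As an added example that is not part of the original article and not code from any extension it mentions, the script below audits an extension's manifest.json for exactly that reach. The two manifests embedded in it are constructed for illustration, and the permission list, weights and verdict thresholds are this example's own assumptions, not any browser vendor's policy.

```javascript
// Added example: audit a browser-extension manifest.json for the reach a
// data-harvesting extension needs. Manifests below are constructed, not real.

// Match patterns that put the extension on every site the user visits.
const BROAD_HOST_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// API permissions that let an extension observe or alter everything the user
// does (assumed list for this example, not an exhaustive policy).
const SENSITIVE_API_PERMISSIONS = new Set([
  "cookies", "webRequest", "webRequestBlocking", "history", "tabs",
  "clipboardRead", "nativeMessaging", "scripting", "declarativeNetRequest",
]);

// True for "<all_urls>" and for any scheme with a bare "*" host, e.g. "*://*/*";
// false for a specific domain such as "https://*.example.com/*".
function isBroadHostPattern(pattern) {
  if (BROAD_HOST_PATTERNS.includes(pattern)) return true;
  return /^(\*|https?|file|ftp):\/\/\*\//.test(pattern);
}

function auditManifest(manifest) {
  const findings = [];
  const version = manifest.manifest_version || 2;
  const perms = manifest.permissions || [];
  const looksLikeHost = p => p === "<all_urls>" || p.includes("://");
  // MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
  const hostPerms = version >= 3 ? (manifest.host_permissions || []) : perms.filter(looksLikeHost);
  const apiPerms = perms.filter(p => !looksLikeHost(p));
  const scriptMatches = (manifest.content_scripts || []).flatMap(cs => cs.matches || []);

  for (const h of hostPerms.filter(isBroadHostPattern))
    findings.push({ weight: 3, detail: `host permission covers every site: ${h}` });
  for (const m of scriptMatches.filter(isBroadHostPattern))
    findings.push({ weight: 3, detail: `content script injected into every page: ${m}` });
  for (const p of apiPerms.filter(p => SENSITIVE_API_PERMISSIONS.has(p)))
    findings.push({ weight: 1, detail: `sensitive API permission: ${p}` });
  // Explicit reach into facebook.com is worth a line for an extension whose
  // stated purpose (e.g. "private search") has nothing to do with the site.
  for (const m of [...hostPerms, ...scriptMatches].filter(m => /(^|\.)facebook\.com\//.test(m)))
    findings.push({ weight: 1, detail: `explicit reach into facebook.com: ${m}` });

  // Assumed scoring: site-wide reach weighs 3, each sensitive API weighs 1.
  const score = findings.reduce((s, f) => s + f.weight, 0);
  const verdict = score >= 6 ? "high" : score >= 3 ? "medium" : "low";
  return { name: manifest.name, score, verdict, findings: findings.map(f => f.detail) };
}

// Constructed manifest: a helper that only touches the search site it serves.
const BENIGN_MANIFEST = {
  name: "Private Search Helper (constructed)",
  manifest_version: 3,
  permissions: ["storage"],
  host_permissions: ["https://search.example.com/*"],
  content_scripts: [{ matches: ["https://search.example.com/*"], js: ["helper.js"] }],
};

// Constructed manifest: sold as a search helper, but it can read every page,
// every cookie and every request, which is all a message harvester needs.
const SPY_MANIFEST = {
  name: "Secure Search Helper (constructed)",
  manifest_version: 2,
  permissions: ["<all_urls>", "cookies", "webRequest", "webRequestBlocking", "tabs", "storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["collect.js"], run_at: "document_end" }],
};

if (typeof require !== "undefined" && require.main === module) {
  for (const m of [BENIGN_MANIFEST, SPY_MANIFEST]) {
    console.log(JSON.stringify(auditManifest(m), null, 2));
  }
}
```

On a real machine, Chrome keeps each installed extension's manifest.json under the profile's Extensions directory (one folder per extension ID and version), so the same function can be run over every manifest found there; the browser's own extension details page lists the same permissions in plain language. The verdict is a triage aid, not proof: a password manager legitimately needs broad reach, while a "search helper" with `<all_urls>`, `cookies` and `webRequest` is exactly the shape of the extensions this article describes.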