Slashdot Mirror

← Back to Stories (view on slashdot.org)

Russian Hacker Selling 1.5M Facebook Accounts

Posted by Soulskill on from the army-of-pokes dept.

Sir Codelot writes "A hacker who calls himself Kirllos has obtained and is now offering to sell 1.5 million Facebook IDs at astonishingly low prices — $25 per 1,000 IDs for users with fewer than 10 friends and $45 per 1,000 IDs for users with more than 10 friends. Looking at the numbers, Kirllos has stolen the IDs of one out of every 300 Facebook users. Quoting: 'VeriSign director of cyber intelligence Rick Howard told the New York Times that it appeared close to 700,000 had already been sold. Kirllos would have earned at least $25,000 from the scam. Howard told the newspaper that it was not apparent whether the accounts and passwords were legitimate, but a Russian underground hacking magazine reported it had tested some of Kirllos' previous samples and managed to get into people's accounts.'"

29 of 193 comments (clear)

  1. Translation by eldavojohn · · Score: 5, Insightful

    Looking at the numbers, Kirllos has stolen the IDs of one out of every 300 Facebook users.

    Translation: it might not be a bad time to change your password if you use Facebook.

    --
    My work here is dung.
    1. Re:Translation by Bergs007 · · Score: 5, Insightful

      Actually... what this means is that you should change your banking passwords. It appears that what they are trying to do is use Facebook login credentials to go and see if there are any associated bank accounts with the same login information.

    2. Re:Translation by pitchpipe · · Score: 4, Insightful

      Translation: it might not be a bad time to change your password if you use Facebook.

      Actually... what this means is that you should change your banking passwords.

      Actually... what this means is that you shouldn't use the same password for more than one site. You should use an app that is encrypted and password protected to store all of your login info.

      --
      Look where all this talking got us, baby.
    3. Re:Translation by human+spam+filter · · Score: 4, Interesting

      Being from Europe I was pretty surprised when I came to the US and learned that virtually all* banks use ordinary passwords for online banking.. *the ones I know of: Citi, Bank of America, US Bank

    4. Re:Translation by tomhudson · · Score: 4, Interesting
      1. Write script to make a million face facebook accounts, friend each other at random
      2. Sell fake accounts.
    5. Re:Translation by __aaclcg7560 · · Score: 4, Funny

      Basically make everything the fault of the victim even if it's clearly not their fault.

      And charge a fee. Remember, in the financial industry, you're criminally stupid if you don't make money off the mistakes of those around you. That's American capitalism for you.

    6. Re:Translation by Hurricane78 · · Score: 4, Funny

      As if you needed a password to get the data of a Facebook account...
      Dude, just ask Zuckerberg nicely. You’re by far not the first one he sold account data out to.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    7. Re:Translation by tixxit · · Score: 3, Insightful

      Meh. I maintain separate passwords for my bank, paypal, and a select few other sites. All others gets a default password. If someone hacks my Slashdot account, I'll create a new one. Not a huge deal. Really, the ideal is just for everyone to move to OpenID.

    8. Re:Translation by halcyon1234 · · Score: 3, Insightful

      Looking at the numbers, Kirllos has stolen the IDs of one out of every 300 Facebook users.

      Translation: it might not be a bad time to change your password if you use Facebook.

      If Facebook was concerned about the safety of their users, why not just go UPDATE users SET must_reset_password = 1; Throw a reCaptcha onto the reset page, too, so the "hacker" can't automate that process.

      Of course there's a fatal flaw in my plan. "If Facebook was concerned about the safety of their users..."

      --
      UTF-8: There and Back Again
    9. Re:Translation by The+Snowman · · Score: 4, Insightful

      Actually... what this means is that you shouldn't use the same password for more than one site. You should use an app that is encrypted and password protected to store all of your login info.

      Suggestions?

      Password Safe.

      --
      24 beers in a case, 24 hours in a day. Coincidence? I think not!
    10. Re:Translation by xZgf6xHx2uhoAj9D · · Score: 3, Insightful

      If you're too lazy to actually come up with unique passwords for each site and you happen to have OpenSSL installed (who doesn't?), you can automatically figure out all your passwords only having to remember one.

      Come up with a base password, for the sake of argument let's say ABCDEF. For each site, append the name of the site to your base password. E.g., for Slashdot, it's ABCDEFslashdot. "echo ABCDEFslashdot | openssl sha1" yields your password of 040b6c2fb4d5858ad21810deb8e9ee2eb804e2a7. From that password it is intractable to determine what your base password was and hence what your other passwords are.

      Some sites require special characters or, even worse, have maximum password lengths (which would suggest they're storing your password in plaintext, yikes). Fuck those sites.

    11. Re:Translation by Gilmoure · · Score: 4, Funny

      Dude! Five digit ID. I am not losing my slashdot account!

      --
      I drank what? -- Socrates
  2. I'll take them by kyrio · · Score: 5, Funny

    I can increase the size of my friend network and be the biggest star on the net!

  3. NOOO! by Anonymous Coward · · Score: 3, Funny

    What is going to happen to my beautiful farm :(

  4. Great PoE by BountyX · · Score: 4, Insightful

    I'm suprised they are not worth more since they represent a great point of entry for social attacks. Think Personalized spam (i.e. "Hey John, I think Laura wanted you to buy this for the concert you are attending next week"), targeted dictionaries, localized phising (i.e. location data deploys phising to compromised machines near you). Once you break a single friend in the "network" you gain additional information to everyone in that scope, so the return on entry is very promosing. An attacker can begin profiling ideal targets in the guise of friends. Ah, so many possibilties. Such a gold mine.

    --
    Trying to install linux on my microwave, but keep getting a kernel panic...
    1. Re:Great PoE by Bigjeff5 · · Score: 3, Interesting

      The wonderful thing about his product though, is that he can keep selling it even after he has sold it.

      He doesn't have 1.5 million accounts to sell once, he has 1.5 million accounts to sell over and over and over. He may only be able to get $50k for the lot, but he can sell them all a dozen times. Depending on if they catch him or not, and how effective they are at getting people to change their passwords (the only way to make the accounts worthless), this guy could make half a million dollars or more pretty easily.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    2. Re:Great PoE by phillips321 · · Score: 4, Funny

      The wonderful thing about his product though, is that he can keep selling it even after he has sold it.

      He doesn't have 1.5 million accounts to sell once, he has 1.5 million accounts to sell over and over and over. He may only be able to get $50k for the lot, but he can sell them all a dozen times. Depending on if they catch him or not, and how effective they are at getting people to change their passwords (the only way to make the accounts worthless), this guy could make half a million dollars or more pretty easily.

      Not if I'm the first to buy them and change the passwords on the accounts....

    3. Re:Great PoE by Anonymous Coward · · Score: 3, Interesting

      Yes, but that would make the accounts worthless pretty quickly. The "value" of the account is that both the buyer and the actual account owner know the password. So it looks like a completely legitimate thing when the buyer (pretending to be the actual account owner) sends messages to the account owners "friends" asking them to go to certain sites, run certain "cool" programs, etc. The value goes down pretty quickly if the original owner is locked out by a password change and tells all their "friends" that they can't get in to Facebook anymore and had to make a new account. It makes any messages coming from that old account pretty suspicious even to the average idiot user.

    4. Re:Great PoE by timeOday · · Score: 3, Funny

      He may only be able to get $50k for the lot, but he can sell them all a dozen times.

      Are you impugning the dignity of this entreprenuer? A man's word is his bond, and the most valuable asset he possesses. I'd be surprised if he isn't contacting legal counsel to initiate legal action against you for defamation of character as we speak!

  5. Koobface by fineous+fingers · · Score: 3, Informative

    Hmm, maybe 1 out of every 300 Facebook users' computers is infected with Koobface......
    http://news.cnet.com/8301-1009_3-20002112-83.html

  6. Play with fire by Becausegodhasmademe · · Score: 5, Insightful

    According to the Facebook statistics page the average account has 130 friends. If 1 in 300 accounts are compromised and you have circa 130 friends then the odds are quite high that the personal data you have "only available to friends" is going to become available to some fairly unfriendly people shortly.

    Reminds me of the evertrue saying 'play with fire and you'll get burnt'. I have always been mindful of the threat FB poses to my privacy and have completely closed down my account several times, but keep giving in and going back due to peer pressure from family & friends. This time I'm killing it off for sure. No organization, be it governmental or corporate should have control over so much of an individuals personal data.

    1. Re:Play with fire by Anonymous Coward · · Score: 3, Informative

      For those of you who don't know how to leave Facebook... http://www.facebook.com/help/contact.php?show_form=delete_account

    2. Re:Play with fire by Ron+Bennett · · Score: 3, Informative

      No one forces you to fill in all the information. Just have a page with your name on it if friends and family want you to have one. Just leave blank all the other sections. Then you have no problems with your personal information.

      Wrong! This is one of the biggest misconceptions people have. The true value isn't one's profile per se, but who one's "friends" are and the various interactions between them.

      Unless your friends are all strangers who know little about you, your personal information is likely more exposed on Facebook than you realize. Often I see instances of a parent, sibling, in-laws, significant other, etc post personal details on one's Facebook wall, gallery, etc that are often visible to others on one's friend list, and even often to friends of friends too.

      And that's not even getting into the issue of rogue friends, which can easily sneak in to gather information; among the value of stealing FB IDs ... it's not always about getting passwords, but rather collecting data for other uses, such as, spear-phishing / more targeted attacks - learning one's security questions they have setup on say a banking site.

      Ron

  7. FB has been quite liberal with users' privacy by blind+biker · · Score: 4, Informative

    ...and yet, time after time, FB users ignored the abuse and kept on using the service. I really have little sympathy for such blatant and above all, stubborn disrespect for one's own security. And for what? To have "virtual friends"? To "keep in touch"? Both friends, conversing and socializing are more fulfilling when done in some of the more traditional ways.

    --
    "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    1. Re:FB has been quite liberal with users' privacy by Anonymous Coward · · Score: 4, Insightful

      You know, I really despise these "High and mighty" posts about how all FB users are irresponsible idiots. There are a number of great uses for Facebook, and many of us actually PREFER to be contacted via facebook by our friends, rather than the endless deluge of phone calls and text messages. If you're having a get-together, I'd much rather you invite me on FB than tell me in person, because chances are, I'm going to forget. And I don't really see the point of the privacy crap either. I only put information on a social site that I'm comfortable sharing socially. I don't get it.

    2. Re:FB has been quite liberal with users' privacy by Haeleth · · Score: 3, Insightful

      Both friends, conversing and socializing are more fulfilling when done in some of the more traditional ways.

      Like what? Email, so my messages can get lost in the sea of spam? Phoning, during the roughly 1 hour each day when both I and my overseas friends are awake and at home, and they're exhausted after a long day and I'm rushing to get off to work? Maybe I should just hop on a plane every weekend to meet people face to face -- I'm sure that would be a fulfilling use of my time and money!

      Sorry, but services like Facebook fill an important gap that nothing else really caters for. If you don't like it, think of something better, but don't go round bashing it just because you personally have never moved out of your home town or made any friends who lived more than a street away.

    3. Re:FB has been quite liberal with users' privacy by rliden · · Score: 3, Insightful

      I have a FB account. I have reestablished contact with old friends and very distant family members I didn't otherwise have contact with. The alternative to finding someone you have lost contact with (if your other close family and friends don't know where someone is or how to contact them) is by searching Google and hoping you find a reasonable match. Even then most sites that find a person for you want an idiotic amount of money and a buy in to their scam service to get the contact info. Then there isn't a guarantee that it is the right person or the contact info is still relevant.

      People do use FB for more than asking someone to fertilize their crops or signing some mob-mentality world solving petition. It's possible to use social networking in a responsible manner. Facebook does seem to have a blatant disregard for their users and it's possible that a better service will come along and people will move to it. Another point condescending pedants might be missing is the exposure of security and privacy risks can help to educate people who might not otherwise even know about them. That is, just because people aren't using social networking doesn't make them any more safe on the internet. There were plenty of online scams and security risks before social networking; at least now people can communicate the nature of them and educate users how to safeguard themselves. One of the first things I did after seeing that CBS news story is post it on FB so that people could change their FB and email password info.

      --
      Don't think of it as a flame, more like an argument that does 3d6 fire damage.
  8. Re:Can someone please tell me... by larry+bagina · · Score: 5, Funny

    1. collect facebook ids
    2. ???
    3. profit!

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  9. Don't hate the players... by msimm · · Score: 3, Insightful

    ...Don't hate the players hate the game dawg!

    Facebook users aren't security experts, they're family members, friends and loved ones. You remember those, right?

    Living in my IT bubble in San Diego it was easier for me to bag on Facebook and 'look down' on it's users but now that I'm unemployed and living temporarily with family I seen how useful it is for them to keep in touch with friends and relatives in a way that letters or email simply can't emulate.

    Besides, if we really thought Facebook was that bad instead of bitching about it we'd be the talent pool responsible for creating a better alternative (unless you believe that only venture-funded MBAs can take on such a technological challenge). For instance, I've never liked any of the popular/available dating sites, so what do you think I'm doing while I learn Mongodb in my free time?

    --
    Quack, quack.