It appears that browser extensions developed by Russian hackers are responsible for harvesting private messages from up to 120 million Facebook accounts.
The perpetrators told the BBC Russian Service that they had details from a total of 120 million accounts, which they were attempting to sell, although there are reasons to be skeptical about that figure.
Facebook said its security had not been compromised and that the data had probably been obtained through malicious browser extensions.
BBC News says it contacted a number of Facebook users who had data exposed, and the publication was able to confirm that the hack was real.
The cyber-security company Digital Shadows examined the claim on behalf of the BBC and confirmed that more than 81,000 of the profiles posted online as a sample contained private messages.
Data from a further 176,000 accounts was also made available, although some of the information – including email addresses and phone numbers – could have been scraped from members who had not hidden it.
The BBC Russian Service contacted five Russian Facebook users whose private messages had been uploaded and confirmed the posts were theirs.
One example included photographs of a recent holiday, another was a chat about a recent Depeche Mode concert, and a third included complaints about a son-in-law. There was also an intimate correspondence between two lovers.
For its part, Facebook says its own systems were not breached, and that malicious browser extensions were likely responsible.
“We have contacted browser-makers to ensure that known malicious browser extensions are no longer available to download in their stores,” said Facebook executive Guy Rosen.
“We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts” […]
Independent cyber-experts have told the BBC that if rogue extensions were indeed the cause, the browsers’ developers might share some responsibility for failing to vet the programs, assuming they were distributed via their marketplaces.
Although Digital Shadows confirmed the hack, it expressed doubts that data was stolen from up to 120 million Facebook users, since Facebook would be unlikely to have missed such a large data breach.