Over the weekend, researchers at cybersecurity intelligence firm Cyble came across a database with 267m Facebook user profiles being sold on the Dark Web.

Looking to verify the records and add them to the firm’s breach notification service, the researchers bought it … for the grand total of £500.

That works out to USD $540 or about 0.0002 cents per record. The records held Facebook users’ IDs, which are unique, public numbers associated with specific accounts that can be used to figure out an account’s username and other profile info. The records also included full names, email addresses, phone numbers, timestamps for last connection, relationship status and age.

Fortunately, there were no passwords exposed, but the breach still forms a perfect tool kit for an email or text phishing campaign that looks like it’s coming from Facebook itself. If enough users get fooled into clicking on spearphishers’ rigged links, it could lead to the exposure of even more, and more valuable, data.

How did the data get leaked? In a blog post, Cyble said that it doesn’t know, but its researchers suspect that the records could have come either from a leak in Facebook’s developer API or from scraping: the automated harvesting of publicly available data (like the kind people often post openly on Facebook and other social networks).

It keeps popping up

The story doesn’t stop there, however. In fact, it doesn’t begin there, either. It turns out that this same database had surfaced before: it was spotted by security researcher Bob Diachenko, taken down by the ISP hosting it, reappeared fattened up with another 42 million records in an Elasticsearch cluster on a second server, and was then wiped by unknown actor(s) who replaced the personal info with dummy data and swapped in database names carrying this advice: “please_secure_your_servers”.

Diachenko partnered with the tech comparison site Comparitech on this work last month. Comparitech said that the database was exposed for nearly two weeks, available online with no password protection, before it was taken down.
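Both exposures came down to the same failure mode: an Elasticsearch cluster reachable from the internet with no authentication in front of it, which is exactly what scanning services such as BinaryEdge index. The following Python script is an added example, not code from Cyble, Comparitech or Diachenko: it sends the two unauthenticated requests a scanner would send (GET / and GET /_cat/indices) to a host you own, and reports whether authentication is enforced or whether anyone can list the data. The host name, index names and document counts in the embedded sample responses are constructed for illustration, not captured from the server in the story.

```python
import json
import sys
import urllib.error
import urllib.request

# Constructed sample responses, shaped like what an unauthenticated
# Elasticsearch node returns for GET / and GET /_cat/indices?format=json.
# Index names and counts are illustrative only (the zero-document index is
# named after the message the unknown actors left behind).
SAMPLE_ROOT_OPEN = {
    "name": "node-1",
    "cluster_name": "elasticsearch",
    "version": {"number": "7.6.0"},
    "tagline": "You Know, for Search",
}
SAMPLE_INDICES_OPEN = [
    {"index": "profiles", "docs.count": "267140436", "store.size": "42gb"},
    {"index": "please_secure_your_servers", "docs.count": "0", "store.size": "208b"},
]


def classify(root_status, root_body, idx_status, idx_body):
    """Turn the two probe results into a verdict.

    401/403 on both requests means a proxy or X-Pack security is enforcing
    authentication. A 200 on GET / with the 'tagline' field leaks node and
    version info. A 200 on _cat/indices means anyone can list the indices,
    and therefore read, overwrite or delete their contents.
    """
    auth_enforced = root_status in (401, 403) and idx_status in (401, 403)
    node_info_exposed = (
        root_status == 200 and isinstance(root_body, dict) and "tagline" in root_body
    )
    indices_exposed = idx_status == 200 and isinstance(idx_body, list)
    names = [i.get("index") for i in idx_body] if indices_exposed else []
    # docs.count is a string in the _cat API and may be missing for closed indices
    total_docs = (
        sum(int(i.get("docs.count") or 0) for i in idx_body) if indices_exposed else 0
    )
    return {
        "auth_enforced": auth_enforced,
        "node_info_exposed": node_info_exposed,
        "indices_exposed": indices_exposed,
        "indices": names,
        "total_docs": total_docs,
    }


def _get(url, timeout):
    """GET url with no credentials; return (status, parsed JSON or None)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return err.code, None


def probe(base_url, timeout=5.0):
    """Probe one node (e.g. http://es.example.internal:9200) you are authorised to test."""
    base = base_url.rstrip("/")
    root_status, root_body = _get(base + "/", timeout)
    idx_status, idx_body = _get(base + "/_cat/indices?format=json", timeout)
    return classify(root_status, root_body, idx_status, idx_body)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        verdict = probe(sys.argv[1])
    else:
        # Offline demonstration against the constructed sample responses
        verdict = classify(200, SAMPLE_ROOT_OPEN, 200, SAMPLE_INDICES_OPEN)
    print(json.dumps(verdict, indent=2))
```

If `indices_exposed` comes back true on a host you own, the fixes are the standard ones: set `network.host` to an internal address rather than `0.0.0.0`, firewall ports 9200 and 9300 from the internet, and enable authentication (`xpack.security.enabled: true`, which is included in the free tier of Elasticsearch 6.8 and later). A reverse proxy that only hides GET / while leaving `_cat` and `_search` open will still show up as exposed here, which is the point of probing both paths.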

The timeline

This is what happened when, Comparitech says:

4 December 2019: Database first indexed by search engines.

12 December 2019: The data was posted as a download on a hacker forum.

14 December 2019: Diachenko discovered the database and immediately sent an abuse report to the ISP managing the IP address of the server.

19 December 2019: Access to the database was removed.

2 March 2020: A second server containing identical records plus an additional 42 million was indexed by search engine BinaryEdge.

4 March 2020: Diachenko discovered the second server and alerted the hosting provider.

4 March 2020: The server was attacked and destroyed by unknown actors.

The initial exposure involved 267,140,436 records belonging mostly to Facebook users in the US. Diachenko said that all of the records seemed to be valid. The same 267m records reappeared on the second server, a US-hosted Elasticsearch instance, in March 2020, this time accompanied by an additional 42 million records.