
PSA: Check your browser extensions as private Facebook messages exposed

Rogue browser extensions appear to be responsible for Russian hackers obtaining private messages from as many as 120 million Facebook accounts …

The perpetrators offered the data for sale, posting on a website messages from 81,000 accounts to prove that the hack was real. BBC News contacted a number of Facebook users whose data was exposed, and was able to confirm that it was genuine.

The cyber-security company Digital Shadows examined the claim on behalf of the BBC and confirmed that more than 81,000 of the profiles posted online as a sample contained private messages.

Data from a further 176,000 accounts was also made available, although some of the information – including email addresses and phone numbers – could have been scraped from members who had not hidden it.

The BBC Russian Service contacted five Russian Facebook users whose private messages had been uploaded and confirmed the posts were theirs.

One example included photographs of a recent holiday, another was a chat about a recent Depeche Mode concert, and a third included complaints about a son-in-law. There was also an intimate correspondence between two lovers.

Facebook says its own systems were not breached, and that the data was likely exposed by malicious browser extensions.

“We have contacted browser-makers to ensure that known malicious browser extensions are no longer available to download in their stores,” said Facebook executive Guy Rosen.

“We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts” […]

Independent cyber-experts have told the BBC that if rogue extensions were indeed the cause, the browsers’ developers might share some responsibility for failing to vet the programs, assuming they were distributed via their marketplaces.

While the hack has been confirmed, Digital Shadows does doubt that the attackers obtained data from as many as 120M accounts.

As with apps, the best policy with browser extensions is to only install ones from developers you trust. The specific rogue extensions identified have been removed, but it’s a good time to check your own extensions to make sure you trust the source of each.
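One concrete way to carry out that check is to list which installed extensions declare access to Facebook pages in their `manifest.json`. The sketch below is an added example, not part of the original article: the sample manifests are constructed, the function names are hypothetical, and URL paths in match patterns are ignored for simplicity.

```python
import json

# Constructed sample manifests (not real extensions), standing in for the
# manifest.json files found in a browser profile's extensions directory.
SAMPLE_MANIFESTS = [
    '{"name": "Tab Tidy", "manifest_version": 3, "permissions": ["tabs", "storage"]}',
    '{"name": "Quick Translate", "manifest_version": 2, "permissions": ["<all_urls>", "storage"]}',
    '{"name": "Chat Themes", "manifest_version": 3, "host_permissions": ["https://*.facebook.com/*"]}',
    '{"name": "News Reader", "manifest_version": 3,'
    ' "content_scripts": [{"matches": ["https://news.example/*"], "js": ["r.js"]}]}',
]

def pattern_covers(pattern, host):
    """True if a match pattern grants access to https pages on `host` (path ignored)."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False  # an API permission such as "tabs", not a host pattern
    scheme, rest = pattern.split("://", 1)
    if scheme not in ("*", "https"):
        return False
    pat_host = rest.split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):  # wildcard covers the domain and its subdomains
        base = pat_host[2:]
        return host == base or host.endswith("." + base)
    return host == pat_host

def declared_patterns(manifest):
    """Host patterns from MV2 'permissions', MV3 'host_permissions' and content scripts."""
    pats = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return [p for p in pats if isinstance(p, str)]

def audit(manifest_texts, host):
    """Return (extension name, matching patterns) for each extension that can reach `host`."""
    findings = []
    for text in manifest_texts:
        manifest = json.loads(text)
        hits = sorted({p for p in declared_patterns(manifest) if pattern_covers(p, host)})
        if hits:
            findings.append((manifest.get("name", "?"), hits))
    return findings

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_MANIFESTS, "www.facebook.com"):
        print(f"{name}: can read pages on www.facebook.com via {hits}")
```

An extension flagged this way is not necessarily malicious; it is one whose source you should be sure you trust.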




Ben Lovejoy
