Facebook Blames ‘Malicious Browser Extensions’ for Thousands of Leaked Private Messages

Social network says its security system hasn’t been breached, but that it’s working with law enforcement to thwart hackers

Facebook said on Friday that the release of thousands of private user messages wasn’t the result of a hack of its security system, but rather was due to “malicious browser extensions.”

According to a BBC report Friday, hackers were offering to sell private messages for 10 cents apiece. The hackers said they had access to 120 million accounts, but cybersecurity firm Digital Shadows, working for the BBC, was only able to confirm 81,000 profiles had been breached.

“Based on our investigation so far, we believe this information was obtained through malicious browser extensions installed off of Facebook,” Guy Rosen, vice president of Product Management, said in a statement to TheWrap. “We have contacted browser makers to ensure that known malicious extensions are no longer available to download in their stores and to share information that could help identify additional extensions that may be related.”

A Facebook rep did not name specific malicious browser extensions when asked by TheWrap, saying the company’s internal investigation was still ongoing. A malicious browser extension runs inside the user’s browser with access to the pages they load, so it can capture whatever a user is seeing on their screen. In other words, Facebook is saying the private messages were lifted by hackers reading someone’s screen through an extension, rather than through a direct breach of its security system.

The rep added that most of the accounts impacted were from central and eastern Europe and that Facebook has a page dedicated to helping users remove malicious extensions.

The BBC contacted five users who confirmed the hacked private messages were theirs. All five users were from Russia. One of the private messages included vacation pictures, while another discussed a Depeche Mode concert, and a third included an “intimate correspondence between two lovers,” according to the BBC.

“We encourage people to check the browser extensions they’ve installed and remove any that they don’t fully trust,” Rosen said, adding that Facebook has contacted law enforcement and “local authorities” to remove the website displaying the private messages. “As we continue to investigate, we will take action to secure people’s accounts as appropriate.”
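Rosen’s advice to check installed extensions is easier to follow when the check is mechanical: an extension’s manifest declares which sites it may read and which browser APIs it may use, and an extension that can inject scripts into every Facebook page (or every page) is exactly the kind that could have read the messages described above. The script below is an added example for this article, not code from Facebook, the BBC or any browser vendor. It assumes the Chrome/Chromium profile layout `<profile>/Extensions/<id>/<version>/manifest.json` and uses constructed sample manifests (labelled as such) so it runs offline; the `watch_host` default of `www.facebook.com` is an assumption that any site can be substituted for.

```python
"""Audit browser-extension manifests for permissions that let an extension
read page content. Added example; not Facebook's, the BBC's or any browser
vendor's code. Assumed Chrome/Chromium profile layout:
    <profile>/Extensions/<extension id>/<version>/manifest.json
"""
import json
import os
import sys

# API permissions that give an extension visibility into browsing activity
# or page content beyond a single site (Chrome permission names).
SENSITIVE_API_PERMISSIONS = {
    "tabs", "webRequest", "webRequestBlocking", "webNavigation",
    "scripting", "cookies", "history", "debugger", "clipboardRead",
}


def split_host_pattern(pattern):
    """Return (scheme, host) for a match pattern, or None if `pattern`
    is a plain API permission such as "storage"."""
    if pattern == "<all_urls>":
        return ("*", "*")
    if "://" not in pattern:
        return None
    scheme, rest = pattern.split("://", 1)
    return (scheme, rest.split("/", 1)[0])


def pattern_covers(pattern, hostname):
    """True if the match pattern grants access to pages on `hostname`.
    "*.example.com" covers example.com and its subdomains only."""
    parsed = split_host_pattern(pattern)
    if parsed is None:
        return False
    host = parsed[1]
    if host == "*":
        return True
    if host.startswith("*."):
        base = host[2:]
        return hostname == base or hostname.endswith("." + base)
    return hostname == host


def is_broad(pattern):
    """True for patterns that cover every host ("<all_urls>", "*://*/*")."""
    parsed = split_host_pattern(pattern)
    return parsed is not None and parsed[1] == "*"


def assess_manifest(manifest, watch_host="www.facebook.com"):
    """Summarise what a manifest lets the extension see and flag it for
    review if it can read every site, the watched site, or sensitive APIs."""
    hosts, apis = set(), set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            if not isinstance(entry, str):  # e.g. {"usbDevices": [...]}
                continue
            (hosts if split_host_pattern(entry) else apis).add(entry)
    for script in manifest.get("content_scripts", []):
        hosts.update(m for m in script.get("matches", []) if isinstance(m, str))
    report = {
        "name": manifest.get("name", "<unnamed>"),
        "broad_hosts": sorted(h for h in hosts if is_broad(h)),
        "covers_watch_host": any(pattern_covers(h, watch_host) for h in hosts),
        "sensitive_apis": sorted(apis & SENSITIVE_API_PERMISSIONS),
    }
    report["needs_review"] = bool(
        report["broad_hosts"] or report["covers_watch_host"] or report["sensitive_apis"]
    )
    return report


def scan_profile(profile_dir, watch_host="www.facebook.com"):
    """Walk an installed profile and assess every extension version found."""
    reports = []
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return reports
    for ext_id in sorted(os.listdir(ext_root)):
        ext_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version in sorted(os.listdir(ext_dir)):
            path = os.path.join(ext_dir, version, "manifest.json")
            if not os.path.isfile(path):
                continue
            try:
                with open(path, encoding="utf-8") as fh:
                    manifest = json.load(fh)
            except (OSError, ValueError):
                continue
            report = assess_manifest(manifest, watch_host)
            report.update(id=ext_id, version=version)
            reports.append(report)
    return reports


# Constructed sample manifests (not real extensions): one that only stores
# settings, and one that injects a script into every Facebook page and can
# read every tab, which is the profile a message-stealing extension would have.
SAMPLE_MANIFESTS = {
    "notes_helper": {"manifest_version": 3, "name": "Notes Helper",
                     "permissions": ["storage"]},
    "page_grabber": {"manifest_version": 2, "name": "Page Grabber",
                     "permissions": ["tabs", "<all_urls>"],
                     "content_scripts": [{"matches": ["*://*.facebook.com/*"],
                                          "js": ["grab.js"]}]},
}


def audit_samples():
    return {key: assess_manifest(m) for key, m in SAMPLE_MANIFESTS.items()}


if __name__ == "__main__":
    # With a profile path on the command line, audit the real installation;
    # otherwise show the verdicts for the constructed samples.
    results = scan_profile(sys.argv[1]) if len(sys.argv) > 1 else audit_samples().values()
    for r in results:
        print(("REVIEW " if r["needs_review"] else "ok     ") + json.dumps(r))
```

Run it with no arguments to see the two sample verdicts, or pass a profile directory (for example the `Default` folder under a Chrome user-data directory) to list every installed extension that can read all sites, the watched site, or sensitive APIs. A flagged extension is not necessarily malicious, but it is the set worth comparing against what the user actually installed on purpose.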

Facebook last month announced up to 30 million profiles were vulnerable to a breach of its security system.

The 30 million users that were hit fell into three separate groups. There were 15 million users who had their name and contact info — either their phone number, email, or both, for some users — grabbed by the attackers. Another 14 million had their names and contact info lifted, as well as their “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow” and their “15 most recent searches,” according to Rosen. The remaining 1 million vulnerable users did not have their information compromised by the attack.