Security researcher Bob Diachenko discovered 267 million Facebook profiles being sold on dark web sites and hacker forums for over $600 apiece. Diachenko uncovered the stolen account credentials for sale last month. However, none of the records include passwords; they instead contain information that could allow attackers to conduct spear-phishing or SMS attacks.
Diachenko found an open Elasticsearch database that contained the records, most of which included information on US users. The records included a full name, phone number, and a unique Facebook ID. The ISP hosting the database has since taken it offline after being contacted by Diachenko. However, a new server containing the same data plus an additional 42 million records was found and promptly attacked by threat actors, who left a message warning owners to secure their servers.
Read More: 267 million Facebook profiles sold for $600 on the dark web