The Internet is abuzz with the announcement from Verisign’s iDefense Labs that a criminal hacker on a Russian forum who goes by the nom-de-plume "Kirllos" (Carlos?) is selling the credentials for 1.5 million Facebook accounts in batches of a thousand for between $8 and $30, depending upon their quality (which, in this case, means how much additional information accompanies each account: dates of birth, mobile phone numbers, number of friends, geographic locations and so forth).

Once they have the usernames and passwords of Facebook users, criminals can engage in a variety of criminal activities, ranging from luring the users’ friends to malicious web sites to impersonating the account holder in order to steal money.  If the stolen passwords were reused to register for other online services, such as email, financial institutions, online shops and so forth, the breach could ripple outwards into a series of secondary account compromises.
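The ripple effect described above is something the operator of any other service can check for once a credential batch becomes public: hash each leaked plaintext password with the salt stored for the matching account and see whether it equals the stored hash. The following is an added example written for this post, not code from the author or from Facebook; the leaked batch, the accounts, the service names and the PBKDF2 work factor are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample of a leaked credential batch (email, plaintext password), of the kind
# described in the post. These are made-up values, not real accounts.
LEAKED_DUMP = [
    ("alice@example.com", "Summer2010"),
    ("bob@example.com", "12345"),
    ("carol@example.com", "Summer2010"),
]

PBKDF2_ITERATIONS = 50_000  # assumed work factor; a real service would tune this higher


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the kind of hash a service stores instead of the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_account(email: str, service: str, password: str) -> dict:
    """Build a stored account record with a per-account random salt; the plaintext is discarded."""
    salt = os.urandom(16)
    return {"email": email, "service": service, "salt": salt, "hash": hash_password(password, salt)}


def find_reused_credentials(leaked, accounts):
    """Return [(email, service)] for accounts whose stored hash matches a leaked password
    for the same e-mail address. Non-matching accounts reveal nothing to the checker."""
    leaked_by_email = {}
    for email, password in leaked:
        leaked_by_email.setdefault(email.lower(), []).append(password)

    at_risk = []
    for acct in accounts:
        for password in leaked_by_email.get(acct["email"].lower(), []):
            # Hash the leaked plaintext with this account's own salt and compare in constant time.
            candidate = hash_password(password, acct["salt"])
            if hmac.compare_digest(candidate, acct["hash"]):
                at_risk.append((acct["email"], acct["service"]))
                break
    return at_risk


def demo():
    # Constructed accounts held by a second service: alice reused her leaked password for
    # webmail; bob and carol used different passwords there.
    accounts = [
        make_account("alice@example.com", "webmail", "Summer2010"),
        make_account("Bob@example.com", "bank", "correct-horse-battery-staple"),
        make_account("carol@example.com", "shop", "a different passphrase"),
    ]
    return find_reused_credentials(LEAKED_DUMP, accounts)


if __name__ == "__main__":
    for email, service in demo():
        print(f"force a password reset: {email} on {service}")
```

Only accounts whose e-mail address appears in the leak are tested, and only against the passwords leaked for that address, so the check costs one hash per leaked pair rather than a sweep of the whole user base. The matches are exactly the accounts to reset proactively, before the buyers of the batch get around to trying them.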

Facebook claims to have over 400 million users, so 1.5 million accounts is well under half a percent of them; but 1.5 million of anything is a large number, and it remains to be seen whether so many accounts have indeed been breached or whether Kirllos the criminal hacker is perhaps running an audacious scam on fellow fraudsters.

What is interesting to me is how so many accounts may have been breached.  As of the writing of this blog entry, we have yet to hear from Facebook on the matter, but the sheer volume of accounts implies something more than simple organic theft via keystroke logging, password stealers or other bot-deployed malware.  Whether the result of a data breach caused by insufficient security settings, a targeted attack on Facebook employees or insider action, the post-mortem on this will, no doubt, make for fascinating reading.

Regardless of the outcome, it would probably be a good time to change your Facebook account’s password.  My esteemed colleagues Randy Abrams and David Harley have discussed the importance of good password practices extensively, and I’d like to highlight some of my favorite articles from them:

Blog entries by Randy Abrams: Does Your Email Account Give Me Access To Your Bank Account?, Honesty is not The Best Policy for Password Resets, Password Mythology and 12345 Oh My!

Blog entries by David Harley: Password Practice Revisited and Good Password Practice: Not the Golden Globe Award

Both:  Keeping Secrets: Good Password Practice (white paper, PDF format)

We also had a great guest blog contributed from Securing Our eCity: Good Practices for Facebook Newbies (which also has an excellent white paper on password selection here) and an earlier entry I wrote for ESET's Threat blog, Armor for Social Butterflies.

Regards,

Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher