Bogonil Shopov, a Bulgarian blogger, says that he has managed to purchase the data of 1 million Facebook users for a mere $5 – a pittance for email marketers and spammers. The data was sold on a site called “Gigabucks”, and so far the Facebook IDs have seemed legitimate, so the Facebook security team promptly contacted Bogonil.
According to Bogonil, Facebook wanted to keep their conversation “a secret”. Here’s an extract of the Facebook email he published on his blog: “Now we would like you to send us this file, delete it, tell us if you have given a copy of it to someone, give us the website from which you bought it including all transactions with it and the payment system and remove a couple of things from your blog. Oh and by the way, you are not allowed to disclose any part of this conversation; it is a secret that we are even having this conversation.”
How was the data gathered? According to the seller, it was done through apps – which would be the easiest way to do so. It is easy to be tricked into accepting an app in order to see some content that a “friend” recommended to you, and scammers have proven to be very creative in using the latest viral events to fool people into installing an app.
If you are using Facebook apps, you have to be very vigilant when accepting new ones. You can also go to “Privacy Settings > Ads, apps and Websites > Edit Settings > How people bring your info to apps they use” and make tweaks there. Be safe!
Update: Facebook has contacted Ubergizmo to say that the company is investigating this matter vigorously and to make clear that once they have identified the person(s) responsible for this, they will press criminal charges. In the meantime, its security team is working furiously to get to the bottom of this. Here is a statement that we got from a Facebook representative:
“Facebook is vigilant about protecting our users from those who would try to expose any form of user information. In this case, it appears someone has attempted to scrape information from our site. We have dedicated security engineers and teams that look into and take aggressive action on reports just like these. We continue to investigate this specific individual.”
A noteworthy detail: Facebook used the word “scraping” here, which tends to be used when public data is gathered automatically, but with the security investigation still underway, the idea that this data came from one or more apps cannot be excluded. In any case, this is a reminder that when you connect to an app for the first time, there is a list of privileges that you grant to it. Many people don’t pay attention to that list, but you should. Look at this Facebook privacy tutorial.