What Spammers Could Do With Your Hacked Facebook Data

A new report suggests that spammers, not nation states, may have been behind the Facebook hack. That could be even worse news.
Image may contain Furniture Table Human Person Computer Keyboard Electronics Computer Hardware Keyboard and Computer
Employees work inside the 'War Room' ahead of Brazil's runoff election at Facebook Inc. headquarters in Menlo Park, California, U.S., on Wednesday, Oct. 17, 2018.David Paul Morris/Getty Images

When Facebook announced at the end of September that it had suffered a data breach that ultimately affected 30 million accounts, it seemed, perhaps, like the work of sophisticated nation state hackers. But a new report from The Wall Street Journal suggests spammers as the culprit instead. That shouldn't make you feel that much better, though, given just how much damage criminals can do with the kind of information stolen from Facebook.

It was, after all, a lot. The sophisticated daisy chain attack that the hackers pulled off garnered the names, phone numbers, and email of 15 million Facebook users. Fourteen million more had their username, date of birth, gender, devices they used Facebook on, and language settings compromised at the very least. Hackers could also have gleaned relationship status, religion, hometown, current city, work, and education info, depending on how fully victims had filled out their profile, along with the 10 most recent locations they checked into or were tagged in, and their 15 most recent Facebook searches. (Here's how to find out if you were affected, and how badly.)

All of which becomes particularly dangerous in the hands of spammers.

"Having accurate, detailed data, and a large amount of data, makes spamming campaigns more profitable," says Jérôme Segura, lead malware intelligence analyst at the network defense firm Malwarebytes. "And this Facebook data is very unique. It has a lot of value, because it's from people supplying the information genuinely and saying 'I checked in at this hotel or here are some of my interests.' It's a priceless database trove for marketers."

For now, Facebook won't weigh in publicly on who was behind the attack. Guy Rosen, the social network's vice president of product management said repeatedly in a call with reporters last week that, “The FBI is actively investigating and have asked us not to discuss who may be behind this attack.” The company reiterated this to WIRED on Friday.

The possibility that scammers were behind the theft, though, highlights the ways in which centralized data repositories like email accounts and social media profiles are potential gold mines for—and frequent targets of—phishers, spammers, and shady marketers.

Granular data helps spammers craft maximally convincing emails, SMS messages, and calls. The data not only helps improve the general verisimilitude of broad spam campaigns, but also makes it easier to specifically tailor scams to individuals. For example, in one popular scam, an email threatens to release compromising photos of you, and uses information like your old passwords and your phone number to make it seem like the attacker really does have dirt. The more credible they seem, the more likely you are to pay them off. If you were compromised in the Facebook hack, they now also potentially know where you live, where you've worked, and where you've been.

Attackers can use that sort of detailed information in all sorts of other ways, as well. Segura points out that a trove like the one stolen from Facebook would be valuable for launching massive malvertising campaigns that try to entice web users to click on malicious ads, since it contains so many indicators of a person's background and preferences. And having such granular data about people would enrich all sorts of phishing attacks and so-called "business email compromise" scams, in which attackers try to gain access to email accounts within a business to gain credibility, and then influence malicious activity like payments to the attacker. You're a lot more likely to think an email is really from your boss if she's referencing your upcoming birthday, and the work trip you went on to Cleveland in the fall. Phishers and BEC scammers could also use details from the breach to send convincing messages externally, posing as a company's client, for example, or a disgruntled customer.

And then there's the matter of stolen identities.

"Facebook is the new stolen credit card in terms of the data and value it provides criminals," says Tom Kelly, CEO of the identity protection company ID Experts. "Many people do not realize the effect the recent Facebook breach has had on their risk for identity theft or know how to protect themselves."

This is one of the most complicated impacts of the Facebook breach. While the stolen data could fuel online scam campaigns for years, consumers have little recourse against malicious advertising and persuasive phishing and spam attacks. As always, monitoring financial and social media accounts for suspicious activity, avoiding messages that suddenly create a sense of urgency to act on something, and staying suspicious of links and unexpected communications are all ways to avoid scams. But when fraudsters are armed with accurate and extensive data, their attempts become that much harder to dodge. And some of the ammunition they now have will last a lifetime.

"The type of data unfortunately in the case of Facebook is not something you can change easily, it’s not like a credit card breach where you can apply for a new card or change accounts," Malwarebyte's Segura says. "Your personal information, your name and what you do, your preferences and all of that tends to remain pretty static over the years, so unfortunately once the data is out there it becomes a threat."

Facebook has also said that it will not provide free identity theft protection to breach victims, a common offering in the wake of a massive data exposure.

The Facebook breach will continue to have an impact long term, and if the data is in the hands of scammers it could evolve through multiple phases of use. The attackers who took the data may monetize it themselves for months or years while they wait for law enforcement to move on from the incident. Later it may emerge on criminal marketplaces to take on a whole second life. And from there it would circulate and be repurposed in all different scams for years.

Though unanswered questions remain about the Facebook incident, the 30 million users who had some data pilfered from their profiles—and particularly the 14 million who lost granular, deeply personal data—are now exposed to a whole new degree. And if spammers really were behind the hack, the sophistication and brazenness of the Facebook attack indicates a troubling escalation.

"This should serve to highlight the point that even spammers are employing new and increasingly advanced attack methods," says Jake Williams, a former NSA analyst and founder of the security firm Rendition Infosec. "They have to get better to survive. The gap between 'nation state' and 'nuisance spammer' is definitely shrinking."


More Great WIRED Stories