Threat actors tricked Facebook users into giving up their login credentials to lure their friends into bitcoin schemes, but left the stolen info unsecured…
A crime ring appears to have successfully tricked hundreds of thousands of Facebook users into handing over their account login information. Ironically, the fraudsters then unwittingly exposed their own criminal activities by committing one of the most basic security mistakes — they forgot to lock down a cloud database with a password of their own to protect the information they stole.
Cybercriminals Stole Facebook Users’ Passwords to Lure Victims’ Friends into Bitcoin Scams
The hackers allegedly used fake websites posing as legitimate services, such as sites claiming to show Facebook users lists of people who had viewed their personal profiles. The phony sites sent unsuspecting Facebook users to bogus but real-looking Facebook login pages, where the victims were prompted to enter their credentials. This is according to Rotem and Locar, an Israeli security research firm.
Once the scammers had victims’ Facebook usernames and passwords, they would then attempt to lure the victims’ friends into bitcoin scams. It appears that hundreds of thousands of Facebook users fell for the scheme. Fortunately, Rotem and Locar reported their findings to Facebook, and the database of stolen credentials is no longer available. Facebook also forced a password reset on the affected accounts.