A research team at vpnMentor has recently discovered a potential scam that might have stolen login credentials and credit card details of hundreds of thousands of Facebook users. The VPN service provider said that it found the scam through an unsecured database that was used by the hackers to store the private data of 100,000s Facebook users.

The hackers reportedly used a very common trick, where they offer users on the platform a tool to find out who recently visited their profiles. Vulnerable Facebook users, without knowing that it is a trap, fall into it and disclose their private information such as login credentials and payment credentials.

Victims’ Facebook accounts were accessed by hackers using the stolen login credentials. They went on to post spam comments via these accounts, directing people to a number of fake Bitcoin trading platforms, a very common practice among online fraudsters these days (Twitter faced a BitCoin cyberattack earlier this year as well). These fake Bitcoin trading websites dupe people into paying ‘deposits’ of around 250 Euros.

The unsecured Elasticsearch server that was discovered contained 13.5 million records that amounted to over 5.5GB of data. These records included Facebook login credentials (usernames and passwords) of 150,000 to 200,000 Facebook users; outlines for comments that the hackers would use to trick people into a Bitcoin scam; Personally Identifiable Information (PII) data such as emails, names, and phone numbers from users who had landed on the Bitcoin page; and domains for the websites used in the scam.

The unsecured database was first discovered on 21st September 2020 by vpnMentor’s research team. The VPN service wasted no time and immediately reported the case to Facebook the same day. On 22 September, the database was wiped out following a Meow cyberattack.

vpnMentor said in its blog, “Sometimes, the extent of a data breach and the database’s owner is obvious, and the issue is quickly resolved. But rare are these times. Most often, it takes days of investigating before we understand what’s at stake or who’s leaking the data. In this case, the incident didn’t originate from Facebook. The exposed database belonged to a 3rd party using it to process Facebook account login credentials obtained illegally via a group of scam websites targeting the social network’s users.”

vpnMentor claims that the records in the database were collected during the time period of June to September 2020. However, it also says that most probably the operation was more extensive and was being carried out for a far longer time.