Threat actors are selling more than 309 million Facebook profiles for $623 on dark web sites and hacker forums. 

According to Comparitech, last month, security researcher Bob Diachenko discovered an open Elasticsearch database that contained more than 267 million Facebook records. Most of the users were United States, and many of these records contained a user's full name, their phone number and a unique Facebook ID. 

Diachenko believes the trove of data is most likely the result of an illegal scraping operation or Facebook API abuse by criminals in Vietnam, according to the evidence. The information contained in the database could be used to conduct large-scale SMS spam and phishing campaigns, among other threats to end users. 

Diachenko immediately notified the internet service provider managing the IP address of the server so that access could be removed. However, shortly after Diachenko discovered the second server, it was attacked by an unknown party. The databases of personal info were replaced with dummy data and database names that read, “please_secure_your_servers”. 

The second server exposed in March 2020 contained the same 267 million records as the previous one, plus an additional 42 million records. It was hosted on a US Elasticsearch server. In addition, 25 million of those records contained similar information: Facebook IDs, phone numbers, and usernames.

16.8 million of the new records contained more information, including:

  • Facebook ID
  • Phone number
  • Profile details
  • Email addresses
  • Some other personal details

How was the data stolen? According to Diachenko, Facebook’s API could have a security hole that would allow criminals to access user IDs and phone numbers even after access was restricted. Another possibility is that the data was stolen without using the Facebook API at all, and instead scraped from publicly visible profile pages.

For the full report, visit