Facebook users have been warned to change their passwords as 1.5 million Facebook user names and passwords have reportedly been put up for sale by a hacker.
VeriSign’s iDefense group has warned that a hacker, “kirllos”, is advertising up to 1.5 million Facebook user names and passwords for sale in bundles of 1,000 accounts: US$25 per bundle for accounts with 10 friends or fewer, and US$45 per bundle for accounts with more than 10 friends.
It is thought that 700,000 accounts have already been sold by “Kirllos”, who is believed to be a 24-year-old from New Zealand but was born in Russia.
It is not known how “Kirllos” came into possession of the Facebook usernames and passwords; however, it is most likely that he “phished” the log-in details using either spam designed to direct users to log in to a fake Facebook page that captures their passwords, or malware that logs keystrokes and reports back possible username/email and password details.
It is likely that the buyers of these Facebook log-ins will use them to commit confidence scams on people’s friends or, as has happened to someone known to Dynamic Business, to send messages to friends claiming that the account’s owner is trapped in a foreign country (in this case London) and needs money to get home.
Additionally, having Facebook account information will allow these criminals to compile information for potential identity theft attempts, looking for birth dates, mothers’ maiden names and the like to use as credentials to gain access to bank accounts and request that new credit cards be sent to alternate addresses.