Facebook & Twitter Apps Exploited to Profit From Private Data

A person claiming to be an apps developer is selling a list of over 1 million data files on Facebook users and 300,000 Twitter users, including email addresses, for $5. The developer claims to have collected the information through social apps.

Date published: October 25, 2012

Internet marketer Bogomil Shopov has been blogging his saga of allegedly buying the emails of more than 1 million Facebook users from a person representing themselves as a Facebook and Twitter app developer.

Shopov published a post on Oct. 23 titled, “I just bought more than 1 million Facebook data entries. OMG!” on his personal blog. He began, “I have the bloody habit to look for cheap deals on some websites and today I’ve got the featured offer to buy more than 1 million Facebook entries containing Full Name, e-mail and Facebook profile URL.”

The following screenshot was included as evidence:

Shopov claims to have purchased the data for $5 from a Facebook apps developer. The offer read in part:

The information in this list has been collected through our Facebook apps and consists only of active Facebook users, mostly from the US, Canada, UK and Europe. There are users from other countries as well but they are almost exclusively English speaking as well, as all the apps we provide are written in English and to use them properly one needs to read the instructions.

The list is checked and validated once a month so you won’t get a list full of invalid or duplicate email addresses. Whether you are offering a Facebook, Twitter, social media related or otherwise a general product or service, this list has a great potential for you. Finally, the list is in a zipped excel format split into 12 sheets, each sheet containing roughly 100,000 email addresses with name, last name and facebook profile information separated with comma.

Search Engine Watch discovered the original offer, posted on a website called Gigbucks by a user called “Mertem.” Close to 20 people have commented on the offer, with responses ranging from, “More colors would be nice but it’s very complete : name, last name, facebook profile and of course email address!” to “I wasn’t sure this list was legit or random but I can see now it’s legit and it’s working fine.”

Mertem also claims to have a list of 310,000 Twitter users for sale, also for $5.

Next, Shopov says he received a request to meet with Facebook’s policy team. In paraphrasing his conversation with a Facebook Policy Team member, he claims he was told:

Now we would like you to send us this file, delete it, tell us if you have given a copy of it to someone, give us the website from which you bought it including all transactions with it and the payment system and remove a couple of things from your blog. Oh and by the way, you are not allowed to disclose any part of this conversation; it is a secret that we are even having this conversation

Shopov notes that he asked Facebook what would be done about the problem in order for users to be able to protect themselves. “They emphasized that it would be an internal investigation and they would not share any information with third parties,” he said.

According to Shopov, he returned the data file to Facebook and was cautioned not to speak with anyone about his ability to buy personal user information from an app developer.

We asked Facebook for a statement regarding the validity of this alleged user data leak. A Facebook spokesperson told Search Engine Watch: “We have dedicated security engineers and teams that look into and take aggressive action on reports like those raised here. Since this is ongoing, we are not in a position to discuss the investigation at this time.”

It is important to note that it has not been confirmed that the person selling this information is an apps developer, though he claims this is how he collected the information. Another possibility is that he scraped the Facebook website for publicly available email addresses.

However, a cursory investigation of user accounts from the list shows that email addresses have been added to this list even when not published publicly on Facebook. The seller claims to have collected the information over a period of six months, meaning users might have changed their privacy settings between the time of collection and our verification.

We will keep you posted with any updates to this developing story.
