1.5M Facebook accounts up for sale

Computerworld reports that 1.5 million Facebook accounts are up for sale by a hacker going by the moniker Kirllos. To be clear, that's 0.3% of the estimated 400 million total registered Facebook accounts. VeriSign's iDefense group found the hacker selling the accounts in an underground black-market forum, but it was the sheer number of accounts that set off alarms.

The legitimacy of the accounts hasn't been confirmed, but Kirllos seems to have sold 700,000 accounts already. While selling social-networking credentials online is nothing special, targeting big sites like Facebook and MySpace is only a recent trend. Randy Abrams, director of technical education at security company Eset, believes that the viral capabilities of modern malware are well suited to big sites like Facebook, where "people will follow it because they believe it was a friend that told them to go to this link." Once the password-stealing malware goes viral, big sites like Facebook are prime breeding grounds for credential lifting.

Kirllos is selling the accounts at a very deep discount compared to similar transactions. In Symantec's Internet Security Threat Report, email credentials sell at prices between $1 and $20, low-quality bank information can go for $15 (high quality can go for $850), and Kirllos wants $0.025 per account. That's one reason why he's selling such a high volume. However, that doesn't mean it's a scam. With such a large volume of accounts, Kirllos can afford to undercut the competition and still come out rich.


38 Comments


Tha Bloo Monkee said,
Can't you just use the "forgot my password" thing and reset it through your email?

People who have Facebook accounts probably have the same password as their e-mails, because that's what you use to log in to Facebook. So perhaps they'll have access to most of their e-mails as well =o

Jagjit Singh said,
People who have Facebook accounts probably have the same password as their e-mails, because that's what you use to log in to Facebook. So perhaps they'll have access to most of their e-mails as well =o

My Facebook account and the E-mail address associated with it use different passwords thank you very much.

This kind of thing happens every day. As long as you don't post detailed info about yourself and are secure, then you will be fine.

Today it is Facebook...tomorrow it may be Neowin. Who knows.

agreenbhm said,
Meh, it's only $37,000.

Only? That's still a good chunk of change for most people. That's more than a year's salary for many people.
So if you're this hacking scammer, you hijack some accounts, sell them, make $37k, you're good for the year. Good money for such little work I'd say.
Not justifying this guy, just saying...

Sardar Mohkim Khan said,
So if one hacker has 1.5 million accounts, what about others? And again, how many of those 500 million users on Facebook are 'real'?

Not sure, but weekly I get really hot chicks I don't know adding me as friends. They are fake, as the first clue was hot chicks wanting to be my friend...haha

People really need to be on higher alert with these scams. And Facebook should work harder to prevent such things from ever occurring. Just goes to show that not just Facebook can be unsafe but the entire internet.

Everyone needs to be educated. Otherwise they are as vulnerable as watching online porn without an antivirus.

I basically blame AOL and others like them for introducing the uneducated to the internet. Before they came along, most people on the internet knew what the **** they were doing.

roadwarrior said,
I basically blame AOL and others like them for introducing the uneducated to the internet. Before they came along, most people on the internet knew what the **** they were doing.

So you blame AOL and others like them for introducing people to what currently is by far the most useful thing in our lives and the only hope for a better future? The Internet can spread knowledge as fast as malware. It brought free speech and free education for almost everybody.

Plus free porn! xD

Critical Error said,
Maybe they use a really weak password. My password is 512 characters long, so I hope I'm not for sale.

How the hell can you have a 512 character password??!! The max I've seen is a 20 character limit, and that too on a security site. This is just a social networking site!

The Guardian said,

How the hell can you have a 512 character password??!! The max I've seen is a 20 character limit, and that too on a security site. This is just a social networking site!

Try to set a really long password on Facebook. It works. I was surprised too.

A just punishment for this ******* would be to have the names of all 1.5 million people tattooed on his body, in one continuous session.

roadwarrior said,
A just punishment for this ******* would be to have the names of all 1.5 million people tattooed on his body, in one continuous session.

lol I would pay $0.025 to see that!

SMELTN said,
How do you know if your account is on the list or not is my question.

If you cannot log in to your account anymore, that means you're hacked.

Are these legitimate accounts that have been hacked, or accounts that he created? I'm assuming they are hacked accounts, but please correct me if I'm wrong.

Zer0_II said,
Are these legitimate accounts that have been hacked, or accounts that he created? I'm assuming they are hacked accounts, but please correct me if I'm wrong.

hacked accounts.

Zer0_II said,
Are these legitimate accounts that have been hacked, or accounts that he created? I'm assuming they are hacked accounts, but please correct me if I'm wrong.

Can you imagine how long it would take for someone to create 1.5 Million accounts?

chisss said,
Can you imagine how long it would take for someone to create 1.5 Million accounts?

Not long with automated scripts... it's pretty simple actually.

vaximily said,

Not long with automated scripts... it's pretty simple actually.


Yes, but I believe FB has ways to avoid scripting. Also, you will need to create 1.5M different email addresses.

chisss said,

spammers

And how exactly can Facebook be a spamming platform? The worst these hacked accounts can do is spam messages to friends, who could easily just block them upon noticing that their friend's account has been hacked.

I don't see any real reason to buy 1.5M hacked accounts, unless you want to resell them individually to stalkers and trolls, but that would be a very complicated and tedious endeavour.

I'd say this is just another case of internet dick-waving.

RPDL said,

And how exactly can Facebook be a spamming platform? The worst these hacked accounts can do is spam messages to friends, who could easily just block them upon noticing that their friend's account has been hacked.

You'll be surprised at the amount of people that are click happy... same as an email... same concept, same results...

RPDL said,
And how exactly can Facebook be a spamming platform? The worst these hacked accounts can do is spam messages to friends, who could easily just block them upon noticing that their friend's account has been hacked.

A lot of people don't realize when their friend's account is hacked. For instance, I know someone that ended up clicking on a virally spread video that ended up injecting a virus into their system, and while they were logged in it would post a similar video (but always with a different title and thumbnail, which I noticed as I was cleaning up his account/computer). I'm not entirely sure how many times this person had to click "Yes" for it to land on their system (if at all considering the numerous Flash vulnerabilities), but we all know that most users are not averse to clicking "Yes" blindly.


So, as an uneducated user, I may be hesitant to click on the random friend request and/or message links. However, as an uneducated user, I probably would click on the video that my best friend sent me.

Edited by pickypg, Apr 23 2010, 7:10pm : Neowin spacing seems broken.

chisss said,

You'll be surprised at the amount of people that are click happy... same as an email... same concept, same results...


Probably better results even. Since people will think the link came from a friend and the thought of a hacked facebook account won't immediately cross their mind.

RPDL said,

And how exactly can Facebook be a spamming platform? The worst these hacked accounts can do is spam messages to friends, who could easily just block them upon noticing that their friend's account has been hacked.

I don't see any real reason to buy 1.5M hacked accounts, unless you want to resell them individually to stalkers and trolls, but that would be a very complicated and tedious endeavour.

I'd say this is just another case of internet dick-waving.

I think you are forgetting about the biggest threat, the password. Non-tech users have the same password for every bloody online service. So guess what: you get the Facebook password, you get the e-mail password. Beyond that, the sky is the limit.

PS: Do we really need malware to get Facebook accounts? I mean, we're in 2010 and those guys aren't even using HTTPS.... jeez