Update of January 18: After four requests, this site finally received a response from Facebook. According to a spokesperson:
We were able to look into this and based on our review, there is no evidence
that these credentials were exposed as a result of a Facebook breach, and we
found that very few entries match active or legitimate accounts. We continue
to encourage people to use unique passwords and to use Security Checkup to
review and add more security to their accounts at:
facebook.com/securitycheckup.
Original Post:
This site received an email this morning from someone pointing me to a dump on JustPaste.it: “37000+ Facebook Accounts Hacked By AnonCoders.”
The dump was prefaced with a statement from the hacktivist group whose members currently include “Unknown Al,” “Black Worm,” “DarkShadow-TN,” and “Dr.T3rr0r.”
AnonCoders have been active since January, 2015, and many of their attacks have been supportive of Palestine and Muslims and threatening to Israel. In that respect, this paste was no different, ending with:
You Can Imprison Our PALESTINIAN Brothers/Sisters But You Cannot Imprison Our Hope.
We Will Fight Till The End And We Are Coming To Take Revenge.
Jerusalem Is The Capital Of Palestine And The Heart Of The Muslim World!
The Israeli Declaration of Independence: May 14, 1948 ~ The End Of Israeli CyberSpace: May 14, 2018
Because the statement concerned Israel and nothing in the preface mentioned either Russia or Facebook, DataBreaches.net asked the email correspondent why all of the dumped data had Russian email addresses (e.g., mail.ru, bk.ru, list.ru, inbox.ru).
The correspondent, who called him/herself “French Dostoyevski,” answered me:
Well, The Main Reason Is That Russian Government Supports Bashar al-Assad.
Bashar al-Assad’s Militias Keep Killing Sunni Muslims In Syria And Use Chemical Weapons Against Them. Without The Support Of Russia, Assad Would Have Done Less Damage. The Second Part Is A Threat Against Israel (I Wrote The Date In The End)
The Israeli Declaration of Independence: May 14, 1948 ~ (((The End Of
Israeli CyberSpace: “May 14, 2018” )))
I confess that I did not follow up to ask what that data dump had to do with Israel because I was already confused enough.
In any event, inspection of the data dump indicated that it had not been posted on the clearnet before – at least not on any site indexed by Google. But inspection of the data dump also raised questions about the authenticity of the data, as random searches of email addresses returned no results in the vast majority of cases, and many of the email addresses and passwords looked fake. Attempting to test one of the possible fakes, however, led to recovery directions for the email account, including a partial phone number, which translated to:
So that email account appeared to exist, but were these the logins to Facebook accounts? Testing a different pair of suspicious credentials on Facebook resulted in a notice from Facebook that they had detected suspicious activity in the Facebook account and temporarily blocked it for security reasons. Appearances notwithstanding, then, these may have been from actual Facebook accounts. DataBreaches.net did not pursue testing any credentials on Facebook once it appeared that the accounts might exist.
Further investigation revealed that the claimed hack was previously reported on Albeu.com on January 2. A translation of their report indicates that Facebook had locked the accounts for security reasons. Of course, that still wouldn’t prove that Facebook itself was hacked, as the logins might have been obtained because users re-use credentials across sites.
DataBreaches.net contacted Facebook with a sample of the data to ask them to confirm or deny AnonCoders’ claimed hack, but has received no response by publication time. This post will be updated when they do respond.