The notorious threat actor ‘IntelBroker’ has leaked a database allegedly stolen from Facebook, which contains 200,000 Facebook Marketplace user data entries.
Facebook Marketplace is an online platform provided by Facebook that allows users to buy, sell, and trade items with people in their local area or communities. It operates within the Facebook app and website, leveraging Facebook’s vast user network to facilitate transactions ranging from household items and clothing to vehicles and real estate.
RestorePrivacy has contacted Meta to inquire about the validity of the threat actor’s claims. Meta has confirmed to RestorePrivacy they are investigating the issue at this time, but cannot yet comment on the validity of the hacker’s claims.
The leak contains the following data points:
- Full names
- Email addresses
- Phone numbers
- Physical IDs
- Facebook IDs
- Facebook profile settings
This data can be used to attempt account compromise by combining it with data available from other leaks, performing targeted phishing attacks, scams, etc.
The threat actor, known for carrying out high-profile attacks against entities such as General Electric and U.S. government IT services contractor CACI, says that the particular database is the product of a breach of another cybercriminal named “algoatson,” who originally claimed the breach on Discord.
RestorePrivacy reviewed random entries on the leaked samples and found that they also contain sensitive and personally identifiable information, including:
- User IDs
- Device IDs
- Authentication tokens
- Device tokens used for push notifications
- Endpoint ARNs for AWS services
- Login timestamps that can reveal patterns of activity
The exposure of authentication tokens that may not have expired yet is particularly worrying, as threat actors can use those to take over accounts even if those are appropriately protected by strong passwords and multi-factor authentication.
By taking control of Facebook Marketplace accounts, threat actors could gain access to a vast pool of potential victims to conduct scams, phishing attacks, or distribute malware from seemingly trustworthy and otherwise reputable accounts.
Out of an abundance of caution, Facebook Marketplace users are recommended to take prompt action to revoke their authentication tokens by invalidating their active sessions (log out) to prevent their misuse. Additionally, it would be prudent to change passwords on the potentially impacted accounts, enable two-factor authentication, and review account activity for any signs of unauthorized access.