In the biggest-ever security breach after the Cambridge Analytica scandal, Facebook in October admitted that hackers broke into almost 50 million users' accounts by stealing their "access tokens" or digital keys. The private Facebook messages of at least 81,000 people have reportedly been stolen, probably due to an exploit in a browser extension, and compromised accounts are now apparently up for sale for just $0.10 (£0.08) apiece.
After performing some investigation, security firm Digital Shadows confirmed that about 81,000 profiles had private messages.
Guy Rosen, Facebook's VP Product Management, said the company has contacted browser makers to ensure the infected extensions are no longer offered for download in their stores.
Sample message topics ranged from photos of a vacation and talk about a recent Depeche Mode concert to complaints about a son-in-law and intimate chat between two lovers.
"Data from a further 176,000 accounts was also made available, although some of the information - including email addresses and phone numbers - could have been scraped from members who had not hidden it", the report reads.
"Browsers like Chrome can be very secure, but browser extensions can introduce serious gaps in their armour".
Without naming the extensions, Facebook explains that these malicious extensions quietly monitored users' activity and sent data back to the hackers without the users' knowledge. On 26 July this year, the government announced in Parliament that it had ordered a CBI probe into Cambridge Analytica's (CA) misuse of Facebook data. This hack apparently has nothing to do with the most recent hack of Facebook data that was widely publicised in September. But Rick Holland, Digital Shadows' chief information security officer and Vice President of strategy, told Gizmodo that they still don't know what browser extension or extensions might be responsible.
And when asked whether the leaks were linked to the Russian state or to the Internet Research Agency - a group of hackers linked to the Kremlin - he replied: "No".