I have the bloody habit to look for cheap deals on some websites and today I’ve got the featured offer to buy more than 1 million Facebook entries containing Full Name, e-mail and Facebook profile URL.
I make a quick check over the data and surprise, surprise: most of them are real and I even know some of those users.

1 million Facebook accounts? WTF?

The description of the offer says:

The information in this list has been collected through our Facebook apps and consists only of active Facebook users, mostly from the US, Canada, UK and Europe. There are users from other countries as well but they are almost exclusively English speaking as well, as all the apps we provide are written in English and to use them properly one needs to read the instructions. The list is checked and validated once a month so you won’t get a list full of invalid or duplicate email addresses. Whether you are offering a Facebook, Twitter, social media related or otherwise a general product or service, this list has a great potential for you. Finally, the list is in a zipped excel format split into 12 sheets, each sheet containing roughly 100,000 email addresses with name, last name and facebook profile information separated with comma.


Do you still feel secure?

Oh yes, the deal price was 5$ – five u.s dollars.

Oh, this is not the end of the story. I ve’got a phone call from them.

(Update): No, Facebook, I don’t want my 5$ back, but I want something from (for) you.


83 thoughts on “I just bought more than 1 million …Facebook data entries. OMG! /updated/

  1. Pingback: xpda
  2. Hello are using WordPress for your site platform?

    I’m new to the blog world but I’m trying to get started and
    set up my own. Do you require any coding expertise to make your own blog?
    Any help would be really appreciated!

  3. Hhahah I always love the outraged comments.

    I can always see them live:
    Some suited up people knock at their door and say more or less “hey how about we shove some millions down your pockets, all you have to do is let us do whatever we want with user data?”

    Yeah you know you see em very much saying “No I’m an honorable person and I prefer sucking it up a the increasingly marauderous labor market doing 6 day 12-13-14-15 hour job shifts. I mean I could never be persuaded to betray the people’s interests – particularly those fools who don’t care to know better or do anything about it.”

    Thats exactly how its going to work right?

    And fb is just the first site that has really elevated the formula.
    It provides all the gossip goodness for all the mass of social cripples that need it to feel relevant. And all you have to do is trade in your dignity at the agreement to use it. Its a seamless transaction.

    And lets face it, it’s not really an issue of privacy. It’s a bigger issue of they’ve been allowed to go this far without much objection, not any effective ones any way. Now that they have them and others will feel comfortable demanding even more marauder policies so we can use their shit.

  4. An intriguing discussion is definitely worth comment.
    I believe that you should publish more on this
    issue, it might not be a taboo subject but usually folks don’t speak about these issues. To the next! Many thanks!!

  5. The other day, while I was at work, my cousin stole
    my apple ipad and tested to see if it can survive a 25 foot drop,
    just so she can be a youtube sensation. My iPad is now destroyed and she has
    83 views. I know this is entirely off topic but I had to share it
    with someone!

  6. Pingback: Petit dev
  7. We have a facebook account and we published the information willfully. I do not understand why is this such a problem because you may chose to hide the email as well as other personal information. From the URL with a scrapper you will get very little information. If you get their password (as happened several times a few years back) than I can see the problem. If there are any bugs in the FB that disclose information that it was not supposed to be disclosed, again I can see a problem. But scrapping content that users are willingly make public, why is this a problem? It’s pretty much useless the list and have very little to do with FB. (locuri de munca)

  8. A lot of FB users are, ‘Not The Sharpest Knifes In The Drawer?’ D’Oh! Posting on FB is like sending a postcard thru any mail service; any one can read it & anyone can add, change, remove, whatever they want!?!

  9. That is not something new yo just gave it publicity. FB is scraped daily for user info and they need to educate their users more how to protect themselves.

  10. Nevidím v tom až takový problém. V podstatě jen nejspíš vzali seznam e-mailů, a vyhledávali podle nich účty na FB. Vyzkoušej zadat e-mail do vyhledávání přímo na FB.
    Nejtěžší by na tom bylo vyrobit robota, který by se zvládl přihlásit, a zadával jeden email za druhým – ale to by neměl být problém s toolem typu Selenium.

  11. Personally i don’t give a crap if someone has my full name and email and facebook lol…so what. internet and facebook is not my life lol…who gives a shit.

  12. LOL. And that story made all of the news all over the world? 1 milion useless info ?!? How about the one who hacked 3.6 SSN (including credit cards) from USA ? Now that is a story. This is bullshit.

  13. Why this article was posted … I have to say good job. And point well taken. I suspect this is targeted all naive facebook users who think their info is “confidential” and that nothing will ever happen to their FB account. LOL.


    This stuff has been going on for years (scraping FB apps) but just never exposed to this extent. You did an awesome job Bogo. Pretty good Slap-In-The-Face to FaceBook. Keep up the good work.

  14. Здравствуйте, господин Шопов! Радиостанция Коммерсант ФМ (Москва) просит Вас прокомментировать по телефону ситуацию с данными Facebook. Пожалуйста, сообщите нам, как с Вами связаться.

    Radio Kommersant FM (Moscow) asks you for your contacts to record a comment about the situation with Facebook data. Thank you very much!

  15. You don’t need to be a hacker to harvest these data. Any not even very smart programmer can write a script that harvests profile links and looks for e-mail addresses on those profiles. Surely you’ll find 1 million e-mail address amongst roughly 1 billion FB accounts. There’s nothing illegal about it and there’s nothing FB can do against it, except for hiding all e-mail addresses on all profiles.

  16. The emails are possibly gathered using “Login using your facebook account” feature.

    Google also offers the feature and that’s risky too.

  17. That is an amazing story. I will start following your blog. Where do you have to search for these kind of things, is it underground? How did they get all of the contacts?

  18. From the (now removed) screen capture, person entering this data into a spreadsheet was using Turkish installation of Excel (sheet names) so reasonable to assume s/he was Turkish.

  19. What surprises me is that they gave out the username – referred to here as an email. This is just begging for a selenium script and some brute force.

  20. Spot-checked some of the profiles. Four out of five were realtors. That’s too much to be a coincidence? Either the profiles in the screenshot are ranked by profession, or that’s a lead for the leak.

  21. I thought “Sayfa[1-12]” was the name of that website. So I searched for it, and found http://www.sayfa.com.au/ and a Turkish app on Facebook :)

    Then I realised that sayfa means page in turkish (thanks google translate)
    :P haha
    but seriously, name that website!

  22. i’m seriously surprised that theyre only selling the name, email and facebook profile…..
    you can get a persons likes/account info/much much more detail from apps using the facebook API.

    its so simple these days with the amount of times people literally just press ok on everything!

  23. The great news is that there is no news.
    Facebook has always been a place for people who don’t understand what computer security means.

  24. Hello, seems usefull for the small firms to do some e mailing :), but I still don´t understand how did you do to buy all of this for 5 dollars?

  25. The problem is a spambot can add friends by email address in Facebook and other web sites. A spambot can also send spam links in email or Facebook instant message. A spambot can parse the URL to the Facebook internal email address to send it spam links. A cracker can run a dictionary crack on the accounts and the poor users using common words for passwords get cracked.

  26. Why is this important in the age where spam is a billion-dollar business and lists of email addresses are so 1999?

    Because they can personalize a scam or attack.

    With the user’s Facebook Id, the scammer can send an email about a new service your friend [Friend’s real name + profile photo] wants you to join. How many people do you think would click a link in that email without a second thought?

    It takes away the robotic “Dear xxfalloutboy69xx@compuserve.com,” greetings and replaces it with your real name. It replaces general geographic locations with the exact place you live.

    It personalizes a scam, making it confusing to a typical end user and thus dangerous.

    Of course, this depends on the accuracy of the data a user has provided to Facebook, but I’m sure the amount of people who do supply correct information outweighs those who don’t.

  27. Wow I was a bit skeptical at first as this offer seems too good to be true. Usually the lists they sell on auction sites are poor quality but this one is real good. The information is accurate. Let me know if you find more of these lists.

  28. Its not only the Spam.

    Its the more then the half of the two keys to successfully hack and steal an identity. Fake or not! These Data combined with other Data in the hands of evil guys (also women!) can do a lot of harm.

  29. Hey, since I see you have the most discriminating tastes, I would like to offer you a special one-time deal. I have the FINEST, rare imported breathing air that you will ever lay your hands on. It is bottled in 100% recycled plastic, using only the purest air molecules available in the world. The cost is only $5.00 per bottle. Cheap, right?!! This was bottled with the same painstaking care it took to gather 1 million Facebook data entries, and it’s a STEAL at $5.00 a pop. Buy one hundred bottles, and I will throw in 50 more for free. That is a savings of $250.00!!!

  30. This is not news. Any public website can be scraped and the data sold. Its not like this is a list of passwords or anything.


  31. You can aggregate to user profile ID from the URL as well as the user full name. I don’t understand why you think it is a good deal, and don’t forget that you have just made some evil people richer by 5$.

  32. @Joseph.. that is exactly one of the ways to use this.

    Marketing companies that do the equivalent of cold-calling – SPAM you.

    Getting the URL / email ID of one person is not a big deal .. but getting a nice juicy list of email IDs / URLs is dinner time for some ravagers..

    one more way to abuse this data – DoS

    1. leemail.me can man in the middle any account you make with it. That’s just so much better than what you normally do.

  33. How is this of any importance? You have an email adress and a name. This can be obtained by the most trivial Facebook apps. The only problem I see is in the case when Johnny X doesn’t what people to know that the email adress i_like_cupcakes@gmail.com is not his… all the rest of the infos are public.

  34. Question is. What can you do with this ? Send massive email ? -> Spam. Sending one-to-one email -> Eternity.

    So yes it’s not technically secure, but what are people going to do with this.

  35. I really don’t care. If you have mine you have my profile URL – well done, it’s public, my Facebook name – well done, it’s false, and the email I use for Facebook – well done, it’s the only place it’s used and I never check it.

    This post has given you access to more personal info than my Facebook data.

    1. You realize this is missing the point, right? It’s like saying “my credit card number was exposed, but the bank’s fraud department is replacing it”.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.