I just bought more than 1 million …Facebook data entries. OMG! /updated/

I have the bloody habit to look for cheap deals on some websites and today I’ve got the featured offer to buy more than 1 million Facebook entries containing Full Name, e-mail and Facebook profile URL.
I make a quick check over the data and surprise, surprise: most of them are real and I even know some of those users.

1 million Facebook accounts? WTF?

The description of the offer says:

The information in this list has been collected through our Facebook apps and consists only of active Facebook users, mostly from the US, Canada, UK and Europe. There are users from other countries as well but they are almost exclusively English speaking as well, as all the apps we provide are written in English and to use them properly one needs to read the instructions. The list is checked and validated once a month so you won’t get a list full of invalid or duplicate email addresses. Whether you are offering a Facebook, Twitter, social media related or otherwise a general product or service, this list has a great potential for you. Finally, the list is in a zipped excel format split into 12 sheets, each sheet containing roughly 100,000 email addresses with name, last name and facebook profile information separated with comma.


Do you still feel secure?

Oh yes, the deal price was 5$ – five u.s dollars.

Oh, this is not the end of the story. I ve’got a phone call from them.

(Update): No, Facebook, I don’t want my 5$ back, but I want something from (for) you.







83 responses to “I just bought more than 1 million …Facebook data entries. OMG! /updated/”

  1. murtw Avatar

    gigbucks rite? :)

  2. maht Avatar

    I really don’t care. If you have mine you have my profile URL – well done, it’s public, my Facebook name – well done, it’s false, and the email I use for Facebook – well done, it’s the only place it’s used and I never check it.

    This post has given you access to more personal info than my Facebook data.

    1. tedder Avatar

      You realize this is missing the point, right? It’s like saying “my credit card number was exposed, but the bank’s fraud department is replacing it”.

    2. tham Avatar


      You’re living in denial.

  3. Pablo Avatar

    Maybe you want to blur the edit line, too.

    1. Bogo Avatar

      I just did. Sorry for that!!!

  4. […] Hacker News http://talkweb.eu/openweb/1819 wandelroutes This entry was posted in Uncategorized by admin. Bookmark the […]

  5. David Avatar

    Ehm, you forgot to censor the email of the field selected. Poor dude.

  6. Jérôme Avatar


    we can still see the email of Jerome Swank in the formula input ;-)

    1. Bogo Avatar

      I just fix that!

  7. lifebarier Avatar

    Would be interested to see some sort of application to test if my data is in these files.

  8. Oi Empresa Avatar

    I bet you bought this on Gigbucks. Right?
    Anyway, being on Hacker News now, this story will spread like fire.

  9. Joseph Avatar

    Question is. What can you do with this ? Send massive email ? -> Spam. Sending one-to-one email -> Eternity.

    So yes it’s not technically secure, but what are people going to do with this.

  10. Tudor Munteanu Avatar

    How is this of any importance? You have an email adress and a name. This can be obtained by the most trivial Facebook apps. The only problem I see is in the case when Johnny X doesn’t what people to know that the email adress i_like_cupcakes@gmail.com is not his… all the rest of the infos are public.

  11. Lee Avatar

    This is why I never give me email to websites, or use facebook connect. I created leemail.me instead. Want an invite?

    1. aaa aaa Avatar
      aaa aaa

      leemail.me can man in the middle any account you make with it. That’s just so much better than what you normally do.

  12. rags Avatar

    @Joseph.. that is exactly one of the ways to use this.

    Marketing companies that do the equivalent of cold-calling – SPAM you.

    Getting the URL / email ID of one person is not a big deal .. but getting a nice juicy list of email IDs / URLs is dinner time for some ravagers..

    one more way to abuse this data – DoS

  13. Tomer Cohen Avatar

    You can aggregate to user profile ID from the URL as well as the user full name. I don’t understand why you think it is a good deal, and don’t forget that you have just made some evil people richer by 5$.

  14. Dan Avatar

    This is not news. Any public website can be scraped and the data sold. Its not like this is a list of passwords or anything.


  15. fernando Avatar

    This is all public information, why the surprise?

  16. Maxime Avatar

    We can still see the last line (Ann Walker).

  17. Der Paderp Avatar
    Der Paderp

    Hey, since I see you have the most discriminating tastes, I would like to offer you a special one-time deal. I have the FINEST, rare imported breathing air that you will ever lay your hands on. It is bottled in 100% recycled plastic, using only the purest air molecules available in the world. The cost is only $5.00 per bottle. Cheap, right?!! This was bottled with the same painstaking care it took to gather 1 million Facebook data entries, and it’s a STEAL at $5.00 a pop. Buy one hundred bottles, and I will throw in 50 more for free. That is a savings of $250.00!!!

  18. DDave Avatar

    Its not only the Spam.

    Its the more then the half of the two keys to successfully hack and steal an identity. Fake or not! These Data combined with other Data in the hands of evil guys (also women!) can do a lot of harm.

  19. Trenzo Avatar

    Wow I was a bit skeptical at first as this offer seems too good to be true. Usually the lists they sell on auction sites are poor quality but this one is real good. The information is accurate. Let me know if you find more of these lists.

  20. Bingo Avatar

    Why is this important in the age where spam is a billion-dollar business and lists of email addresses are so 1999?

    Because they can personalize a scam or attack.

    With the user’s Facebook Id, the scammer can send an email about a new service your friend [Friend’s real name + profile photo] wants you to join. How many people do you think would click a link in that email without a second thought?

    It takes away the robotic “Dear xxfalloutboy69xx@compuserve.com,” greetings and replaces it with your real name. It replaces general geographic locations with the exact place you live.

    It personalizes a scam, making it confusing to a typical end user and thus dangerous.

    Of course, this depends on the accuracy of the data a user has provided to Facebook, but I’m sure the amount of people who do supply correct information outweighs those who don’t.

  21. Hebert Avatar

    O yea… I am sorry, that is notthing. -_-”

  22. Orion Blastar Avatar
    Orion Blastar

    The problem is a spambot can add friends by email address in Facebook and other web sites. A spambot can also send spam links in email or Facebook instant message. A spambot can parse the URL to the Facebook internal email address to send it spam links. A cracker can run a dictionary crack on the accounts and the poor users using common words for passwords get cracked.

  23. Georgi Avatar

    Be Smart, Use Ubuntu!

    What can you do with such an info? Hell lot of a things (mostly bad ones). Great post Bogo!!

    1. Bogo Avatar


  24. Nadia Avatar

    Hello, seems usefull for the small firms to do some e mailing :), but I still don´t understand how did you do to buy all of this for 5 dollars?

  25. erebus Avatar

    The great news is that there is no news.
    Facebook has always been a place for people who don’t understand what computer security means.

  26. Iso Avatar

    Finally the truth showed up, that facebook sells accounts to government and others, This info has been sold already a 500 times or more, so its normal to be cheap…
    See the truth for US and Bulgaria here


  27. xstatic Avatar

    i’m seriously surprised that theyre only selling the name, email and facebook profile…..
    you can get a persons likes/account info/much much more detail from apps using the facebook API.

    its so simple these days with the amount of times people literally just press ok on everything!

  28. jad Avatar

    I thought “Sayfa[1-12]” was the name of that website. So I searched for it, and found http://www.sayfa.com.au/ and a Turkish app on Facebook :)

    Then I realised that sayfa means page in turkish (thanks google translate)
    :P haha
    but seriously, name that website!

  29. MHJ Avatar

    Spot-checked some of the profiles. Four out of five were realtors. That’s too much to be a coincidence? Either the profiles in the screenshot are ranked by profession, or that’s a lead for the leak.

  30. Travis Avatar

    What surprises me is that they gave out the username – referred to here as an email. This is just begging for a selenium script and some brute force.

  31. Joey Figaro Avatar

    Not exactly private information. Email? Name? Facebook profile?

    Who cares?

  32. thomas Avatar

    From the (now removed) screen capture, person entering this data into a spreadsheet was using Turkish installation of Excel (sheet names) so reasonable to assume s/he was Turkish.

  33. Michael Avatar

    You seem to have made a profit or a very good donation to a worthy cause.
    For that I commend you, but for personal gain I disapprove.

  34. Greg Avatar

    That is an amazing story. I will start following your blog. Where do you have to search for these kind of things, is it underground? How did they get all of the contacts?

  35. Mac Avatar

    The emails are possibly gathered using “Login using your facebook account” feature.

    Google also offers the feature and that’s risky too.

  36. John Doe Avatar
    John Doe

    Congrats. Blogger discovered WordPress!!!!!!!!!!!

  37. nico Avatar

    Bad job facebook! The social network needs more security and privacy.

  38. Mark Avatar

    You don’t need to be a hacker to harvest these data. Any not even very smart programmer can write a script that harvests profile links and looks for e-mail addresses on those profiles. Surely you’ll find 1 million e-mail address amongst roughly 1 billion FB accounts. There’s nothing illegal about it and there’s nothing FB can do against it, except for hiding all e-mail addresses on all profiles.

  39. Lucas Avatar

    Du solltest auch die Ursprungsdatei löschen. Das bringt sonst gar nichts.


  40. brucecat Avatar

    I know there are data mining companies selling our private details to corporations but not for $5 though.

    Well now there are a few sites covering your posts.



  41. Yana Avatar

    Здравствуйте, господин Шопов! Радиостанция Коммерсант ФМ (Москва) просит Вас прокомментировать по телефону ситуацию с данными Facebook. Пожалуйста, сообщите нам, как с Вами связаться.

    Radio Kommersant FM (Moscow) asks you for your contacts to record a comment about the situation with Facebook data. Thank you very much!

  42. Billy Nomates Avatar
    Billy Nomates

    Are they all dumbfucks?

  43. Robert Avatar

    People now are worried about their privacy!
    Good job for you anyway!

  44. […] total of five dollars. “I just bought more than 1 million… Facebook data entries,” Shopov wrote on his blog Tuesday. […]

  45. Tom Avatar

    Why this article was posted … I have to say good job. And point well taken. I suspect this is targeted all naive facebook users who think their info is “confidential” and that nothing will ever happen to their FB account. LOL.


    This stuff has been going on for years (scraping FB apps) but just never exposed to this extent. You did an awesome job Bogo. Pretty good Slap-In-The-Face to FaceBook. Keep up the good work.

  46. Alfian Effendy Avatar

    Oh my gosh, realy? That’s why I hate Facebook.
    btw, you’re not completely remove your data picture, here’s the link


  47. robert Avatar

    Stupid people ! they blurred the names but left the links! Who’s been that smart?

  48. Roni Avatar

    Our private details are out there, they worth money and we get non of it.
    Check out this cool animation about a software offering a cool solution.

    Don’t get mad, get even :)

  49. […] purchasing the list and being amazed at its legitimacy, the IT blogger posted an entry detailing the event along with screenshots and a surprising follow-up. Using his personal E-mail […]

  50. Francisco Mesa Avatar

    Well. I don’t think it’s hard to get and download all that information. The problem is, in my opinion, about the offer. Isn’t it?

  51. Blqblqblq Avatar

    LOL. And that story made all of the news all over the world? 1 milion useless info ?!? How about the one who hacked 3.6 SSN (including credit cards) from USA ? Now that is a story. This is bullshit.

  52. allak Avatar

    Personally i don’t give a crap if someone has my full name and email and facebook lol…so what. internet and facebook is not my life lol…who gives a shit.

  53. L Avatar

    Nevidím v tom až takový problém. V podstatě jen nejspíš vzali seznam e-mailů, a vyhledávali podle nich účty na FB. Vyzkoušej zadat e-mail do vyhledávání přímo na FB.
    Nejtěžší by na tom bylo vyrobit robota, který by se zvládl přihlásit, a zadával jeden email za druhým – ale to by neměl být problém s toolem typu Selenium.

  54. Vope Avatar

    That is not something new yo just gave it publicity. FB is scraped daily for user info and they need to educate their users more how to protect themselves.

  55. […] you can get 1 million Facebook data entries for just $5. Just so you know how much you are worth in the eyes of some people. This entry was posted in […]

  56. […] hecho ha sido descubierto por un informático búlgaro llamado Bogomil Shopov, que publicó en su blog personal que había adquirido los datos privados de un millón de usuarios de Facebook por tan solo 5 […]

  57. Parala Avatar

    A lot of FB users are, ‘Not The Sharpest Knifes In The Drawer?’ D’Oh! Posting on FB is like sending a postcard thru any mail service; any one can read it & anyone can add, change, remove, whatever they want!?!

  58. […] ottobre è la notizia che per soli 5 dollari sono stati acquistati da Bogomil Shopov, blogger di nazionalità bulgara noto per le sue attività a difesa dei diritti civili digitali, i […]

  59. locuri de munca Avatar

    We have a facebook account and we published the information willfully. I do not understand why is this such a problem because you may chose to hide the email as well as other personal information. From the URL with a scrapper you will get very little information. If you get their password (as happened several times a few years back) than I can see the problem. If there are any bugs in the FB that disclose information that it was not supposed to be disclosed, again I can see a problem. But scrapping content that users are willingly make public, why is this a problem? It’s pretty much useless the list and have very little to do with FB. (locuri de munca)

  60. gisallka Avatar

    whats that. Im not made of glass so everybody could see through me!!

  61. […] plupart des données sont vraies et je connais même certains de ces utilisateurs », a déclaré Bogomil Shopov, le blogueur militant pour la défense des internautes. Actualité nouvelles technologies […]

  62. cipla Avatar

    The other day, while I was at work, my cousin stole
    my apple ipad and tested to see if it can survive a 25 foot drop,
    just so she can be a youtube sensation. My iPad is now destroyed and she has
    83 views. I know this is entirely off topic but I had to share it
    with someone!

  63. flightsone.com Avatar

    An intriguing discussion is definitely worth comment.
    I believe that you should publish more on this
    issue, it might not be a taboo subject but usually folks don’t speak about these issues. To the next! Many thanks!!

  64. […] enthalten: Der richtige Name, ein Link zum Facebook-Profil und die dazugehörige E-Mail-Adresse. Der Schnäppchenjäger Bogomil Shopov hat von dieser Sache in seinem BLOG berichtet. Quelle: Spiegel […]

  65. Raze Avatar

    Hhahah I always love the outraged comments.

    I can always see them live:
    Some suited up people knock at their door and say more or less “hey how about we shove some millions down your pockets, all you have to do is let us do whatever we want with user data?”

    Yeah you know you see em very much saying “No I’m an honorable person and I prefer sucking it up a the increasingly marauderous labor market doing 6 day 12-13-14-15 hour job shifts. I mean I could never be persuaded to betray the people’s interests – particularly those fools who don’t care to know better or do anything about it.”

    Thats exactly how its going to work right?

    And fb is just the first site that has really elevated the formula.
    It provides all the gossip goodness for all the mass of social cripples that need it to feel relevant. And all you have to do is trade in your dignity at the agreement to use it. Its a seamless transaction.

    And lets face it, it’s not really an issue of privacy. It’s a bigger issue of they’ve been allowed to go this far without much objection, not any effective ones any way. Now that they have them and others will feel comfortable demanding even more marauder policies so we can use their shit.

  66. More Info Avatar

    Hello are using WordPress for your site platform?

    I’m new to the blog world but I’m trying to get started and
    set up my own. Do you require any coding expertise to make your own blog?
    Any help would be really appreciated!

  67. […] bulgaro, Bogomil Shopov, attivista per i diritti digitali, sia riuscito a raccogliere i dati di 1,1 milioni di utenti (e-mail ed ID) inviati al sito di marketing Gigbucks pagando una cifra irrisoria: cinque […]

  68. […] will be launching an internal investigation following the revelation by Czech blogger Bogomil Shopov that data belonging to over one million Facebook users was offered […]

  69. jehming Avatar

    can i buy this too? where did you buy?

Leave a Reply to Maxime Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.