I just bought more than 1 million …Facebook data entries. OMG! /updated/

October 23, 2012
By Bogomil Shopov
Post Image

I have the bloody habit to look for cheap deals on some websites and today I’ve got the featured offer to buy more than 1 million Facebook entries containing Full Name, e-mail and Facebook profile URL.
I make a quick check over the data and surprise, surprise: most of them are real and I even know some of those users.

1 million Facebook accounts? WTF?

The description of the offer says:

The information in this list has been collected through our Facebook apps and consists only of active Facebook users, mostly from the US, Canada, UK and Europe. There are users from other countries as well but they are almost exclusively English speaking as well, as all the apps we provide are written in English and to use them properly one needs to read the instructions. The list is checked and validated once a month so you won’t get a list full of invalid or duplicate email addresses. Whether you are offering a Facebook, Twitter, social media related or otherwise a general product or service, this list has a great potential for you. Finally, the list is in a zipped excel format split into 12 sheets, each sheet containing roughly 100,000 email addresses with name, last name and facebook profile information separated with comma.


Do you still feel secure?

Oh yes, the deal price was 5$ – five u.s dollars.

Oh, this is not the end of the story. I ve’got a phone call from them.

(Update): No, Facebook, I don’t want my 5$ back, but I want something from (for) you.


Bogomil Shopov

I care about privacy, ethical design, and freedom in many aspects. I spend 20+ years working as a web developer and architect, analyst, manager, and product owner/manager in different environments, several countries, and multiple software industries like Healthcare and Hospitality. I wore many hats, and I use the knowledge gathered to optimize the flow of value across complex systems.


  • murtw

    October 23, 2012 at 3:06 pm

    gigbucks rite? :)

  • maht

    October 23, 2012 at 3:15 pm

    I really don’t care. If you have mine you have my profile URL – well done, it’s public, my Facebook name – well done, it’s false, and the email I use for Facebook – well done, it’s the only place it’s used and I never check it.

    This post has given you access to more personal info than my Facebook data.

    • tedder

      October 26, 2012 at 3:09 am

      You realize this is missing the point, right? It’s like saying “my credit card number was exposed, but the bank’s fraud department is replacing it”.

    • tham

      October 27, 2012 at 7:53 pm


      You’re living in denial.

  • Pablo

    October 23, 2012 at 3:20 pm

    Maybe you want to blur the edit line, too.

    • Bogo

      October 23, 2012 at 4:03 pm

      I just did. Sorry for that!!!

  • David

    October 23, 2012 at 3:29 pm

    Ehm, you forgot to censor the email of the field selected. Poor dude.

  • Jérôme

    October 23, 2012 at 3:38 pm


    we can still see the email of Jerome Swank in the formula input ;-)

    • Bogo

      October 23, 2012 at 4:04 pm

      I just fix that!

  • lifebarier

    October 23, 2012 at 3:45 pm

    Would be interested to see some sort of application to test if my data is in these files.

  • Oi Empresa

    October 23, 2012 at 4:01 pm

    I bet you bought this on Gigbucks. Right?
    Anyway, being on Hacker News now, this story will spread like fire.

  • Joseph

    October 23, 2012 at 4:12 pm

    Question is. What can you do with this ? Send massive email ? -> Spam. Sending one-to-one email -> Eternity.

    So yes it’s not technically secure, but what are people going to do with this.

  • Tudor Munteanu

    October 23, 2012 at 4:15 pm

    How is this of any importance? You have an email adress and a name. This can be obtained by the most trivial Facebook apps. The only problem I see is in the case when Johnny X doesn’t what people to know that the email adress i_like_cupcakes@gmail.com is not his… all the rest of the infos are public.

  • Lee

    October 23, 2012 at 5:07 pm

    This is why I never give me email to websites, or use facebook connect. I created leemail.me instead. Want an invite?

    • aaa aaa

      October 23, 2012 at 6:33 pm

      leemail.me can man in the middle any account you make with it. That’s just so much better than what you normally do.

  • rags

    October 23, 2012 at 5:41 pm

    @Joseph.. that is exactly one of the ways to use this.

    Marketing companies that do the equivalent of cold-calling – SPAM you.

    Getting the URL / email ID of one person is not a big deal .. but getting a nice juicy list of email IDs / URLs is dinner time for some ravagers..

    one more way to abuse this data – DoS

  • Tomer Cohen

    October 23, 2012 at 6:05 pm

    You can aggregate to user profile ID from the URL as well as the user full name. I don’t understand why you think it is a good deal, and don’t forget that you have just made some evil people richer by 5$.

  • Dan

    October 23, 2012 at 6:47 pm

    This is not news. Any public website can be scraped and the data sold. Its not like this is a list of passwords or anything.


  • fernando

    October 23, 2012 at 7:43 pm

    This is all public information, why the surprise?

  • Maxime

    October 23, 2012 at 8:36 pm

    We can still see the last line (Ann Walker).

  • Der Paderp

    October 23, 2012 at 9:15 pm

    Hey, since I see you have the most discriminating tastes, I would like to offer you a special one-time deal. I have the FINEST, rare imported breathing air that you will ever lay your hands on. It is bottled in 100% recycled plastic, using only the purest air molecules available in the world. The cost is only $5.00 per bottle. Cheap, right?!! This was bottled with the same painstaking care it took to gather 1 million Facebook data entries, and it’s a STEAL at $5.00 a pop. Buy one hundred bottles, and I will throw in 50 more for free. That is a savings of $250.00!!!

  • DDave

    October 23, 2012 at 9:49 pm

    Its not only the Spam.

    Its the more then the half of the two keys to successfully hack and steal an identity. Fake or not! These Data combined with other Data in the hands of evil guys (also women!) can do a lot of harm.

  • Trenzo

    October 24, 2012 at 12:03 am

    Wow I was a bit skeptical at first as this offer seems too good to be true. Usually the lists they sell on auction sites are poor quality but this one is real good. The information is accurate. Let me know if you find more of these lists.

  • Bingo

    October 24, 2012 at 1:13 am

    Why is this important in the age where spam is a billion-dollar business and lists of email addresses are so 1999?

    Because they can personalize a scam or attack.

    With the user’s Facebook Id, the scammer can send an email about a new service your friend [Friend’s real name + profile photo] wants you to join. How many people do you think would click a link in that email without a second thought?

    It takes away the robotic “Dear xxfalloutboy69xx@compuserve.com,” greetings and replaces it with your real name. It replaces general geographic locations with the exact place you live.

    It personalizes a scam, making it confusing to a typical end user and thus dangerous.

    Of course, this depends on the accuracy of the data a user has provided to Facebook, but I’m sure the amount of people who do supply correct information outweighs those who don’t.

  • Hebert

    October 24, 2012 at 3:37 am

    O yea… I am sorry, that is notthing. -_-”

  • Orion Blastar

    October 24, 2012 at 5:28 am

    The problem is a spambot can add friends by email address in Facebook and other web sites. A spambot can also send spam links in email or Facebook instant message. A spambot can parse the URL to the Facebook internal email address to send it spam links. A cracker can run a dictionary crack on the accounts and the poor users using common words for passwords get cracked.

  • Georgi

    October 24, 2012 at 3:06 pm

    Be Smart, Use Ubuntu!

    What can you do with such an info? Hell lot of a things (mostly bad ones). Great post Bogo!!

    • Bogo

      October 24, 2012 at 4:04 pm


  • Nadia

    October 24, 2012 at 4:01 pm

    Hello, seems usefull for the small firms to do some e mailing :), but I still don´t understand how did you do to buy all of this for 5 dollars?

  • erebus

    October 24, 2012 at 7:17 pm

    The great news is that there is no news.
    Facebook has always been a place for people who don’t understand what computer security means.

  • Iso

    October 24, 2012 at 10:35 pm

    Finally the truth showed up, that facebook sells accounts to government and others, This info has been sold already a 500 times or more, so its normal to be cheap…
    See the truth for US and Bulgaria here


  • xstatic

    October 25, 2012 at 5:58 pm

    i’m seriously surprised that theyre only selling the name, email and facebook profile…..
    you can get a persons likes/account info/much much more detail from apps using the facebook API.

    its so simple these days with the amount of times people literally just press ok on everything!

  • Sy0

    October 25, 2012 at 6:03 pm

    You might want to remove the old files ;)


  • jad

    October 25, 2012 at 7:38 pm

    I thought “Sayfa[1-12]” was the name of that website. So I searched for it, and found http://www.sayfa.com.au/ and a Turkish app on Facebook :)

    Then I realised that sayfa means page in turkish (thanks google translate)
    :P haha
    but seriously, name that website!

  • MHJ

    October 25, 2012 at 8:34 pm

    Spot-checked some of the profiles. Four out of five were realtors. That’s too much to be a coincidence? Either the profiles in the screenshot are ranked by profession, or that’s a lead for the leak.

  • Travis

    October 25, 2012 at 8:47 pm

    What surprises me is that they gave out the username – referred to here as an email. This is just begging for a selenium script and some brute force.

  • Joey Figaro

    October 25, 2012 at 9:46 pm

    Not exactly private information. Email? Name? Facebook profile?

    Who cares?

  • thomas

    October 25, 2012 at 11:20 pm

    From the (now removed) screen capture, person entering this data into a spreadsheet was using Turkish installation of Excel (sheet names) so reasonable to assume s/he was Turkish.

  • Michael

    October 26, 2012 at 3:14 am

    You seem to have made a profit or a very good donation to a worthy cause.
    For that I commend you, but for personal gain I disapprove.

  • Greg

    October 26, 2012 at 5:49 am

    That is an amazing story. I will start following your blog. Where do you have to search for these kind of things, is it underground? How did they get all of the contacts?

  • Mac

    October 26, 2012 at 10:46 am

    The emails are possibly gathered using “Login using your facebook account” feature.

    Google also offers the feature and that’s risky too.

  • John Doe

    October 26, 2012 at 11:13 am

    Congrats. Blogger discovered WordPress!!!!!!!!!!!

  • nico

    October 26, 2012 at 11:13 am

    Bad job facebook! The social network needs more security and privacy.

  • Mark

    October 26, 2012 at 12:11 pm

    You don’t need to be a hacker to harvest these data. Any not even very smart programmer can write a script that harvests profile links and looks for e-mail addresses on those profiles. Surely you’ll find 1 million e-mail address amongst roughly 1 billion FB accounts. There’s nothing illegal about it and there’s nothing FB can do against it, except for hiding all e-mail addresses on all profiles.

  • Lucas

    October 26, 2012 at 1:11 pm

    Du solltest auch die Ursprungsdatei löschen. Das bringt sonst gar nichts.


  • brucecat

    October 26, 2012 at 1:58 pm

    I know there are data mining companies selling our private details to corporations but not for $5 though.

    Well now there are a few sites covering your posts.



  • Yana

    October 26, 2012 at 2:24 pm

    Здравствуйте, господин Шопов! Радиостанция Коммерсант ФМ (Москва) просит Вас прокомментировать по телефону ситуацию с данными Facebook. Пожалуйста, сообщите нам, как с Вами связаться.

    Radio Kommersant FM (Moscow) asks you for your contacts to record a comment about the situation with Facebook data. Thank you very much!

  • Billy Nomates

    October 26, 2012 at 4:05 pm

    Are they all dumbfucks?

  • Robert

    October 26, 2012 at 8:31 pm

    People now are worried about their privacy!
    Good job for you anyway!

  • Tom

    October 27, 2012 at 5:49 am

    Why this article was posted … I have to say good job. And point well taken. I suspect this is targeted all naive facebook users who think their info is “confidential” and that nothing will ever happen to their FB account. LOL.


    This stuff has been going on for years (scraping FB apps) but just never exposed to this extent. You did an awesome job Bogo. Pretty good Slap-In-The-Face to FaceBook. Keep up the good work.

  • Alfian Effendy

    October 27, 2012 at 9:25 am

    Oh my gosh, realy? That’s why I hate Facebook.
    btw, you’re not completely remove your data picture, here’s the link


  • robert

    October 27, 2012 at 6:11 pm

    Stupid people ! they blurred the names but left the links! Who’s been that smart?

  • Roni

    October 28, 2012 at 11:24 am

    Our private details are out there, they worth money and we get non of it.
    Check out this cool animation about a software offering a cool solution.

    Don’t get mad, get even :)

  • Francisco Mesa

    October 29, 2012 at 6:27 pm

    Well. I don’t think it’s hard to get and download all that information. The problem is, in my opinion, about the offer. Isn’t it?

  • Blqblqblq

    October 30, 2012 at 1:15 pm

    LOL. And that story made all of the news all over the world? 1 milion useless info ?!? How about the one who hacked 3.6 SSN (including credit cards) from USA ? Now that is a story. This is bullshit.

  • allak

    October 31, 2012 at 1:09 am

    Personally i don’t give a crap if someone has my full name and email and facebook lol…so what. internet and facebook is not my life lol…who gives a shit.

  • L

    November 1, 2012 at 4:22 am

    Nevidím v tom až takový problém. V podstatě jen nejspíš vzali seznam e-mailů, a vyhledávali podle nich účty na FB. Vyzkoušej zadat e-mail do vyhledávání přímo na FB.
    Nejtěžší by na tom bylo vyrobit robota, který by se zvládl přihlásit, a zadával jeden email za druhým – ale to by neměl být problém s toolem typu Selenium.

  • Vope

    November 6, 2012 at 9:45 pm

    That is not something new yo just gave it publicity. FB is scraped daily for user info and they need to educate their users more how to protect themselves.

  • Parala

    November 17, 2012 at 2:11 am

    A lot of FB users are, ‘Not The Sharpest Knifes In The Drawer?’ D’Oh! Posting on FB is like sending a postcard thru any mail service; any one can read it & anyone can add, change, remove, whatever they want!?!

  • locuri de munca

    November 26, 2012 at 10:59 am

    We have a facebook account and we published the information willfully. I do not understand why is this such a problem because you may chose to hide the email as well as other personal information. From the URL with a scrapper you will get very little information. If you get their password (as happened several times a few years back) than I can see the problem. If there are any bugs in the FB that disclose information that it was not supposed to be disclosed, again I can see a problem. But scrapping content that users are willingly make public, why is this a problem? It’s pretty much useless the list and have very little to do with FB. (locuri de munca)

  • gisallka

    November 27, 2012 at 4:53 am

    whats that. Im not made of glass so everybody could see through me!!

  • Pingback: Petit dev

  • cipla

    December 20, 2012 at 7:50 pm

    The other day, while I was at work, my cousin stole
    my apple ipad and tested to see if it can survive a 25 foot drop,
    just so she can be a youtube sensation. My iPad is now destroyed and she has
    83 views. I know this is entirely off topic but I had to share it
    with someone!

  • flightsone.com

    December 21, 2012 at 7:28 am

    An intriguing discussion is definitely worth comment.
    I believe that you should publish more on this
    issue, it might not be a taboo subject but usually folks don’t speak about these issues. To the next! Many thanks!!

  • Raze

    December 30, 2012 at 4:33 pm

    Hhahah I always love the outraged comments.

    I can always see them live:
    Some suited up people knock at their door and say more or less “hey how about we shove some millions down your pockets, all you have to do is let us do whatever we want with user data?”

    Yeah you know you see em very much saying “No I’m an honorable person and I prefer sucking it up a the increasingly marauderous labor market doing 6 day 12-13-14-15 hour job shifts. I mean I could never be persuaded to betray the people’s interests – particularly those fools who don’t care to know better or do anything about it.”

    Thats exactly how its going to work right?

    And fb is just the first site that has really elevated the formula.
    It provides all the gossip goodness for all the mass of social cripples that need it to feel relevant. And all you have to do is trade in your dignity at the agreement to use it. Its a seamless transaction.

    And lets face it, it’s not really an issue of privacy. It’s a bigger issue of they’ve been allowed to go this far without much objection, not any effective ones any way. Now that they have them and others will feel comfortable demanding even more marauder policies so we can use their shit.

  • קיידום ממומן

    January 25, 2013 at 5:23 pm


  • More Info

    January 28, 2013 at 1:48 am

    Hello are using WordPress for your site platform?

    I’m new to the blog world but I’m trying to get started and
    set up my own. Do you require any coding expertise to make your own blog?
    Any help would be really appreciated!

  • Pingback: xpda

  • jehming

    September 7, 2015 at 1:51 am

    can i buy this too? where did you buy?


Leave a reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.