Cybercriminals have posted sensitive personal information, such as credit card and social security numbers, of dozens of people on Facebook and have advertised entire databases of private information on the social platform. Some of these posts have been left up on Facebook for years, and the internet giant only acted on these posts after we told it about them.
As of Monday, there were several public posts on Facebook that advertised dozens of people’s Social Security Numbers and other personal data. These weren’t very hard to find. It was as easy as a simple Google search.
A screenshot of the redacted Google search results for social security numbers on Facebook.
Most of the posts appeared to be ads made by criminals who were trying to sell personal information. Some of the ads are several years old, and were posted as “public” on Facebook, meaning anyone can see them, not just the author’s friends.
Independent security researcher Justin Shafer alerted Motherboard to these posts Monday.
“I am surprised how old some of the posts are and that it seems Facebook doesn’t have a system in place for removing these posts on their own,” Shafer told Motherboard in an online chat. “Posts that would have words flagged automatically by their system.”
On Monday, Motherboard reached out to Facebook asking for comment, and we included a sample Google search to illustrate the problem. A Facebook spokesperson answered saying they’d look into it. As of this writing, we haven’t received a comment, but some of the posts that appeared in the Google search sample we flagged have been removed.
Matt Mitchell, a digital security trainer, said that it should be “easy” for Facebook to stop and prevent these posts.
“On their end it's pure laziness to wait for an abuse report to stop post that are following a doxing template,” Mitchell told Motherboard in an online chat.
A screenshot of a post containing stolen personal data. This post was live as of the writing of this post
At least some of the data in these posts appears real. Motherboard was able to confirm the first four digits of the social security numbers, names, addresses, and dates of birth for four people whose data appears in a post from July 2014. At least three social security numbers, names, addresses, and dates of birth that appear in a different post from February 2015 also appear to be real, based on records searches. Motherboard called six of these victims but was unable to reach any of them. In some cases, we reached voicemail inboxes and the recorded greetings corresponded to the names contained in the Facebook posts..
Facebook has been sluggish at policing these kinds of posts. Last week, security journalists Brian Krebs found more than 100 Facebook groups—some with thousands of members—whose members exchanged hacked or stolen data. Facebook deleted the groups after Krebs alerted the company.
After publication, a Facebook spokesperson sent the following statement.
“We work hard to keep your account secure and safeguard your personal information. Posts containing information like Social Security numbers or credit card information are not allowed on Facebook, and we remove this material when we become aware of it. We are constantly working to improve these efforts, and we encourage our community to report anything they see that they don’t think should be in Facebook, so we can take swift action.”
Joseph Cox contributed reporting.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
Get six of our favorite Motherboard stories every day by signing up for our newsletter.