Cyber-criminals are selling over 267 million Facebook profiles for £500 ($623) on dark web sites and hacker forums. While none of these records include passwords, they do contain information that could allow attackers to perform spear phishing or SMS attacks to steal credentials.

The database mostly contained the profiles of US citizens, and 16.8 million records of the entire database have email addresses, birthdate, and gender. The whole database was on sale for a price tag of £500 ($623) in hacking forums of the dark web. Cyble, a cyber intelligence firm who purchased to verify the database, agreed the database is adequate for conducting phishing and spamming related attacks.

The sold data includes their Facebook profile links, full names, email addresses, phone numbers, age, date of birth, status as in whether the user is active on the site or not, gender, city, and addresses, etc.

Buy Me A Coffee
Screenshot of Facebook sample data Cyble provided to

The database being sold does not contain Facebook account passwords, but it does contain email addresses and phone numbers for some users. This could allow attackers to create spear-phishing campaigns that aim to steal your password using email campaigns or SMS texts that pretend to be from Facebook.

If the phishing emails contain information such as dates of birth and/or phone numbers, some users may be more prone to believe them and thus provide the attackers with the requested info.

New York Times Source Code Stolen Using Exposed GitHub Token

Cyble recommends users tighten their privacy settings on Facebook accounts and be cautious of unsolicited emails and text messages.