Facebook blames malicious browser plugins for leak of 81,000 users' private messages and offer of account data for 120,000,000 users

A user called FBSaler is offering personal data for Facebook users at $0.10 each, claiming to have account data from 120,000,000 users to offer. To prove that they have the goods, they've dumped the private messages sent by 81,000 Facebook users and account data from 176,000.

Facebook says the data wasn't breached from its servers: it blames malicious browser plugins for sucking this data directly out of users' computers.

An independent security firm, Digital Shadows, has verified that the leaked messages and account data are real, though it may be that the account data was scraped from public data posted by Facebook users, rather than breached (whether by hacking Facebook's servers or its users' browsers).

The sample data (which has been taken down) was hosted on a server that appeared to be located in St Petersburg, Russia. The accounts seemed to mostly belong to Russian and Ukrainian users, with a smattering of US, Brazilian, British and other users.

Personal shopping assistants, bookmarking applications and even mini-puzzle games are all on offer from various browsers such as Chrome, Opera and Firefox as third-party extensions.

The little icons sit alongside your URL address bar patiently waiting for you to click on them.

According to Facebook, it was one such extension that quietly monitored victims' activity on the platform and sent personal details and private conversations back to the hackers.

Facebook has not named the extensions it believes were involved but says the leak was not its fault.

Hack Brief: Someone Posted Private Facebook Messages From 81,000 Accounts [Louise Matsakis/Wired]

Private messages from 81,000 hacked Facebook accounts for sale [Andrei Zakharov/BBC Russia]
