Here’s another reason to go off of Facebook: hackers breached 120 million Facebook accounts in order to sell private messages.

On September 28, Facebook announced that up to 90 million users may have had their “access tokens” stolen by hackers. The tokens keep people logged into their accounts, and the number was later reduced to 30 million accounts that had been hacked. Users’ phone numbers and email addresses were accessed in what became the largest security breach in the company’s history.

Of the 30 million hacked, 14 million users had more than their phone and email information stolen. Fourteen million users had their following information stolen:

• username
• gender
• location/language
• relationship status
• religion
• hometown
• self-reported current city where they live
• birthday
• device types used to access Facebook
• education
• work
• the last 10 places they checked into or were tagged in
• website, people or Pages they follow
• the 15 most recent searches.

On November 2, the BBC reported that hackers also published private messages from at least 81,000 Facebook accounts. Perpetrators told the BBC Russian Service that they had stolen details from at least 120 million accounts, which they were attempting to sell.

Facebook said its security had not been compromised, Zero Hedge reported. Instead, Facebook claimed that the alleged stolen data might have been obtained “through malicious browser extensions.”

S0– Facebook denies it had been breached, but also said it took steps to prevent even more accounts from being hacked when it admitted to the September breach.

The BBC reported that many of the users were from the Ukraine and Russia; some were from the UK, US, Brazil and elsewhere.

“We have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores,” said Facebook executive Guy Rosen.

“We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts.”

A post from the user “FBSaler” first appeared online in September stating: “We sell personal information of Facebook users. Our database includes 120 million accounts.”

Cyber-security company Digital Shadows investigated the claim and confirmed that more than 81,000 of the profiles posted online as a sample included private messages. Data from an additional 176,000 accounts was also made available.

The BBC Russian Service then contacted five Russian Facebook users whose private messages had been uploaded who confirmed the posts were theirs. The hackers’ website appears to have been created in St. Petersburg and his/her IP address was the same as the one used to create the LokiBot Trojan, which allowed hackers to access users’ passwords, the BCC reported.

Zero Hedge remarks:

“The hack is still bad news for Facebook, which has had a terrible year for data security and questions will be asked about whether it is proactive enough in responding to situations like this that affect large numbers of people.

“If indeed 120 million user accounts were breached, and their information soon floods the world, it will be up to Zuckerberg to explain why he has so far failed to address this critical issue.”