Select Page

Are you a frequent user of the biggest social media platform? Then you should find out if one of the Facebook accounts exposed was yours.

An ElasticSearch database leakage was discovered by vpnMentor researchers. 

It contained an archive with more than 100.000 accounts that were immediately used as part of a global hacking campaign.

Here’s what we know.


ElasticSearch Database Let +100k Facebook Accounts Exposed

The leaked 5.5 GB ElasticSearch database contained 13,521,774 records of credentials, IP addresses, names, emails, and even phone numbers.

How could something like this happen, in the first place?

Researchers found out that scammers tricked their victims on the social platform into giving their private login credentials with a tool that supposedly reveals who visits their profiles. 

Be aware that this function doesn’t exist, so this trick has worked for a long time.

The same stolen credentials were used to expand the scam even further: fraudsters shared spam comments of Facebook posts, where they disguised as their victim’s persona. The goal of such messages was to send more people into the scam.

In this case, the scam had a frontend face. vpnMentor researches found 29 domains connected to the scam network, where among these we can find:

  • askingviewer(.)com
  • capture-stalkers(.)com
  • follorviewer(.)com


vpnMentor researches continued by saying:

“These websites all eventually led to a fake Bitcoin trading platform used to scam people out of ‘deposits’ of at least €250 [$295].”


Although It’s unclear how visitors were driven to these websites, the team is aware that they showed pop-ups intended to boost social proof like the following: “There were 32 profile visitors on your page in the last 2 days! Continue to view your list.”

After proceeding, by clicking the “Open List!” button, the victims would be sent to a fake Facebook’s login page. It collected the data and pushed the user to another fake landing page, where it would be showing a “full list of snoopers.”

But instead, it redirected the victim (again) to a Facebook analytics app on Google.

So, the naive and curious victims exposed both their username and password in cleartext format, which made it easier to view, download, and use at any time.

Afterward, researchers raised their voice about two things:

The first one is to not trust Facebook’s fraud and bot detection tools entirely. This time, they bypassed it with fake news websites. If they used the fishy-kind of Bitcoin scams, then they could be blocked by the social platform.

Second, to change your login credentials if something similar happens to you at any time. Even if nothing has occurred so far, it’s recommendable to add two-factor authentication and extra security measures.

The latest is especially true if you reuse your Facebook login credentials on any other accounts. The easiest way to solve this issue is, using a password generator that produces a secure string and a password manager to not forget it soon.

Now, besides what was explained today, there’s just a little to talk about. So far, not even researchers know for sure who was behind this attack.

The only clues they present is that it could be related to the Meow cyberattack that started in July and went ongoing, until deleting 1,000 other unsecured databases permanently. As with other events, the database went offline and wasn’t accessible.

But there’s no 100% solid evidence of this or any other bad parties

According to Bob Diachenko, the name “meow” refers to its calling card after a Mailfire server was misconfigured and left open.