21 May 2010
Suppose you found out that a Russian hacker was selling access to hacked Facebook accounts for a mere $0.025 – $0.045 each, and that the hacker had 1,500,000 accounts to hawk. Should you be worried?
Risk vs. Effort
Facebook’s assessment of Kirllos is that he is a low-level player and that he had nowhere near the 1.5 million accounts he advertised. Most likely, he had a few hundred accounts, most of which he created himself. Through some interesting and impressive forensic work, the Facebook security team identified the real Facebook accounts owned by Kirllos, reset the passwords, and notified the account owners.
But for fun, let’s take the hacker’s advertising at face value. How big of a risk is it to you, the average Facebook account holder? Well, to start with, there are over 400 million Facebook accounts, so the chances that yours is among the 1.5 million currently on sale are less than half of one percent.
I’ve written before that the prices criminals are willing to pay for your account details are good indicators of the magnitude of the risk. In this case, if the value of each Facebook account is less than 5 cents, criminal buyers must not be expecting much more than the value of their time as a return on hacking into accounts.
You should be much more concerned about your bank account login details getting stolen, as that information apparently sells for about 1% of the account balance. In other words, buyers of this information expect a reasonable payoff in exchange for their investment and the risks they are taking.
So my take on the Facebook news is that it was initially alarming, but probably nothing to get worked up about. Of course, there’s no harm in updating and/or upgrading your Facebook password if you haven’t done so in a while.