In a worrying development for Facebook users concerned about security, iDefense Labs has found a hacker offering 1.5 million Facebook user accounts for sale on an underground hacker forum.
The accounts are being offered by a user called Kirllos who was operating using the Russian language, VeriSign unit iDefense said in a statement on Thursday. iDefense was unable to verify whether the accounts are legitimate.
The accounts are priced at $25 (£16) per 1,000 accounts with 10 contacts or less, or $45 for 1,000 accounts with more than 10 contacts. iDefense estimated that Kirllos has so far sold around 700,000 accounts.
The incident underscores the growing security concern around Facebook, which has more than 400 million members worldwide. This particular case shows that cybercriminals are beginning to look beyond their own geographies to international platforms such as Facebook, iDefense said.
Facebook was unable to immediately confirm iDefense's report or whether the accounts in question were legitimate. However, a spokeswoman for the company told ZDNet UK that the site has security procedures in place for users who believe their accounts have been hacked.
People can report a hacked account via a Facebook web page. If they still have access to their account, they should reset their password using the "Forgot your password?" link, the company advised.
Facebook has acknowledged that hijacked accounts have been used for various attacks, including money transfer scams.
"The money transfer scam is characterised by cybercriminals using Facebook in an attempt to trick your friends into sending them money," the company said in a security document on its website. "Most frequently, these criminals will gain control of a Facebook account, and use the Chat or Status features to claim that you are stuck in a far away location and in need of financial assistance."
The company has provided a form where users who believe their accounts have been affected by the money transfer scam can enter their account information for further investigation.
In January, a security researcher warned that Facebook is susceptible to certain types of attacks that could allow someone to hijack an account while a user is interacting with another website. Reseacher Nitesh Dhanjani also said a design flaw in Facebook is granting third-party apps permission to access user profile data without express approval from users.
Facebook has said it has systems in place for detecting and blocking access to links that are being used to launch such attacks on Facebook accounts.