The hacker’s name is Kirllos and has a pricing scheme for the accounts.  When an account has less than 10 friends, the price is $25 for 1000 accounts (or 2.5 cents per user).  When an account has over 10 contacts, he’s asking for $45 for 1000 accounts (or 4.5 cents per user).  The director of intelligence at iDefense, Rik Howard, had this to say: ”There are two things that make this discovery interesting: the volume of social network account credentials discovered, and the fact that we are seeing an eastern European hacker dip into western social networks.  In the past, most hackers have been content to stay with their own local social networking services.”

The likely goal, says iDefense, is to use the data to set up fraudulent accounts and identities which can be used to create bank accounts, make money transfers and also steal other people’s identities and use that to their advantage.  The fact that employees use their Facebook at work also means that there is the potential for illegitimate users to access some of that corporate information, although the technology behind that isn’t yet clear.  We’ll see how this progresses, and whether this is the real deal, but if so, and at prices like that, we can expect more Facebook hackers to appear in the coming years.

The problem is, that email notification address is accessible by anyone.  Meaning that if someone were to find that email somehow, they could respond on this thread, regardless of whether they’re your Facebook friend. Unfortunately for Facebook, it’s relatively difficult to control this security vulnerability. As Jacob Friedman points out:

While Facebook scammers still spam comments from accounts that get passwords stolen or phished, this type of hack is much more difficult for Facebook to control. Where Facebook could simply lock compromised accounts out until their owners change their passwords, it’s much more difficult for Facebook to fix compromised email accounts. It would be difficult for Facebook to work with email providers, especially smaller ones, to get compromised account holders to change their passwords. Facebook’s only recourse might be to delete the accounts of users with compromised email accounts.

So yes, there’s very little you can do to protect yourself against this problem aside from using good email security practices. Awareness, however, is the best form of protection! As a side note, this feature has been long requested and was certainly welcome from me, with my many, many status update comments posted to my profile (/sarcasm).

The problem is, that email notification address is accessible by anyone.  Meaning that if someone were to find that email somehow, they could respond on this thread, regardless of whether they’re your Facebook friend. Unfortunately for Facebook, it’s relatively difficult to control this security vulnerability. As Jacob Friedman points out:

While Facebook scammers still spam comments from accounts that get passwords stolen or phished, this type of hack is much more difficult for Facebook to control. Where Facebook could simply lock compromised accounts out until their owners change their passwords, it’s much more difficult for Facebook to fix compromised email accounts. It would be difficult for Facebook to work with email providers, especially smaller ones, to get compromised account holders to change their passwords. Facebook’s only recourse might be to delete the accounts of users with compromised email accounts.

So yes, there’s very little you can do to protect yourself against this problem aside from using good email security practices. Awareness, however, is the best form of protection! As a side note, this feature has been long requested and was certainly welcome from me, with my many, many status update comments posted to my profile (/sarcasm).