Facebook Hacking: 'Tens of Thousands' of Account Passwords Stolen—How to Check If You Are Affected

Hackers infected the PCs of more than 40,000 Facebook users with password-stealing malware in the space of four days last week—and a team of cybersecurity experts warn that U.S. retail giant Amazon could be the next target.

The culprits—whose identities remain unknown—used phishing tactics to direct victims to a little-known application booby-trapped with the Trojan, which has since been dubbed "Stresspaint" by researchers from Radware's Malware Research Group, an enterprise security team headquartered in Israel.

The wave of infections was recorded between April 12 and April 16, ultimately giving the group access to tens of thousands of Facebook user credentials from Chrome users. "This rapid distribution and high infection rate indicates this malware was developed professionally," Radware concluded in its Wednesday analysis.

The campaign appeared to be orchestrated via spam email or links sent over Facebook itself. While the exact avenue to infection remains murky, experts said what happens if a victim clicks on the app's download link is much clearer.

The app itself works as advertised, but in the background files are dropped that can hunt for data saved in Chrome browser. They are designed to seek out Facebook cookies, which are strings of text used to store login information.

"Information is stolen when the malware is run for the first time, if the user runs the application again, and every restart of the computer," the firm wrote.

"It is done by copying the content of Chrome browser cookies and login data files to a new location and querying the data from there. Once saved login credentials or Facebook cookies are found, they are sent encrypted to the C2."

C2, another term for "command and control server," is essentially the hackers' base of operations. Experts said that while the motive remains unclear it could involve selling the data, ransom demands, espionage or online identity theft. After Radware gained access to the malware's control panel it found a section labeled Amazon, which led it to suggest the shopping website could be the crooks' next target.

Facebook confirmed that it is investigating the malware outbreak. Luckily, Radware said it was able to uncover records of all the stolen account credentials. There is no suggestion that the security of Facebook itself was compromised in any way.

Are you infected?

Pete Voss, communications manager of Facebook's security division, said the platform is "taking steps to help protect and notify those who are impacted."

Anyone who had their credentials hijacked will be notified, he said.

"We encourage people to check the mails they receive for trusted domains," Voss noted in a statement, adding: "Facebookmail.com is a common domain that Facebook uses to send notifications when we detect an attempt to log in to your account or change a password. If you're unsure if an email you received was from Facebook, you can check its legitimacy by visiting facebook.com/settings to view a list of security-related emails that have been recently sent.

"We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan."

Facebook users should always be wary of suspicious links, Radware stressed. "Radware recommends individuals and organizations to update their current password and only download applications from trusted sources," the team said.

"As this malware rapidly expands, the group will certainly continue to try to find new ways to utilize the stolen assets," it warned. "Such groups continuously create new malware and mutations to bypass security controls."

The news emerged in the wake of the Cambridge Analytica data scandal, which involved the alleged misuse of an estimated 87 million Facebook accounts.

The social network's founder, Mark Zuckerberg, recently acknowledged that all users on the platform—over 2 billion—were, until recently, at risk of having their public information scraped. The website recently updated its data policies.