Cybercriminals have been advertising stolen information like addresses, credit card numbers, dates of birth and social security numbers on Facebook, Motherboard reports today, and they've been doing it unchecked for years. Security researcher Justin Shafer tipped Motherboard off to the information, much of which could be easily found through simple Google searches. A lot of the private information posted on Facebook appeared to be used in advertisements shared by those looking to sell the data and Motherboard was able to confirm that at least some of the stolen info was accurate.
Motherboard flagged some of the posts and alerted Facebook to the issue. A few of the posts were removed today. "We work hard to keep your account secure and safeguard your personal information," a Facebook spokesperson told Motherboard. "Posts containing information like social security numbers or credit card information are not allowed on Facebook, and we remove this material when we become aware of it. We are constantly working to improve these efforts, and we encourage our community to report anything they see that they don't think should be in Facebook, so we can take swift action."
"On their end it's pure laziness to wait for an abuse report to stop posts that are following a doxing template," digital security trainer Matt Mitchell told Motherboard. And Facebook's reliance on user flagging to spot inappropriate content came up frequently during Mark Zuckerberg's Congressional hearings earlier this month.
Further, this isn't the first time Facebook has been caught allowing illicit sales on its platform. In 2016, it apologized for a "technical issue" that allowed users to sell illegal items like drugs, guns and baby hedgehogs on Marketplace. And while Facebook changed its community guidelines in 2016, banning person-to-person gun sales, enforcing those rules turned out to be a challenge for the company.