April 23, 2010 -- Want a great deal on a Facebook account? A Russian hacker who calls himself "kirllos" claims he can sell you 1,000 unsuspecting users' login credentials for just $25, or $45 if the accounts have more than 10 friends each.
The hacker is believed to have stolen the IDs of 1.5 million Facebook users. If accurate, that means one out of every 300 Facebook users may have been victimized. Kirllos is selling the information on an underground hacker website, according to VeriSign's iDefense Labs. The cybersecurity company estimates that kirllos has sold around 700,000 accounts so far, but VeriSign was unable to verify if any of the accounts are legitimate accounts belonging to real Facebook users.
Kirllos' prices are incredibly cheap compared to other scams for sale. E-mail usernames and passwords usually fetch between $1 and $20 each, according to Symantec's latest Internet Security Threat Report. In contrast, kirllos is claiming he will sell accounts for as little as 25 cents each.
According to Mashable, hacking Facebook "isn't a new hobby for this person." The site has a screenshot of another offer kirllos allegedly made last year when he claimed to be selling 100,000 compromised accounts.
Users whose Facebook IDs and passwords have been stolen could be vulnerable to identity theft or even "more insidious scams," Mashable says.
Facebook is investigating the specific accounts kirllos has put up for sale, and will block access to those that have been hacked until they can be restored to their original users, according to Facebook's Simon Axten.
"We invest heavily in helping people keep their accounts secure and have a team of security professionals who investigate specific attacks on our users and work with law enforcement to pursue those responsible," Axten said.
Users can find more details on the process Facebook uses to spot hacked accounts and go to Facebook's security page to learn more about protecting themselves online. Here is more information on what to do if your account has been compromised and how to report a hacked account.