Hackers claim to have compromised 120 million Facebook accounts, although cybersecurity firm Digital Shadows suggests the figure is closer to 81,000, the BBC first reported on Friday.
In a new twist, the hackers are selling the private messages of hacked users for 10 cents each.
Facebook has declined to discuss the validity of those claims. Instead, it is focusing on fixing the source of the breach.
“Based on our investigation so far, we believe this information was obtained through malicious browser extensions installed off of Facebook,” stated Guy Rosen, vice president, product management.
“We have contacted browser makers to ensure that known malicious extensions are no longer available to download in their stores and to share information that could help identify additional extensions that may be related,” said Rosen.
Facebook is also directing browser makers to a page dedicated to the removal of add-ons and extensions. So far, the names of the offending browser extensions have not been disclosed.
Hacks have been a defining issue for Facebook this year.
Most recently, the tech titan said hackers had exploited a vulnerability in its code that impacted “View As” -- a feature that lets users see what their own profile looks like to someone else. That breach was believed to have impacted roughly 50 million accounts.
Facebook has an enormous responsibility to protect users’ information, due to its immense size, analysts say.
“The fact that a breach at one company can impact tens of millions of users is troubling,” Jeff Pollard, vice president-principal analyst, Forrester, said recently.
“Attackers go where the data is, and that has made Facebook an obvious target. Facebook needs to make limiting access to data a priority for users, APIs, and features,” he added.