Cybercriminals are attempting to sell 81,000 private Facebook messages and claim to have personal information obtained from millions of accounts.
The broadcaster believes most of the affected accounts are based in Russia and Ukraine, but users in the UK, Brazil and other countries have also had their data compromised.
Article continues belowThe Week
Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.
Sign up for The Week's Free Newsletters
From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.
From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.
The hackers told the BBC that they have private details from more than 120 million accounts, but the news service believes “there are reasons to be sceptical about that figure”.
Data stolen by the hackers include holiday pictures, private messages between couples and a complaint about a son-in-law.
A number of Russian users whose data appeared during the investigation were contacted and confirmed to the BBC that the information was indeed theirs.
Facebook denies that a data breach has occurred and that its security systems are still intact, but said it would take steps to ensure no further accounts were accessed.
Speaking to the BBC, the company’s product chief Guy Rosen said it believes “malicious browser extensions” are behind the leaked information.
Extensions are designed to add features that “don’t exist” on standard web browsers, such as Google Chrome or Apple’s Safari, the Mirror reports.
But the newspaper says it “doesn’t take a huge leap of imagination” to see how these extensions could be used to “observe” users inputting passwords and email information.
Rosen said Facebook had “contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores”.
“We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts,” he added.