According to research conducted by the BBC, a seller going by the name "FBSaler" began posting on underground criminal forums about having access to the information of 120 million Facebook users as well as access to the private messages of 81,000 profiles. Further, it was found that email addresses and phone numbers could have been extracted from 176,000 more accounts. Just recently, it was reported that the social network was hacked, compromising around 30 million accounts.
The BBC also contacted some Russian Facebook users and confirmed that the private messages were theirs. However, with so many extensions available, malicious parties have many options: compromise existing software through insiders or poor developer security; release their own seemingly benign plug-ins that provide a useful function alongside snooping; or buy extensions from developers and then update them to include malware.
The victims seem to come primarily from the Russian Federation and Ukraine; however, affected accounts come from all over the world, including the UK, US, Brazil and beyond.
India tried its luck by asking the Central Bureau of Investigation (CBI) to look into the Cambridge Analytica breach, but we all know how that panned out.
Facebook has not named the extensions it believes were involved but says the leak was not its fault.
Facebook became aware of the website hawking information from user accounts and started investigating about a month ago.
One example included photographs of a recent holiday, another was a chat about a recent Depeche Mode concert, and a third included complaints about a son-in-law.
"We have contacted browser makers to ensure that known malicious extensions are no longer available to download in their stores and to share information that could help identify additional extensions that may be related", Rosen said.
A reply in English came from someone calling themself John Smith.
The BBC noted that it's unlikely Facebook would've missed such a huge breach.