A Russian hacker is believed to have stolen 1.5 million Facebook logins, meaning one out of every 300 accounts.  The hacker, who calls himself “kirllos” and currently lives in New Zealand, says he can sell you 1,000 Facebook logins for $25 or an account for as little as 25 cents each.  Pricing depends on how many friends the account holder has.  About 700,000 accounts have been sold so far on an underground website but it is unknown if they are legitimate accounts for real Facebook users.

According to Facebook’s Simon Axten, Facebook is investigating the specific accounts kirllos has put up for sale and will block access to those that have been hacked until they can be restored to their original users.  In one previous Facebook scam, criminals sent out messages from a compromised account telling friends that they were trapped in a foreign country and needed money.  Hackers also send out links to malicous software to friends of the account holder.

Someone can obtain a Facebook account for very cheap.  There are 400 million users worldwide and many fall victim to scams each day.  Only add friends that you know, make sure your privacy settings protect your personal information, and don’t click on suspicious links.

Fake emails that claim to be from Facebook are being sent to users that read “Facebook Password Reset Confirmation, Customer Support,” encouraging them to click on an attachment to view their updated password.  What happens when you click on the attachment to retrieve your new password? It downloads a “password stealer” that will steal not only your Facebook password, but any other stored passwords you may have including email and banking passwords.

Hackers are utilizing Facebook because it is the most popular social networking website with about 400 million users.  The Facebook security page on the company website warns users of the spoofed email going around and reminds you that Facebook will never send a new password in an attachment. They suggest social networking users warn their friends about the scam.  The attachment in the email infects computers without any clear signs of what is happening so the user has no idea.  This spam is believed to have been sent using botnets  Cutwail and Rustock, which have the ability to control groups of computers to send out spam like this.  Tizer™ Rootkit Razor was just updated to be able to detect the latest rootkits Rustock and 4DW4R3 that have these hacker capabilities.  Download it free here to scan your computer.

You can expect that out of 400 million Facebook users, a good 10% will click on the attachment and be infected by this malicious virus.  That would mean 40 million computers infected, giving hackers such a large amount of personal information.