Cybercriminals stole Facebook passwords and lured their victims' friends to websites promoting a bitcoin scam. Then they exposed their whole operation on an unsecured database, researchers found.

A crime operation appears to have tricked hundreds of thousands of Facebook users into handing over their account passwords. The fraudsters then exposed their own operation by making a basic security mistake: They forgot to lock down a cloud database storing the pilfered login credentials with a password of their own.

That meant anyone with a web browser could view the information, which included further details on how they carried out the operation. The findings come from Israeli security researchers Noam Rotem and Ran Locar, who published their research Friday with security website vpnMentor.

Rotem and Locar reported their findings to Facebook, and the database is no longer exposed. Facebook forced a reset of the passwords for affected accounts.