Someone leaked the phone numbers and personal information for over half a billion Facebook users online. Alon Gal, CTO at cybercrime intelligence firm Hudson Rock, tweeted out that someone had dumped hundreds of millions of Facebook records onto a hacking forum:
Gal took a look and found that the data dump included the phone numbers, Facebook IDs, birthdates, bios, full names and locations for 533 million Facebook users based in 106 countries. It also included the email addresses for a portion of the affected users.
Business Insider verified several of the leaked records by matching known Facebook users’ phone numbers with the IDs included in the data dump. The media outlet took the additional step of verifying some of the victims’ email addresses and phone numbers using the social media platform’s password-reset feature.
The affected user information was freely available at the time of discovery, as Gal said in his tweet. Malicious actors could have then used that data to try to gain access to their victims’ accounts. They could have also targeted their phone numbers and email addresses with social engineering attacks in an attempt to steal even more information.
“When 25% of any company's users are potentially exposed to computer fraud and identity theft, there is reason for concern for those individuals’ privacy,” said Sam Curry, CSO at Cybereason.
“But when it becomes half a billion people in more than 100 countries and the company is Facebook, the largest social media platform in the world, users have every right to be concerned.”
A spokesperson for Facebook informed Business Insider that someone had obtained the data after exploiting a vulnerability patched by the social media company in 2019.
The vulnerability amounted to a server that contained 419 million Facebook user records but that lacked password protection. This could have allowed anyone to have accessed the exposed data, which was then accessible across several databases.
Facebook spokesperson Jay Nancarrow told TechCrunch at the time that whoever was responsible for scraping the information had “obtained [the data] before [Facebook] made changes last year to remove people’s ability to find others using their phone numbers.”
He also added that the social media giant had taken down the data set and that it didn’t appear as though anyone had misused any of the affected users’ account information. But that didn’t stop malicious actors who had already downloaded the data from attempting to monetize it.
Curry agreed: “This new breach involves old data from a 2019 incident that Facebook reportedly resolved,” he said. “Even so, it would be foolish to believe that previously exposed data would disappear from dark web forums, where it has been for sale for 2+ years.”
Those two incidents aren’t the only times where Facebook users have had their information exposed. At the end of 2019, for example, Comparitech came across a similarly unprotected database containing 267 million Facebook records. The discovery of a second database in the months that followed brought the total number of exposed records to 309 million.
We also all remember what happened in the Cambridge Analytica data scraping scandal that made news the previous year. Facebook should therefore use this history to craft a response, as Curry explained.
“This isn't the time for Facebook to play the victim, and they really only have two options, hero or villain,” he pointed out. “This is a time for Facebook to face its challenges head-on, update users on their privacy policies and continue doing everything possible to protect their data.”
Curry feels that the impact of this incident goes beyond Facebook, however. “This is just another day and another breach, and once again, 'privacy' is the victim,” he said. “Whether it is one billion or one trillion users, this is another blow to our collective privacy.”
Consumers don’t have many options available to them other than taking the security of their private data into their own hands. This can involve regularly checking their credit files for abuse as well as reviewing their payment card statements for suspicious activity.
That’s why the security community ultimately needs to be the one to take action. “As an industry, until we can start making cybercrime unprofitable for adversaries, they will continue to hold the cards that will yield potentially massive payouts,” Curry noted.
In particular, vendors and customers alike need to recognize that digital threats are ever evolving and that relying on Indicators of Compromise (IoCs) is no longer enough. Companies need visibility into Indicators of Behavior (IoBs) so that they can visualize the entire attack chain and quickly respond to a security incident.
Learn how Cybereason is helping to lead the charge in this new age of security.
David Bisson is an information security writer and security junkie. He's a contributing editor to IBM's Security Intelligence and Tripwire's The State of Security Blog, and he's a contributing writer for Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.
All Posts by David Bisson
The Anom was the holy grail of dark, illegal communication: a mobile phone that could send encrypted messages that even included a secret Kill-Switch to foil attempts by law enforcement agents to get to its contents. Thousands of criminals used the Anom, certain that they were completely safe from the police - they were wrong - check it out...
Cybereason GSOC observed distribution of the Bumblebee Loader and post-exploitation activities including privilege escalation, reconnaissance and credential theft. Bumblebee operators use the Cobalt Strike framework throughout the attack and abuse credentials for privilege escalation to access Active Directory, as well as abusing a domain administrator account to move laterally, create local user accounts and exfiltrate data...
