Social media platforms and user data leaks are no strangers to each other. Hackers often exploit a vulnerability to scrape data, and sometimes the abuse comes from seemingly legitimate clients. Remember the Facebook-Cambridge Analytica scandal? Well, Facebook is again at the center of another huge data leak, one that has seen the personal information of over half a billion users make its way online. As per a report by BusinessInsider, the data of over 533 million users, which includes details such as phone number, email address, job info, and date of birth, to name a few, was put up for sale online. Later, it was shared freely on the web.
Phone number, Facebook ID, Full name, Location, Past Location, Birthdate, (Sometimes) Email Address, Account Creation Date, Relationship Status, Bio.
Bad actors will certainly use the information for social engineering, scamming, hacking and marketing.
— Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
BusinessInsider claims to have verified the leak by matching the phone numbers of certain Facebook users with the identification numbers in the leaked data set, and also verified the email addresses using the password reset feature. Liz Bourgeois, Director of Strategic Response Communications at Facebook, tweeted that the leaked data originated from a vulnerability that was fixed back in 2019.
Though the leaked data might be two years old, even if only 1% of affected users still have that phone number and email address linked to their Facebook profile, the number of users whose personal data remains exposed stands at over 5 million. And I am being a little too optimistic here, since the majority of social media users aren’t too cautious when it comes to the security of their personal data and don’t even use critically important tools such as two-factor authentication.
This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019.
— Liz Bourgeois (@Liz_Shepherd) April 3, 2021
Coming back to the Facebook leak, the data, despite being two years old, can still be exploited for a variety of attacks, ranging from hacking and phishing to spamming. And the worst part is that the entire dataset was posted online on hacking forums for free, which means that anyone who knows their way around data now has a treasure trove of information about half a billion Facebook users.
Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, discovered the leaked Facebook user data being sold, and later being shared publicly for free. “Users having their personal information leaked is a huge breach of trust,” Gal was quoted as saying. Troy Hunt, creator of the HaveIBeenPwned database, says the leak is legitimate, and he has already uploaded the leaked email addresses to HaveIBeenPwned, where you can check whether your personal data was also leaked. Chances are high that it was!
But for spam based on using phone number alone, it’s gold. Not just SMS, there are heaps of services that just require a phone number these days and now there’s hundreds of millions of them conveniently categorised by country with nice mail merge fields like name and gender.
— Troy Hunt (@troyhunt) April 3, 2021
And even if the share of users whose phone number was leaked stands at just 20%, the number is still substantial. Plus, the phone numbers in the leaked dataset come neatly arranged by country code, which means malicious parties can target them region by region. Aside from the usual spamming, there are a ton of shady services out there that can abuse these millions of leaked phone numbers in different parts of the world.
Of course, there are a lot of cybersecurity experts and regular users out there asking questions about the massive leak. Will Facebook take accountability? Is the social media giant going to notify the users that were affected by the leak? What steps should users take if their email address and phone number were leaked? The risk of targeted attacks is high, especially given the massive scale and global reach of the dataset.
Hunt notes that the leaked Facebook user data is not only available on hacking forums, but is also circulating on social media platforms. “This data is everywhere,” he adds. While Facebook should be made to answer for the massive leak, the least the company can do for its humongous user base is notify affected users, and it definitely has the resources to do so. A simple notification will be enough, for starters!