Another year, another data breach at Facebook. As the company slowly bounces back from a major breach in 2019 and growing public criticism of the way it handles data and privacy, the personal data of more than half a billion Facebook users has been published on a hacking forum.
In what is being described as the social network company’s biggest data breach yet, the database published on the forum contains the personal data of hundreds of millions of Facebook users from around the world. According to Business Insider, the data, which was discovered over the weekend, has the potential to be used for a variety of cybercrimes.
The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records from users in the US, 11 million from users in the UK, and 6 million from users in India. In Southeast Asia, 11 million Malaysians and 3 million Singaporean users were also affected. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios and in some cases, email addresses.
Interestingly, Liz Bourgeois, Director of Strategic Response Communications for Facebook, tweeted that “This is old data that was previously reported on in 2019”, and that they had “found and fixed this issue” in August 2019.
While the data may be out of date, many cybersecurity experts believe the data may still be a concern. Clement Lee, Security Architect, APAC, at Check Point Software Technologies believes that the breach might just be an extension of the 2019 incident.
“The exposed data was based on an API permission that would allow anyone to query a user’s number. So far, the motive of publishing the data online is not clear, as there is no financial incentive in giving out the information for free. However, it is also not a new trend that Check Point is seeing”, said Clement.
He advised Facebook users to be cautious about the leaked information, since bad actors can leverage these details to mount hacking and phishing attempts through social engineering.
For Candid Wuest, Acronis VP of Cyber Protection Research, the breach is not surprising as there has already been a similar data leak of 420 million Facebook customer records in 2019. He explained that Facebook claims that this data set was generated by a bot abusing a vulnerability that was fixed in 2019.
“Even though some of the unauthorised data access happened in 2019, the data is still relevant and it is questionable if all users were aware of the earlier data leak. Furthermore, it is surprising that the gathering of such a large data set did not trigger any alarms earlier – that would have prevented further data gathering”, said Candid.
He believes there is now a higher risk of SMS spam, and that password-reset attacks and attacks against SMS-based MFA and other SMS services are now more likely. Users should therefore move critical accounts away from SMS-based MFA where possible.
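The root cause described above, a lookup API that let any caller query whether a phone number belongs to an account, combined with the observation that bulk collection raised no alarms, is the kind of abuse a per-client rate and hit-rate check over the lookup endpoint's logs can surface. The following Python is an added illustration, not Facebook's code or anything from the experts quoted; the event format, client ids, thresholds and sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed detection window
MAX_DISTINCT = 20              # assumed: distinct numbers one client may look up per window
MAX_MISS_RATE = 0.5            # assumed: miss fraction above which probing looks like guessing
MIN_LOOKUPS = 10               # need this many lookups before a miss rate is meaningful

def constructed_log():
    """Constructed sample events (timestamp, client_id, number, result); not real data."""
    base = datetime(2021, 4, 3, 10, 0, 0)
    events = []
    # ordinary contact sync: 8 numbers from an address book, most of them real accounts
    for i in range(8):
        events.append((base + timedelta(seconds=i), "app-user-17",
                       f"+1555010{i:04d}", "hit" if i < 7 else "miss"))
    # guessing a sequential range: 40 consecutive numbers, only a quarter exist
    for i in range(40):
        events.append((base + timedelta(seconds=i), "app-scraper-9",
                       f"+1555020{i:04d}", "hit" if i % 4 == 0 else "miss"))
    # replaying a list of known-good numbers: every lookup hits, but far too many of them
    for i in range(25):
        events.append((base + timedelta(seconds=i), "app-harvester-3",
                       f"+1555030{i:04d}", "hit"))
    return events

def flag_enumerators(events, window=WINDOW, max_distinct=MAX_DISTINCT,
                     max_miss_rate=MAX_MISS_RATE, min_lookups=MIN_LOOKUPS):
    """Return {client_id: reason} for clients whose lookups look like bulk enumeration."""
    by_client = defaultdict(list)
    for ts, client, number, result in sorted(events):
        by_client[client].append((ts, number, result))
    flagged = {}
    for client, rows in by_client.items():
        start = 0
        for end in range(len(rows)):
            # slide the window so it spans at most `window` of this client's history
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            distinct = {number for _, number, _ in win}
            misses = sum(1 for _, _, result in win if result == "miss")
            if len(distinct) > max_distinct:
                flagged[client] = f"{len(distinct)} distinct numbers within {window}"
                break
            if len(win) >= min_lookups and misses / len(win) > max_miss_rate:
                flagged[client] = f"miss rate {misses / len(win):.0%} over {len(win)} lookups"
                break
    return flagged
```

Either signal alone would have fired long before a full country's worth of numbers was walked; the two together also catch a client that replays a pre-validated list and therefore never misses.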
Tim Mackey, Principal Security Strategist at Synopsys Software Integrity Group, added that the breach showed how attackers define the rules of their attack and are increasingly operating just like businesses.
“When your primary asset is data, that asset is going to be valuable to more than just you. If that data is stolen from one criminal enterprise, that criminal group might not protect their data and it could easily be stolen multiple times. Effectively, data security is only as good as the weakest link. The people most interested in keeping data secure are the data owners (us) and the businesses we share our data with. We should limit the data we share to only what’s required and hold those with whom we share our data accountable for its safe-keeping”.
Meanwhile, Yeo Siang Tiong, General Manager for Southeast Asia at Kaspersky, pointed out that the re-emergence of users’ personal data that was previously leaked highlights how the impact of a data breach transcends the limits of time, and imparts upon us the valuable lesson that what is lost will be lost forever. With access to phone numbers, user IDs, full names and even email addresses, cybercriminals have fertile ground from which to launch multiple cyber attacks: phishing scams, social engineering attacks, and break-ins to an organisation’s IT systems to deploy ransomware.
“As with most things, cybersecurity takes two hands to clap and any effort to mitigate the impact of data breaches will also require the proactive effort of consumers who have been affected. In this instance where old personal data has resurfaced online, one can hedge against the long-term consequences of identity theft by monitoring your financial activity as this remains a perennial area of interest for many cybercriminals”, said Yeo.