Data information from over 533 million Facebook users from 106 countries was discovered to have been leaked publicly earlier this year. Alon Gal, CTO of cybersecurity company Hudson Rock, was the first to announce in January that a Telegram bot was being used to sell free phone numbers. The bot took advantage of a flaw in a Facebook feature that enabled everyone’s phone numbers to be viewed for free.
This isn’t the first time a data leak from Facebook has been reported — there have been a slew of them in the past, the most infamous of which was the Cambridge Analytica scandal in 2018, where it was revealed that a political consulting and strategic communications firm had gathered personal data on about 87 million people using a personality quiz.
So, what’s the big deal with this data breach? What makes it special, and what are the future ramifications? What kind of information was stolen, and how did it leak?
Names, Facebook IDs, addresses, phone numbers, email addresses, names of workplaces, date of birth, date of account completion, relationship status, and bio are among the personal details that have been leaked. Financial records or passwords were not included in the dataset.
The information was accessed by scraping, which involved manipulating a flaw in Facebook’s contact importer functionality to remove all of the information.
In a blog post, Mike Clark, Facebook’s Product Management Director, confirmed that the data was scraped rather than hacked into the company’s infrastructure.
As mentioned in the blog post, scraping is a popular technique frequently used by automated software to collect public data from the Internet. Though scraping isn’t always unlawful, how the information was accessed and later made public publicly, in this case, was a breach of Facebook’s terms of service.
Forbes announced in 2019 that the Facebook protection flaw newly discovered in the touch imports functionality of Instagram has enabled an attacker to have access names, telephone numbers, handled Instagram and account ID numbers. Facebook said that it was because of internal discovery and that it was already aware of the issue.
This flaw is associated with the latest data breach, which Facebook admitted was two years earlier. It had already officially recognized the infringement at the time.
Cyber-researcher Dave Walker, who first pointed out that the leaked data set even included Facebook CEO Mark Zuckerberg’s personal information and telephone number, says Facebook was so unworthy of Facebook, since in 2017, two years before the data leak, a 21-year-old Belgian quest for safety was brought up. Facebook did not accept his conclusions at the time and said that no tangible protection or confidentiality impact had been identified. A person took half a billion people’s data two years back.
What is special about this infringement of data?
Just because of the large number of Facebook accounts that have been hacked and the volume of data that has been sent electronically, it is one of the worst ever violations. Personal information of over 533 million Facebook users in 106 countries was revealed, including 32 million account records in the United States, 11.5 million users in the United Kingdom, and 6 million users of India.
As several users in Reddit forums pointed out, it would be the third most populated country after China and India if the number of people affected by this violation was one country. Walker says that the scale and comprehensiveness of the data and its general availability distinguish the current violation from those of the past. We have more than a half-billion people on our servers, representing about 20% of all Facebook users.
Where did the stolen data come first?
The huge database containing the personal information of more than 500 million Facebook consumers was first placed on the Dark Web — a sanctuary for illicit activity and robbed information from the auction, hacking software, drugs, and weapons-free to Internet users worldwide.
Initially, the database operator permitted Telegram users to search the database for a fee, allowing them to browse telephone numbers for millions of Facebook accounts. However, the situation recently got worse after a hacker made the whole database open to access the personal data of 533 million Facebook users on a dark web forum and gave anyone with the simple data ability to view it.
Dave Walker said that the users of these data prefer to mask their identity, particularly if they use it for illegal purposes. Laws differ worldwide, and this issue can also affect scholarly studies. Whenever the datasets are sold, the valuation will drop as the data gets older and less rare. The person who provided this information claims they paid $10,000 and that seems to be a precise price, but people who have bought it before probably pay much more.
What could be the use of the data leaked?
As a result of this leak, privacy was the worst loss with sensitive details such as telephone numbers and numbers of certain individuals accessible now in the public domain. Security experts said that leaked data can be used to attack phishing, send spam via text messages, commercial calls, and targeted publicity. Furthermore, public telephone numbers are particularly important at a time when they have been used extensively to verify identification. Most digital platforms also require phone numbers to verify identification codes, including online payment.
Dave Walker said that phishing possibly is the greatest challenge, where reliable information can be used in the spam messages to give the attack more legitimacy. Since the data is well organized, an attacker can easily consume these data during a mass phishing attack. Often platforms use MFA (multi-factor authentication) or mobile telephony numbers as part of a recovery account. I would predict any bullying, including efforts and steal people’s telephone number and try to get additional people’s accounts, he said.
In addition, high-profile figures, actors, and elderly people run the risk of unwanted interaction. For example, we discovered a variety of high-profile phone numbers including Facebook’s founder and CEO himself. Mikko Hyppönen, a security expert and the Chief Research Officer at F-Secure, a major cybersecurity agency, agreed on the above-mentioned argument, saying that in these situations, the most harm is done to lawmakers, actors, law enforcement agents, judges, and individuals with violent ex-partners. Because of Facebook, people who had a good excuse to keep their phone numbers secret have had them revealed.
He said Facebook assures us that this isn’t as serious as it is because your phone number was accessed by scraping, not hacking. However, for users who want to keep their phone numbers private, the difference between hacking and scraping might not be as significant.
Chief Technical Officer affiliated with the cybercriminal cell of Jaipur Police Mukesh Choudhary said marketing is the most used way to do this when it comes to data breaches, in which hackers are separating stolen data from it, profiling and selling them to firms and even political parties according to cities, age, sex or capacity. Cybercriminals very sometimes hit and run profiles with this info. This means they use the telephone number from the infringement to access a profile and then claim the money in return, as a user id or password. This occurred quite much in India in recent years. He added that often when they meet VVIPs figures, they sell it at a fair price.
What was the response from Facebook and what are the security experts saying?
Facebook’s Mike Clark said in the blog post, which was leaked online is an outdated package of data that was collected in 2019 through scraping. The statement reads This is just another example of the ongoing conflicting technology businesses of fraudsters who deliberately knock down internet access network policies. Through our step, we are sure that there will no longer be a particular problem that allowed these data to be scratched in 2019.
We think that, until September 2019, the data in question were scrapped from the Facebook accounts of people using the communication importer by malicious actors… We made improvements to the touch importer when we saw how malicious actors were exploiting this function in 2019. We changed it, in this case, to discourage malicious actors from using malware to mimic our application and to download a huge number to find the Facebook users who fit in.
While Facebook claimed that only public information was impacted when the scraping was carried out on the site, security experts stated that even individuals who set their telephone number visibility to private were affected by the leak as well.
Troy Hunt accepted that, while this data is old, it is unchanged — very rarely do people update their names, telephone numbers, and any other specifics. In breach of their terms of service, Facebook said the data was discharged. So, it won’t be helpful. Criminals that have used a security loophole would not worry about the terms of service of an organization. Naturally, Facebook needs more and more details to be shared. And we cannot underestimate the value of social networking during a global pandemic. It is also accurate that the titan in social media invests a lot of money in anti-scrap technology. But the challenge is to maintain it secure if you have too much info.