A user of a hacking forum posted the phone numbers and personal data of hundreds of millions of Facebook users online for free on Saturday.
The exposed data covers more than 533 million Facebook users in 106 countries, including over 32 million records on users in the United States, 11 million on users in the United Kingdom, 6 million on users in Germany and nearly 20 million on users in France. It includes their phone numbers, Facebook IDs, full names, current and former places of residence, dates of birth, biographies, marital status and, in some cases, email addresses.
To verify the authenticity of these records, some media outlets examined a sample of the leaked data and confirmed multiple records by matching the phone numbers of known Facebook users with the details listed in the data set. They also verified records by testing email addresses from the data set against Facebook’s password reset feature, which can be used to partially reveal a user’s phone number.
A Facebook spokesperson said the data had been scraped through a vulnerability that the company fixed in 2019.
Although the data is a few years old, it could still provide valuable information to cybercriminals who use people’s personal information to impersonate or defraud them, according to Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, who drew attention to the data leaked online on Saturday.
“A database of this size containing private information such as the phone numbers of many Facebook users would certainly lead to bad actors taking advantage of the data to carry out social engineering attacks [or] hacking attempts,” Gal said.
Gal first discovered the leaked data in January, when a user on the same hacking forum promoted an automated bot that could provide the phone numbers of hundreds of millions of Facebook users, which he offered for sale. Media outlets that reported on the bot at the time verified that the data was genuine. Here is what Gal explained in January 2021:
“At the beginning of 2020, a vulnerability that allowed the phone number linked to each Facebook account to be seen was exploited, creating a database containing the information of 533 million users in all countries. It has been severely underreported and today the database has become much more worrying.
“A few days ago, a user created a Telegram bot that allows users to query the database for a nominal fee, allowing people to find phone numbers linked to a very large portion of Facebook accounts. This obviously has a huge impact on privacy.”
Now the data set has been posted for free on the hacking forum, making it widely accessible to anyone with rudimentary data skills.
“The 533,000,000 Facebook records have been disclosed for free. This means that if you have a Facebook account, it is highly likely that the phone number used for the account has been leaked. I have yet to see Facebook recognize this absolute neglect of your data,” warned Alon Gal.
Gal said that, from a security perspective, there is little Facebook could do to help users affected by the breach since their data is already exposed, but added that Facebook could notify users so that they can remain vigilant against phishing or fraud schemes that use their personal data.
“People who sign up with a reputable company like Facebook trust them with their data and Facebook [is] supposed to treat the data with the utmost respect,” Gal said. “Users seeing their personal information disclosed is a huge breach of trust and should be treated accordingly.”
Data breaches on the rise
This is not the first time that a large number of Facebook user phone numbers have been found online. In December 2019, security researcher Bob Diachenko discovered an unsecured database containing more than 267 million Facebook IDs, phone numbers and usernames. The database was not protected by a password or any other safeguard. Before access to it was removed, the information it contained had been publicly exposed for almost two weeks.
In September 2018, Facebook revealed that nearly 50 million Facebook accounts had been compromised by an attack that allowed hackers to take control of user accounts. The social network said the flaw was discovered by its engineers on Tuesday, September 25, and that a fix was in place by Thursday. Facebook assured that users whose accounts were affected would be notified. It later estimated that the flaw affected around 90 million accounts, which were exposed to three bugs related to the “View As” feature.
“I’m glad we found this and fixed the vulnerability,” Mark Zuckerberg said on a conference call with reporters. “But it’s a problem that it happened in the first place. I think this underlines the attacks our community and our services are facing.”
Yet legal documents filed in a lawsuit against Facebook showed that the company had been repeatedly warned, by its own employees as well as by outsiders, of a flaw that could be massively exploited by hackers. Nine months before the September 2018 hack, Facebook employees raised the issue with their managers, but their alerts went unheeded. Facebook had repeatedly failed to respond adequately to concerns raised as early as December 2017 by its own engineers, who feared that access tokens were “easy” for criminals to exploit. That is why, when the incident occurred, some employees spoke of their feelings of “guilt” and “suffering”, because they knew the attack “could have been avoided”.
And that is without counting the manipulation campaign orchestrated by Cambridge Analytica, a data-mining firm, which profiled 87 million accounts in order to manipulate public opinion during the US presidential campaign and the Brexit referendum in England.
Sources: Alon Gal, full list of countries affected by the vulnerability