‘Half a billion Facebook users’ data breached’, this or something very similar is a headline you may have seen in the media in recent days. Any data breach, especially one that affects such a large quantity of users, is unpleasant both for the company and the users concerned; in this instance, though, it appears to be old news with a new twist.
The timeline of this data breach, according to Facebook, starts back in 2018, when it transpired that malicious actors were abusing a feature on Facebook that allowed a user to search for another user by phone number to locate them on the social network. This feature was especially useful in territories where many users share the same first and last name, making it complex to track down the actual person you were looking for. Unfortunately, this allowed bad actors to abuse the feature and ‘scrape’ Facebook using automation and scripts to compile a database that, at a minimum, included the victim’s name and phone number.
Facebook removed the feature in April 2018, shortly after the Cambridge Analytica scandal, and when the malicious ‘scraping’ activity was identified. Forward to 2019 and, as reported by TechCrunch, a security researcher found records of 400 million Facebook accounts in an unprotected database online. At the time, Facebook confirmed the data was dated and appeared to have been gathered prior to the removal of the search feature in 2018. The unprotected data was removed from public access.
In recent days, CNN and numerous other media outlets reported that security researchers have, once again, identified a publicly accessible unprotected database with, what appears to be, the same scraped data as reported in 2019. There is some speculation, as reported by TechCrunch, that the original dataset may have been added too since it was scraped in 2018, according to quotes from Ireland’s Data Protection Commission (DPC). The DPC are stated as attempting to establish the full facts to ascertain whether the breach occurred before the General Data Protection Regulation (GDPR) took effect.
If, at the time of the scraping the victim’s profile on Facebook was public, the malicious actor may have gleaned further, more personal, information that could then be used to create a profile of the victim. Data that contains rich personally identifiable information data could be used to against the victim in identity theft, targeted phishing, social engineering, account takeover, and other scams that could cause significant disruption and damage.
Does the value of data diminish over time? The answer is both yes and no. I have the same phone number today as I did in 2018, information that is static such as date of birth remains the same, and even a timeline of activity would not change but would have just stopped at the point the data was gathered. Whereas passwords, which this data did not contain, are likely to have been changed in the last three years.
Data breach tracking website Have I Been Pwned (HIBP) notes that only 2.5 million of the records found in the unprotected publicly accessible data included an email address; however, most records contained names, gender, date of birth, location, relationship status and employer. I would consider such personal data, even without an email address, to be a compromise of my identity and something I should be concerned with.
How to check if you were affected
For the user accounts that contained an email address then malicious actors could attempt to access Facebook and other sites and services using the email address and brute-force techniques with commonly used passwords. If the victim only uses simple passwords, the same one on many sites, and never changes them then they need to take action today – change passwords, make them unique and complex and please turn on multi-factor-authentication. You can check if you were one of the 2.5 million on the HIBP website.
Perhaps more importantly, however, the site now also enables anybody to check whether their phone number was exposed in the breach.
Why is this important beyond the sheer number of the leaked phone numbers? If you have ever received an SMS text message to reset a Netflix password or telling you that there is a gift card waiting for you then you should be aware that bad actors will likely use the data they have, name and phone number, to socially engineer a response that will gain them access or data that they can then monetize. It’s also probable that bad actors may have combined this data with other breached data, which could include your email address and other personal data, giving the bad actor enough information to launch a credible-looking social engineering attack on individuals.
Vigilance and a doubting attitude to every message and email you receive will help protect your online accounts. Couple this with passwords unique for each account, multi-factor-authentication and good security software, such as ESET, will help protect you. And, if you can’t remember passwords or create unique complex ones then consider a password manager.