More than 533m Facebook users had their personal information posted to a public hacker forum, a move that is raising concerns about an uptick in cyber-crime leveraging the credentials.
An estimated 32m of the half-billion Facebook account records posted online were tied to US-based accounts.
The publicly released Facebook user data is believed to stem from a 2019 “Add Friend” Facebook security bug that hackers exploited at the time. The defect allowed criminals to siphon off hundreds of millions of member account details from Facebook & sell them to the highest bidder on illegal online markets.
As of this weekend, the data is now accessible to anyone for under $3, or basically free. The types of data include Facebook user mobile phone numbers, their Facebook ID, name & gender information.
Alon Gal, CTO at Hudson Rock, is credited with first spotting the 533m account records. At first, the dataset was searchable for a fee, according to ads seen on the secure messaging app Telegram. Now, that same data is available on public online forums used by criminals, for anyone to abuse, Hudson Rock’s Gal noted.
“Bad actors will certainly use the information for social engineering, scamming, hacking & marketing,” he tweeted.
‘Nothing to See Here’
Facebook acknowledged the public availability of the stolen data & released a statement to the Associated Press. “This is old data that was previously reported on in 2019…We found & fixed this issue in Aug. 2019,” Facebook revealed.
Leaky databases, breaches & bugs dominated Facebook in 2019. It is not clear from Facebook’s statement what precise incident this is.
In Dec. 2019, Facebook reported a hacked database containing the names, phone numbers & Facebook user IDs of 267m platform users. The data, according to researchers at the time, was stolen from Facebook’s developer API before the company restricted API access to phone numbers & other data in 2018.
Stolen from Facebook’s Developer
Also in 2019, security researcher Bob Diachenko speculated that the data was stolen from Facebook’s developer API – used by app developers to access user profiles & connected data – before the company restricted developer access to phone numbers & other data in 2018.
Another possibility is that Facebook’s API had a flaw that let criminals access user IDs & phone numbers even after access was restricted in 2018. A further theory is that the data was ‘scraped’ from publicly visible profile pages, researchers commented.
In Sept. 2019, an open server was discovered leaking hundreds of millions of Facebook user phone numbers. In April 2019, researchers found 2 separate datasets, held by 2 app developers (Cultura Colectiva & At the Pool). The actual source of the records (e.g., account names & personal data) in these databases was Facebook.
Using weaknesses in application programming interfaces to harvest data has become a common practice for data brokers & hackers alike.
“Content scraping is a common attack pattern,” suggested Michael Isbitski, Technical Evangelist at Salt Security. “Organisations often build or integrate APIs, without fully considering the abuse cases of the APIs.”
Isbitski stated that APIs are often designed to increase adoption & grow a business by making it easy for others to build complementary technology & systems. Data sets, in this case Facebook profile data, can also be useful in other types of automated attacks, such as brute forcing or credential stuffing to achieve account takeover, he outlined.
Monitoring Consumption Continuously
“At the very least, the data is also useful to attackers for phishing campaigns and social engineering. Organisations must protect the APIs monitoring consumption continuously in order to take such malicious activity as content scraping or authorisation bypasses,” Isbitski advised.
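The continuous consumption monitoring Isbitski describes can be reduced to two signals a defender can compute from ordinary API access logs: how many distinct user records one client pulls inside a short window, and whether the requested IDs advance one by one (an enumeration pattern typical of scraping). The following is an added example, not code from the article, Salt Security or Facebook; the log format, client names, endpoint path and thresholds are all constructed for illustration.

```python
"""Flag likely content scraping in API access logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format: "<ISO timestamp> client=<id> GET /users/<uid>/phone <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) GET /users/(?P<uid>\d+)/phone (?P<status>\d{3})$"
)


def parse_line(line):
    """Return (timestamp, client, uid) for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["client"], int(m["uid"])


def max_distinct_in_window(events, window):
    """Largest number of distinct user IDs one client requested inside any sliding window."""
    events = sorted(events)           # (timestamp, uid) pairs in time order
    counts = defaultdict(int)         # uid -> occurrences currently inside the window
    best, start = 0, 0
    for ts, uid in events:
        counts[uid] += 1
        # Drop events that fell out of the window ending at the current timestamp.
        while events[start][0] < ts - window:
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def sequential_ratio(events):
    """Fraction of consecutive requests whose user ID is exactly previous + 1 (ID enumeration)."""
    uids = [uid for _, uid in sorted(events)]
    if len(uids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(uids, uids[1:]) if b == a + 1)
    return steps / (len(uids) - 1)


def find_scrapers(lines, window=timedelta(minutes=1), max_distinct=50, seq_threshold=0.8):
    """Per-client report; a client is flagged on either the volume or the enumeration signal."""
    per_client = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, client, uid = parsed
            per_client[client].append((ts, uid))
    report = {}
    for client, events in per_client.items():
        distinct = max_distinct_in_window(events, window)
        seq = sequential_ratio(events)
        report[client] = {
            "requests": len(events),
            "max_distinct_per_window": distinct,
            "sequential_ratio": round(seq, 2),
            "flagged": distinct > max_distinct or seq >= seq_threshold,
        }
    return report


def build_sample_log():
    """Constructed log: one ordinary client and one client enumerating IDs."""
    base = datetime(2021, 4, 5, 12, 0, 0)
    lines = []
    # Ordinary app: a handful of unrelated profile lookups spread over ten minutes.
    for i, uid in enumerate([48213, 9177, 50321, 9177, 771245]):
        ts = (base + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{ts} client=app-legit GET /users/{uid}/phone 200")
    # Scraper: 120 consecutive IDs at two requests per second.
    for i in range(120):
        ts = (base + timedelta(milliseconds=500 * i)).isoformat()
        lines.append(f"{ts} client=10.0.0.9 GET /users/{100000 + i}/phone 200")
    return lines


if __name__ == "__main__":
    for client, stats in find_scrapers(build_sample_log()).items():
        print(client, stats)
```

The thresholds are deliberately simple; in production they would be tuned per endpoint and per client tier, and the enumeration check would usually be complemented by alerting on clients that keep requesting records they have never interacted with before.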
One idea, suggests Avesta Hojjati, DigiCert’s Research & Development Lead, is the adoption of encryption for data at rest.
Encryption of Data
“Once again, the importance of encryption of data at rest & in transit has surfaced. Today, the breach happens to impact Facebook, but tomorrow it could very well be other social media,” Hojjati explained.
“We simply cannot prevent vulnerabilities from compromising users’ data, but we can properly use proven solutions to eliminate the use of such compromised data.”
Check Your Facebook Account
Hudson Rock’s Gal explained that the data he found represents users in 106 countries, with 32m based in the US. Each of the records contained Facebook IDs, full names, mobile phone numbers, user locations, past locations, birthdates & email addresses.
By Mon., breach notification site Have I Been Pwned began allowing people to check if any of their personal information was part of this data dump. Site publisher Troy Hunt commented via Twitter that his site is currently only allowing visitors to check their status using an email address. That, he outlined, will only be partially useful, because only 2.5m out of the 533m Facebook member records also included an email address.
Search the Dataset
Hunt observed he is actively seeking ways to allow people to search the dataset via their phone number. “I’m still considering what to do with the phone numbers,” he explained.
Another option is the site The News Each Day, which lets anyone put in a phone number & get either a “Your phone number is in the data” or a “Your phone number is not in the data” answer.