The data of close to 533 million Facebook users from 106 countries have been compromised in a major privacy breach by a hacker in a hacking forum last Saturday.
According to a report by Business Insider, the data include phone numbers, Facebook IDs, full names, locations, birthdates, bios, and — in some cases — email addresses. The entire dataset has been posted on the hacking forum for free.
In response, a Facebook spokesperson told Insider that the data was scraped through a vulnerability that the company patched in 2019. The breach originated from a security flaw that allowed user information, including phone numbers, to be scraped from Facebook’s vast database of personally identifiable information; it was first reported in September 2019 and rectified by the company.
The leaked data could provide valuable information to cybercriminals who use people's personal information to impersonate them or scam them into handing over login credentials, said Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, who first discovered the entire trove of leaked data online on Saturday.
In his Twitter post, Gal warned: “Bad actors will certainly use the information for social engineering, scamming, hacking and marketing.” He said there is not much Facebook can do, except to warn users of possible phishing schemes or fraud.
Facebook users must take caution
Commenting on the incident, Clement Lee, Security Architect, APAC, at Check Point Technologies said: “This might be just an extension of an earlier incident with Facebook in 2019. The exposed data was based on an API permission that would allow anyone to query a user's number. So far, the motive of publishing the data online is not clear, as there is no financial incentive in giving out the information for free.”
However, Facebook users should take caution, Lee warned: “With the information leaked, bad actors can leverage on these details to perform hacking and phishing attempts through social engineering. One should always take extra precaution to ascertain the legitimacy of the interaction, even if the person is someone you trust.”
“When your primary asset is data, that asset is going to be valuable to more than just you. If that data is stolen from one criminal enterprise, that criminal group might not protect their data and it could easily be stolen multiple times,” said Tim Mackey, Principal Security Strategist, Synopsys Software Integrity Group.
“Effectively, data security is only as good as the weakest link. The people most interested in keeping data secure are the data owners (us) and the businesses we share our data with. We should limit the data we share to only what’s required, and hold those with whom we share our data accountable for its safe-keeping,” added Mackey.
Editor’s note: This story has been updated with additional input from Check Point Technologies and Synopsys Software Integrity Group.