An unsecured, publicly reachable database left the personal information of more than 267 million Facebook users, mostly in the U.S., exposed.
Although the database, discovered by security researcher Bob Diachenko and Comparitech and traced to Vietnam, is now inaccessible, it laid bare names, phone numbers, timestamps and Facebook IDs, and the same information also appeared on a hacker forum.
“Diachenko believes the trove of data is most likely the result of an illegal scraping operation or Facebook API abuse by criminals in Vietnam,” Paul Bischoff, privacy advocate at Comparitech, wrote in a blog post, noting that “the database was exposed for nearly two weeks before access was removed.”
Pointing out that Facebook “exposed 540 million users’ data in April after an AWS S3 bucket was left publicly accessible,” Chris DeRamus, CTO at DivvyCloud, said “this latest incident is alarming because the database was unprotected for nearly two weeks, allowing threat actors more than enough time to access it and use it to launch spear phishing attacks and commit identity theft.”
The database was indexed on December 4 and posted on a hacker forum eight days later. Diachenko reported the discovery on December 14, choosing to go directly to the ISP managing the server’s IP address because he and Comparitech “believe this data belongs to a criminal organization,” Bischoff wrote, explaining that the information could be used to harvest additional data and to run SMS spam and phishing campaigns.
Social media platforms like Facebook “are lucrative targets for cybercriminals due to the massive amounts of personally identifiable information (PII) that they collect and store from users,” said Anurag Kahol, CTO at Bitglass.
“The lasting impact is unknown and a staggering 59 percent of consumers admit to reusing the same password across multiple sites, even knowing the risks associated,” said Kahol. “This could give cybercriminals access to various accounts for the same individual across multiple services, rendering their digital footprint incredibly vulnerable as a result.”
Bischoff explained that “Facebook IDs are unique, public numbers associated with specific accounts, which can be used to discern an account’s username and other profile info.”
The researchers aren’t clear how the criminals obtained the information, speculating that it could have been “stolen from Facebook’s developer API before the company restricted access to phone numbers in 2018,” the post said. Developers use the API “to add social context to their applications by accessing users’ profiles, friends list, groups, photos, and event data,” Bischoff wrote.
Another possibility that Diachenko floated: A security hole in the API might have allowed criminals to grab user IDs and phone numbers even after Facebook restricted access to those numbers.
“The same ‘move fast and break things’ mantra championed by Mark Zuckerberg in Facebook’s early days is being mimicked in enterprises globally,” said Vinay Sridhara, CTO, Balbix. “This agile approach has given developers access to data and the ability to spin up new resources on-demand. Security teams must modify their strategies to account for this dynamic new reality.”
It could be, though, “that the data was stolen without using the Facebook API at all, and instead scraped from publicly visible profile pages,” said Bischoff. “Many people have their Facebook profile visibility settings set to public, which makes scraping them trivial.”
This latest compromise involving the social media giant “is yet another wakeup call for consumers to pay close attention to the security policies of apps storing personal information like phone numbers and email addresses,” said Will LaSala, director of security services and security evangelist at OneSpan. “Too often negligence occurs where servers like Facebook’s contain massive amounts of consumer data and are left unprotected without any authentication required to gain access.”
Businesses must reconsider using identity proofing and authentication mechanisms like the Facebook login button to validate user identity. “Guess what. You can't possibly know if a user is who they claim to be given the scope and magnitude of these breaches,” said Robert Prigge, CEO of Jumio, who called those methods “practically useless.”