According to a new report, the personal data of over 533 million Facebook users has been leaked on a hacker forum, for free. First reported by Business Insider, the event was shared by Alon Gal, the chief technology officer of cybercrime intelligence firm Hudson Rock.
The leaked data is said to comprise personal information of Facebook users across 106 countries. Gal further claims that the data of over six million Facebook users in India has allegedly surfaced on the hacker forum for free.
A similar set of data was leaked and spotted by Gal in January 2021. At that time, personal information such as phone numbers, Facebook IDs, full names, locations, birthdates, bios, and – in some cases – email addresses was being sold by hackers for a small sum of money. Both Gal and the Business Insider team analyzed and verified samples from the leaked data, checking several records by matching the phone numbers of known Facebook users with the IDs listed in the data set.
What does Gal claim about this data breach?
Alon Gal said on Twitter that the data of 533 million Facebook users has been leaked for free. “This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked,” he adds.
He also witnessed the data being sold for a small sum of money in January 2021. According to Vice, “The leak is believed to have originated courtesy of a 2020 vulnerability, first reported by Motherboard, that allowed users to exploit Facebook’s systems using an automated Telegram bot. Reddit posters and others have been quick to point out that if the number of people affected by this breach were a country, it would be the third most populous in the world, behind China and India.”
The old report stated: “The initial results from the bot are redacted, but users can buy credits to reveal the full phone number. One credit is $20 (roughly Rs 1,500), with prices stretching up to $5,000 (roughly Rs 3,67,00) for 10,000 credits. The bot claims to contain information on Facebook users from the US, Canada, the UK, Australia, and 15 other countries.”
However, Gal currently states that the hacker forum comprises 32 million records from the US, 11 million from the UK, and 6 million from India.
"It is very worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing and other fraudulent activities by bad actors," Gal told Motherboard at the time.
Troy Hunt of haveibeenpwned.com says that the data set consists of 108 files, broken down by country, with file names in Italian. Further, close to 2,529,621 unique email addresses were added to his website’s database of breached accounts over the weekend.
How has Facebook responded to this data breach?
Facebook, both for the events of January and at present, has stated that the breached data is “old” and that it was obtained through a vulnerability that was patched in August 2019. Beyond this, however, the company has not given any details about how it plans to rectify this lapse in privacy and security. While Facebook claims that it fixed the vulnerability in 2019, users were not informed of this open circulation of their data.
On Tuesday, Facebook said that hackers had “scraped” personal data of 553 million users during a leak in 2019.
“It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019,” Facebook Product Management Director Mike Clark said in a blog post. “This is another example of the ongoing, adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet services.”
What is the impact of this data breach?
The most crucial impact of this data leak is that when users’ personal information such as email address, phone number, and username is exposed, they are put at risk of sophisticated phishing attacks. If such phishing is successful, it could expose a person’s private files such as photos or bank details, and further lead to online stalking.
While the social media giant says that the data comes from a 2019 vulnerability, it fails to acknowledge that such data does not change much over the years; most of the users’ personal information will remain the same. Further, Facebook has made no attempt to tell users how their privacy has been violated.
Gal states that the breach of personal info of over 533 million users is a ‘huge impact on privacy.’ “I have yet to see Facebook acknowledging this absolute negligence of your data,” he adds.
Privacy researcher Gaurav Laroia told Motherboard that states should penalize Facebook.
“It's clear that Facebook hasn't taken its data security obligations seriously,” Laroia said. “That it took them 2 years to acknowledge this breach is also a serious problem. All 50 states and DC have breach notification laws and this whole incident needs to be investigated by state AGs, and the company properly reprimanded if it didn't meet its legal obligations,” he said.