While many families spent the weekend unwrapping their Easter chocolate, cybercriminals were likely unwrapping a treat of an entirely different nature, after it was announced that the data of 553 million Facebook users (including, apparently, that of Mark Zuckerberg) had been made freely available through a hacking forum.
The huge volume of data, from one of social media’s most popular platforms, is likely to spark concern among businesses and private users alike, so it’s important to understand what has been taken and what steps to consider taking next.
Whose Data Has Been Taken?
It has been widely reported that the personal information of over 553 million users from 106 different countries was included in the breach – which included 32 million US users, 11 million UK users and 3.5 million Canadian users.
What Data Was Leaked?
Data compromised in the breach contained the following:
Facebook ID (the unique number that Facebook assigns to each user)
Account creation date
In some, but not all, cases the email address associated with the account has also been leaked.
Is the Data Legitimate?
It appears so – researchers have been able to validate this by comparing the data of known Facebook users with the data that was leaked. It is likely, given previous Facebook breaches and the way that users share information on social media platforms, that much of the data was already compromised, but not in such an easily accessible form. Facebook has since released an official statement confirming just that.
How Was the Data Stolen?
Facebook has confirmed that the data was stolen using a vulnerability in their systems. However, they also disclosed that the vulnerability was fixed in 2019 – indicating that the data must have been stolen sometime before then. Despite the data’s age, many users will still have the same phone number now, providing opportunities for criminals to use the data in phone-based scam campaigns or cyberattacks.
Was My Data Included?
If your data was included in a leak such as this, the breached organization is obligated to clearly notify the rightful owner – you. As such, there is currently pressure on Facebook to notify specific users affected by this breach; at the time of writing this has not occurred.
Who Has My Data?
The data first came to light in January of this year, when a user on the same forum claimed to have a tool for sale that could provide the phone numbers of hundreds of millions of Facebook users – reporting at the time confirmed that the data was genuine. However, this data has now been made available for free, meaning it is highly likely to be in the possession of a number of individuals, including, but not limited to:
Criminals – particularly, but not exclusively, cybercriminals
Law enforcement agencies
Concerned individuals and private companies
This means that even if the data is removed from its original source, it will remain easily and freely obtainable for individuals who wish to access it.
Some security vendors, including Have I Been Pwned? and IntelligenceX, have already started indexing the data so that individuals can use their free tools to check whether their information was included in the leak or whether their password has been compromised.
Although passwords were not included in this breach, note that using a password that has been compromised already will increase the chances of a threat actor being able to access the account.
We recommend using the tools listed above to check your credentials regularly.
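To show how a password check of the kind Have I Been Pwned? offers can be performed without ever sending the password itself, here is an added example (not code from this article or from Have I Been Pwned?) of the k-anonymity range lookup: the client sends only the first five hex characters of the password's SHA-1 and compares the returned suffixes locally. The response text below is constructed for the example; the endpoint URL is the real Pwned Passwords range API.

```python
import hashlib

# Constructed sample of the text a range query returns: one "SUFFIX:COUNT"
# line per known hash that shares the queried 5-character prefix. The counts
# and the unrelated suffixes here are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
1E2DC6A9C2F9A55D0B2F3C4F5E6A7B8C9D0:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F0A0B1C2D3E4F5061728394A5B6C7D8E9F:12
"""

RANGE_API = "https://api.pwnedpasswords.com/range/"  # real endpoint


def hash_parts(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.
    Only the 5-character prefix ever leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """URL a client would GET; it carries the hash prefix, not the password."""
    prefix, _ = hash_parts(password)
    return RANGE_API + prefix


def breach_count(password: str, range_response: str) -> int:
    """Match the locally kept suffix against the returned list.
    Returns how often the password was seen in breaches; 0 means not found."""
    _, suffix = hash_parts(password)
    for line in range_response.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank or malformed lines
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    # In a real check the client GETs range_url(pw) and feeds the body to breach_count.
    print(range_url("password"))
    print(breach_count("password", SAMPLE_RANGE_RESPONSE))
```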
Indexing of data is considered ‘legitimate interest’ under the General Data Protection Regulation (GDPR), as the regulation allows for the “information exchange of personal data as long as it is for the purposes of ensuring network and information security or if it constitutes the legitimate interest of the data controller (e.g. preventing unauthorized access to the sensible machine after credential leaks)”.
What Can I Do?
From a security standpoint, there is little that users can do as the data is likely to now be widely available. Remember, passwords were not included in the breach, so this leak itself does not require a password reset.
The most significant data point that was leaked is the users' phone numbers; the implicated users should be particularly vigilant for unusual phone calls or text messages which attempt to gather further information or recruit the recipient into some kind of scam.
Where data is indexed by other services, such as Have I Been Pwned? and IntelligenceX, you have the right, under the General Data Protection Regulation, to have your data removed from the service.
Note that Have I Been Pwned? only stores email addresses and passwords and does not store other personal data as part of its records. However, Troy Hunt has asked users on Twitter if they would like to see an exception for the Facebook phone number data.
Have I Been Pwned? also offers an ‘opt out’ feature, which allows individuals to ensure their email address is no longer searchable through its public tool. This allows you to take advantage of one of the following:
Remove your email address from public searching (you can still be notified privately so you will be aware if your email address is in any future breaches)
Remove your email address from public searching and remove the list of breaches it appears in (you can no longer search for the data as it is removed from the records; however, the website will retain a copy of your email address so it can prevent your email address from being reported in future)
Complete removal of your data (this will remove all records of your email address from the system, but you may be re-added if your data is in a future breach)
In turn, IntelligenceX offers a ‘Report Abuse’ function which allows users to report data that meets one of the following criteria for removal from their systems:
Patent, Trademark, Trade Secret
Spam / Malware / Phishing / Hacking
Expressions of racial, ethnic, religious or gender hatred
In both of these cases, it should be remembered that these processes will only remove the data from these services and not from the original leak; as such, your data is still likely to be available to malicious parties.
What Does It All Mean For Us As Users?
The nature of this leak means that the data, particularly that of individuals' phone numbers, is of significant interest to threat actors. If attackers can get direct access to an individual, they can attempt to recruit them into a scam, send malicious messages to infect devices with malware or attempt to use phone calls as a means of gathering further information.
At all times, but especially now, we need to be aware of the potential for malicious phone calls and messages, and be suspicious, particularly when calls are unsolicited or are requesting information that we are not comfortable with disclosing. Given the current security climate, do not feel embarrassed or uncomfortable ending a call in order to verify the identity of the caller (e.g. by calling the supposed company back using a trusted phone number).
Additionally, we should maintain an awareness of how our data is being used and where it resides - not only when it appears in a breach, but also when it is indexed on security sites. We should consider how we want to manage that exposure, so that we remain cognizant of our risk profile without unnecessarily exposing sensitive information that can harm our reputation, personal lives, or financial future.
Want more information on this or any other cybersecurity topic? Simply reach out and ask!