Facebook and data breaches are starting to become synonymous. After the notorious Cambridge Analytica fiasco, the world's largest social networking platform has come under scrutiny and continues to be a target for privacy advocates. Once again, Facebook is in the news for all the wrong reasons, this time over an incident that affects millions of its users.
Security researcher Bob Diachenko, in partnership with Comparitech, discovered a massive breach in Facebook security, which led to millions of users' information being dumped online. According to the report, a trove of data containing the Facebook user IDs of more than 267 million users, along with their phone numbers, full names, and timestamps, was leaked online for anyone to access.
Facebook data breach
Describing the nature of the security breach, Comparitech and Diachenko revealed that the data was obtained through an illegal scraping operation or Facebook API abuse by criminals in Vietnam. The database, comprising a total of 267,140,436 user records, was dumped on an online hacker forum, where it remained accessible for a whole week from December 12 to December 19.
Diachenko said the data belonged to a criminal organization, so it was reported to the ISP managing the IP address of the server to take it down. Most of the affected users were from the United States and the leaked data seemed valid.
What can criminals do with data?
Since the leaked data included the phone numbers of millions of users, criminals could use it to spread spam or phishing messages. Hackers could also use the phone numbers for SIM hijacking, in which an existing phone number is activated on a different SIM card.
Another threat that affected users face from this breach is that the unique Facebook IDs can be used to look up other associated accounts and gather more information.
What caused the breach?
The researchers found that criminals used scraping to extract the data of millions of users. Scraping is a process in which automated bots sift through webpages and copy data from each one into one place. Facebook has termed the practice of scraping illegal in its terms of service but hasn't done anything to keep the practice in check.
To avoid falling victim to scraping, users can revisit the privacy settings on their social media profiles. Make sure important information such as phone numbers and unique IDs is not set to public.
But there's another possibility. Diachenko said Facebook's API could also have a security hole that allowed hackers to access user IDs and phone numbers. Facebook restricted access to phone numbers in 2018, but it doesn't appear to have done a good job of it.
"We are looking into this issue, but believe this is likely information obtained before changes we made in the past few years to better protect people's information," a Facebook spokesperson told AFP.
Not the first...
The latest Facebook data leak joins plenty of earlier instances in which user data was compromised. After Cambridge Analytica's breach of 87 million user profiles, the company faced a $1.63 billion fine over a data breach that exposed 50 million accounts in October. Shortly after that, hackers stole the personal data of 29 million users. Recently, in September this year, the phone numbers of 419 million Facebook users were dumped on an unsecured server.
Facebook has made some investments and changes in its system security to prevent such attacks from happening time and again. But it is failing at every attempt. The massive user base of Facebook makes it an ideal target for hackers, which makes it important for the social network to improve security.