Leaked Data of 533mn Facebook Users Reemerges Online, Why FB’s Reply is Unconvincing
Facebook is back in the limelight for all the wrong reasons, and this time, a new report claims that the personal data of over 533 million users has surfaced on a hacker forum, practically free of cost. The development was shared by Alon Gal, chief technology officer of cybercrime intelligence firm Hudson Rock, and was first reported by Business Insider. As per Gal, the exposed data includes the personal information of Facebook users from 106 countries. He claims that the data of over six million Facebook users in India has allegedly surfaced on the hacker forum for free. Notably, a similar set of data had been leaked in January 2021 and was also spotted by Gal. At the time, however, the hackers were selling personal information such as phone numbers, Facebook IDs, full names, locations, birthdates, bios, and – in some cases – email addresses for a small sum of money. Both the Business Insider team and Gal reportedly reviewed a sample of the leaked data and verified several records by matching known Facebook users’ phone numbers with the IDs listed in the data set. Facebook has provided a cryptic reply to this whole incident, and here’s the entire saga de-cluttered for you.
What does the security researcher claim about the Facebook data breach: In a series of tweets, Alon Gal says that the data of 533 million Facebook users just leaked for free. “This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked,” he adds. As mentioned, the security researcher had witnessed a similar set of data being sold online for a sum of money in January 2021. According to Vice Motherboard, a Telegram bot let hackers look up a user’s info (provided it was part of the breach) by entering known identifiers such as a username, email ID or phone number.
The old report stated: “The initial results from the bot are redacted, but users can buy credits to reveal the full phone number. One credit is $20 (roughly Rs 1,500), with prices stretching up to $5,000 (roughly Rs 3,67,00) for 10,000 credits. The bot claims to contain information on Facebook users from the US, Canada, the UK, Australia, and 15 other countries.”
However, the latest development from Gal notes that the hacker forum includes 32 million records from the US, 11 million from the UK, and 6 million from India.
All 533,000,000 Facebook records were just leaked for free. This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked.
— Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
What Facebook is saying about the data breach: Both in January and at present, Facebook says that the data is “old” and was exposed through a vulnerability that was patched in August 2019. However, the company has not provided any details as to how it is rectifying this lapse in security. Meanwhile, Gal states that the breach of personal info of over 533 million users has a ‘huge impact on privacy.’ “I have yet to see Facebook acknowledging this absolute negligence of your data,” he adds.
This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019.
— Liz Bourgeois (@Liz_Shepherd) April 3, 2021
Key takeaway from the massive data breach: Although Facebook has said that the breach pertains to a vulnerability from 2019, the social media giant fails to acknowledge that the exposed data may still be accurate after all this time, since details such as phone numbers and birthdates rarely change. As pointed out by the security researcher, there seems to be no attempt from the company to notify users whose data has been compromised. Most importantly, if a user’s personal info such as email, phone number and username is exposed, they are at real risk of being targeted by a sophisticated phishing attack. A successful phishing attack could expose one’s sensitive files like photos or even banking details. It may also lead to instances of online stalking.
Meanwhile, several crowdfunded websites help users check if their data has been compromised. One such resource is HaveIBeenPwned.com, a database maintained by security analyst Troy Hunt. It lets visitors enter their email address and cross-references it against more than 10 billion accounts compromised in past breaches to determine whether they’ve been “pwned,” or compromised.