The address of Facebook’s headquarters in Menlo Park, California, is 1 Hacker Way. At the time, it was meant to pay homage to the company’s coding prowess. In retrospect, the company probably ought to have realized the potential ironies it was opening itself up to.
Yes, just when you’d almost forgotten the name Cambridge Analytica, the personal data of 533 million users gleaned from Facebook by what the company called “fraudsters” appeared on a hacking forum over the weekend, Business Insider reported on Saturday.
The half-billion users included 32 million from the United States, 11 million from the United Kingdom and 6 million from India. Users from 106 countries were affected.
In a blog post, Facebook said that the data wasn’t obtained by hacking the platform’s central servers but through scraping, “a common tactic that often relies on automated software to lift public information from the internet that can end up being distributed in online forums like this.”
“We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019,” Facebook said. “This feature was designed to help people easily find their friends to connect with on our services using their contact lists.
“When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer. In this case, we updated it to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users,” the post continued.
“Through the previous functionality, they were able to query a set of user profiles and obtain a limited set of information about those users included in their public profiles. The information did not include financial information, health information or passwords.”
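Facebook's description of the abuse amounts to a classic enumeration oracle: an endpoint built to answer "which of my contacts are already users?" will, if nothing bounds the question, just as happily answer "which of these ten thousand consecutive numbers are users?". The block below is an added illustration, not Facebook's code: a toy directory, an unprotected matcher that behaves the way the article describes the pre-2019 feature, a scraper's number-range generator, and a hardened matcher with the three controls a practitioner would reach for (batch cap and daily budget, a dense-range check, and a hit-rate check that catches a scraper who spreads its guesses out). The directory, the numbers, the client IDs and every threshold are assumptions chosen for the example.

```python
"""Constructed illustration of a contact-import matching endpoint as an
enumeration oracle, with the bulk-abuse controls a hardened version needs.
Not Facebook's code: the directory, limits and client IDs are made up."""
from collections import defaultdict

# Constructed sample directory (E.164 phone number -> public profile fields).
USER_DIRECTORY = {
    "+14155550101": {"user_id": 1001, "name": "Alice Example"},
    "+14155550142": {"user_id": 1002, "name": "Bob Example"},
    "+14155550177": {"user_id": 1003, "name": "Carol Example"},
}


def match_contacts_unprotected(numbers):
    """Pre-fix behaviour as the article describes it: accept any number of
    phone numbers and return the public profile of every one that matches.
    Nothing distinguishes a 50-entry address book from a 10,000-number sweep."""
    return {n: USER_DIRECTORY[n] for n in numbers if n in USER_DIRECTORY}


def enumerate_block(prefix, start, stop, width=4):
    """What a scraper submits: every number in a dense block, e.g. +1415555 0000..9999."""
    return [f"{prefix}{i:0{width}d}" for i in range(start, stop)]


def looks_enumerated(numbers, threshold=0.5):
    """Real address books are sparse; a sweep is dense. Flag a batch when at
    least `threshold` of its sorted neighbours differ by exactly one."""
    values = sorted(int(n.lstrip("+")) for n in numbers if n.lstrip("+").isdigit())
    if len(values) < 2:
        return False
    consecutive = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return consecutive / (len(values) - 1) >= threshold


class ContactImporter:
    """Hardened endpoint. The limits are assumptions chosen for the illustration."""
    MAX_BATCH = 500        # an address book, not a phone book
    DAILY_BUDGET = 5_000   # total numbers one client may submit per day
    MIN_SAMPLE = 200       # judge the hit rate only once enough numbers were seen
    MIN_HIT_RATE = 0.05    # genuine contact lists match far more often than 5%

    def __init__(self):
        self.submitted = defaultdict(int)
        self.hits = defaultdict(int)
        self.flagged = set()

    def match(self, client_id, numbers):
        """Return {number: user_id} for matches, or raise when the request
        looks like enumeration rather than a friend-finding upload."""
        if client_id in self.flagged:
            raise PermissionError(f"{client_id}: flagged for enumeration")
        if len(numbers) > self.MAX_BATCH:
            raise ValueError(f"batch of {len(numbers)} exceeds {self.MAX_BATCH}")
        if self.submitted[client_id] + len(numbers) > self.DAILY_BUDGET:
            raise PermissionError(f"{client_id}: daily lookup budget exhausted")
        if looks_enumerated(numbers):
            self.flagged.add(client_id)
            raise PermissionError(f"{client_id}: batch is a dense number range")

        # Data minimisation: return only what friend-finding needs, not the profile.
        matches = {n: USER_DIRECTORY[n]["user_id"] for n in numbers if n in USER_DIRECTORY}
        self.submitted[client_id] += len(numbers)
        self.hits[client_id] += len(matches)

        # A low hit rate over a large sample is a scraper spreading its guesses out.
        seen = self.submitted[client_id]
        if seen >= self.MIN_SAMPLE and self.hits[client_id] / seen < self.MIN_HIT_RATE:
            self.flagged.add(client_id)
        return matches


if __name__ == "__main__":
    sweep = enumerate_block("+1415555", 0, 10_000)
    print("unprotected:", len(match_contacts_unprotected(sweep)), "profiles from one request")

    importer = ContactImporter()
    for label, batch in [("dense sweep", sweep[:500]),
                         ("spread-out guesses", sweep[::20]),
                         ("real address book", ["+14155550101", "+12025550123"])]:
        try:
            print(label, "->", importer.match(label, batch))
        except (ValueError, PermissionError) as exc:
            print(label, "-> rejected:", exc)
```

Run as a script, the unprotected matcher hands back all three profiles for one 10,000-number request; the hardened one rejects the oversized request outright, flags the dense first batch, returns nothing to the spread-out guesser and then flags it on hit rate, while the two-entry address book still gets its one legitimate match. The hit-rate check is the one that matters against a patient scraper: batch caps and budgets only slow enumeration down across many accounts, whereas a real address book almost never matches below a few percent.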
Bulk harvesting of profile data is, in case you’ve forgotten, what Cambridge Analytica did to over 80 million Facebook accounts in violation of the platform’s terms of service, although in that case the data flowed out through a third-party quiz app’s API access to users’ profiles and their friends’ profiles rather than through scraping. That data was used, in turn, to target voters.
Alon Gal, chief technology officer for Hudson Rock — a cybercrime intelligence firm — first discovered the existence of the information in January on the same board when a user advertised a bot that could retrieve phone numbers for a price.
The data was verified by Vice’s Motherboard, which reported on Jan. 25 that it “tested the bot and confirmed it contained the real phone number of a Facebook user who tries to keep this number private.”
At the time, Facebook said the data was all from accounts created prior to 2019 and that the vulnerability had been fixed; newer accounts returned no result.
On Saturday, the trove of data collected by the scrapers was released free of charge on the hacking board. The information could include your phone number, full name, location, previous locations, birthdate, email address, relationship status and more.
“A database of that size containing the private information such as phone numbers of a lot of Facebook’s users would certainly lead to bad actors taking advantage of the data to perform social-engineering attacks [or] hacking attempts,” Gal told Business Insider.
Phone number, Facebook ID, Full name, Location, Past Location, Birthdate, (Sometimes) Email Address, Account Creation Date, Relationship Status, Bio.
Bad actors will certainly use the information for social engineering, scamming, hacking and marketing.
— Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
Other victims included Secretary of Transportation Pete Buttigieg and (we’re just piling on the ironies now) European Union commissioner for data protection Didier Reynders.
“Other victims include 61 people who list the ‘Federal Trade Commission’ and 651 people who list ‘Attorney General’ in their details on Facebook,” Wired reported Tuesday.
So, are you among the 533 million?
The easiest way to find out is at haveibeenpwned.com, which may sound bizarre but is one of the best ways to discover whether your phone number or email address has appeared in a data leak. For this data set the site can be searched by phone number as well as by email address; enter the number in international format, country code first.
According to The Wall Street Journal, “Facebook didn’t immediately comment on the reliability of third-party sites that help people identify whether their information had been scraped from the platform.” However, haveibeenpwned.com founder Troy Hunt, an Australian web consultant, told Wired he integrated two versions of the leaked Facebook data set that were floating around into his database.
“When there’s a vacuum of information from the organization that’s implicated, everyone speculates, and there’s confusion,” Hunt said.
As for the risks, no credit card numbers or passwords were in the data set. However, a verified phone number tied to a full name, location and birthdate is exactly what social-engineering and account-takeover attempts run on. An expert who talked to WSJ, for instance, pointed to SIM swapping: an attacker uses details like these to convince a mobile carrier to move your number onto a SIM card they control, after which any SMS login codes and password-reset texts sent to that number land in the attacker’s hands. That is also why the two-factor authentication recommended below is best done with an authenticator app or a hardware security key rather than SMS.
Facebook said in its blog post that “it’s always good for everyone to make sure that their settings align with what they want to be sharing publicly.”
“In this case, updating the ‘How People Find and Contact You’ control could be helpful,” the post continued. “We also recommend people do regular privacy checkups to make sure that their settings are in the right place, including who can see certain information on their profile and enabling two-factor authentication.”
Whatever the case, remember that the data Big Tech companies collect to provide their services can be turned against you, if not by the companies themselves then by bad actors who find the weak link in their security, as the contact importer was here.