What’s happened?
In what’s likely to be a goldmine for bad actors, personal information associated with approximately 533 million Facebook users worldwide has been leaked on a popular cybercrime forum for free—which was harvested by hackers in 2019 using a Facebook vulnerability in it’s “Add Friend” feature. The breach was first highlighted by Alon Gal, the co-founder and chief technical officer of cybersecurity firm Hudson Rock, who found the cache of leaked data online on Saturday (April 3).
This also included in the leak are phone numbers from Facebook CEO Mark Zuckerberg, and co-founders Chris Hughes, and Dustin Moskovitz, who are the fourth, fifth, and sixth members to have registered on Facebook.
What details were leaked?
The stolen data first surfaced on a hacking community in June 2020 when a member began selling the Facebook data to other members. What made this leak stand out was that it contained member information that can be scraped from public profiles and private mobile numbers associated with the accounts.
The leaked details include names, gender, occupation, marital and relationship status, the date of joining and the place of work of users, bio, and in some cases even email addresses and phone numbers. The data breach has been confirmed by multiple groups and media organisations.
The exposed data includes personal information of 32 million Facebook users from the US, 11 million from the UK, 8 million from Brazil, 6 million from India, 3.8 million from Bangladesh, 1.2 million from Australia, among others.
Is this the first time?
It is not the first time that the data of Facebook users has been leaked online. In 2019, the same data (of 533 million Facebook users) was leaked and being sold on instant messaging platform Telegram for a fee of $20 per search. Similar data was again leaked in June 2020. Now, the data has re-surfaced online and this time, those who want to access the data can get it without having to pay anything at all.
How can the data be misused?
The leaked data has been put up for free on several forums. The details can be exploited by advertisers for targeted advertisements and by hackers to perform hacking attempts or social engineering attacks. Besides, anyone with rudimentary data skills can use the details to commit a cybercrime.
Earlier in 2018, it was revealed that political firm Cambridge Analytica mined data from 50 million Facebook profiles. The data gathered was used to help political candidates around the world to win elections. The revelations came in the backdrop of the US presidential elections of 2016 and the Brexit referendum.
Is there legal recourse?
While several nations in the West have Data Protection Regulation, India is yet to catch up. Although sections 43A and 72A of the Information Technology Act (2000) provides for compensation in case of improper disclosure of personal information, the Personal Data Protection Bill — which is said to contain provisions relating to a data breach — is yet to be passed in the Lok Sabha. It has been pending since 2019.
Impact and Precautions
This release has been met with enthusiasm by other threat actors on the hacker forum as they can use it to conduct attacks on the people listed in the data leak. For example, threat actors can use email addresses for phishing attacks and mobile numbers for smishing (mobile text phishing) attacks. Threat actors can also use mobile numbers and leaked info to perform SIM swap attacks to steal multi-factor authentication codes sent via SMS. It is advised that all Facebook users be wary of strange emails or texts requesting further information or telling you to click on enclosed links.