The Facebook Data Leak
A massive Facebook data leak that took place over the weekend is apparently the result of the Facebook bug that allowed hackers to obtain the personal data of over 533 million users back in 2019.
Apparently, the user data was scrapped prior to September 2019 using the Facebook flaw, and it was uploaded on the Internet and made publicly available over the last weekend. According to Facebook, the security flaw itself has been long fixed, but it seems that the data acquired by the hackers prior to the fix is still in their hands.
The cybercriminals posted the stolen information on a public hacker forum which rekindled the controversy around the state of Facebook’s security. Back in 2019, it was thought that the bug that lead to the data leak was related to the “Add a Friend” function of Facebook.
In turn, Facebook confirmed that the flaw was indeed related to this feature (which the company refers to as “contact importer”), but it also stated that the problem is no longer present since it was taken care of back in 2019.
According to an official statement by Mike Clark, a product management director at Facebook, the latest data leak was most likely the result of a massive data scrapping campaign that took place before the flaw was fixed in September 2019. It seems that the information has been in the hackers’ possession all this time, and it’s just that it was made publicly available now (rather than earlier).
Clark also noted that this incident exemplifies the difficulty that tech companies have in the face of cybercriminals and online fraudsters who ceaselessly seek to break the policies of different platforms and illegally acquire sensitive and private data. Still, Clark is confident that the specific bug that has led to the current situation hasn’t been present for a long while.
Investigation
Regardless of whether the bug has been fully fixer or not, Facebook still stands to face investigation by EU regulators. One of the first entities to look into the incident is Ireland’s Data Protection Commission (IDPC), according to which the fact that Facebook didn’t disclose the data leak ahead of time (once the leak became known to the company) is a possible violation of the General Data Protection Rule (GDPR).
According to an IDPC post, a big number of users affected by the current data leak are EU citizens, who are now at risk of getting targeted by marketing scams, phishing campaigns, spoofed email attacks, and more.
The IDPC also adds that there have been previous instances of data scraping of similar scale, when Facebook chose not to disclose the incidents, but since those occurrences took place before the GDPR came into force, the company didn’t face any legal consequences.
However, it is possible that some of the information that was leaked last weekend has been scrapped after the GDPR, which would mean that Facebook is currently in violation of the EU Regulation.
At the time of writing, the commission is still working with Facebook to establish all the relevant facts to conclude the investigation.
The Threat of Data Scrapping
Currently, all of the leaked data is accessible to anyone on the Internet for less than $3. The data leak contains information such as user Facebook IDs, phone numbers, emails, names, gender information, etc. Approximately 32 million of the users whose data was leaked are from the US.
This latest leak comes to show that data scrapping is still a serious issue and also reignites the concerns that both regular users and specialists in the field of cybersecurity have with the privacy and security (or lack thereof) of the Facebook platform.
According to Michael Isbitski, a technician at Salt Security, scrapping is a very commonly used tactic that allows criminals to obtain large amounts of private data which could later be used for malicious purposes and/or sold to third parties that would also likely use it in illegal ways.
On the other hand, Mike Clark says that Facebook continues to take measures to prevent future data leaks and scrapping. According to him, many teams in the company are on the lookout for malicious behavior and are working towards tracking down malicious actors and shutting them down before any harm is done.
The person who first found out about last weekend’s data leak is Alon Gal, a Chief Technology Officer at Hudson Rock. According to his discovery, initially, the leaked data could only be searched for in Telegram, a secure messaging application.
At the moment of writing, the data can be accessed by anyone for basically free on hacker forums and there’s little doubt that malicious actors would attempt to use it for phishing attacks, spoofed email campaigns, social engineering, malware distribution, and more.
Leave a Comment X