Facebook faces another huge data leak affecting 267 million users | The Cyberbunk

Report: 267 million Facebook users' IDs and phone numbers exposed online (UPDATE: now 316 million)


More than 267 million Facebook users' IDs, phone numbers, and names were exposed in an online database that could potentially be used for spam and phishing campaigns.
Security researcher Bob Diachenko uncovered the database, according to Comparitech. The database was first indexed on December 4, but as of today, December 19, it is unavailable. Comparitech reports that before the site was taken down, the database was found on a hacker forum as a downloadable file. 
Most of the Facebook users that were affected by this leak are located in the U.S., and the data included people’s Facebook IDs, phone numbers, and their full names. 
Diachenko told Comparitech that the leaked data was most likely a result of illegal scraping or a hole in Facebook’s API. Scraping is against Facebook’s policies but can be easily done, especially if users have public profile settings. 
Because of this, Facebook users are advised to set their privacy settings to “Friends” and set the “Do you want search engines outside of Facebook to link to your profile?” setting to “No.” Diachenko also said to be wary of suspicious, unsolicited text messages. 
Digital Trends reached out to Facebook to comment on the leaked data and what they have done in response, and we’ll update this story once we hear back. 
It's not the only instance this year where Facebook had privacy mishaps. As recently as last month, private data of Facebook and Twitter users was also compromised through malicious third-party Android apps. Earlier in the month, it was found that private data of thousands of Facebook group members had been compromised.
Back in September, millions of phone numbers associated with Facebook accounts were discovered in an exposed, online database. The records reportedly contained users’ Facebook IDs and the phone number associated with each person’s account. Some records even had users’ names, gender, and location. 
It is important to note that frequently changing your password and using unique passwords for different platforms are essential for online privacy and security. It’s no secret that we are bad at password management, but having better password habits can be a defense against data leaks.
Databases exposed by a criminal group leaked more than 300 million Facebook user IDs, names, and phone numbers on the web. 

A database containing more than 267 million Facebook user IDs, phone numbers, and names was left exposed on the web for anyone to access without a password or any other authentication.
Comparitech partnered with security researcher Bob Diachenko to uncover the Elasticsearch cluster. Diachenko believes the trove of data is most likely the result of an illegal scraping operation or Facebook API abuse by criminals in Vietnam, according to the evidence.
The information contained in the database could be used to conduct large-scale SMS spam and phishing campaigns, among other threats to end users.
Diachenko immediately notified the internet service provider managing the IP address of the server so that access could be removed. However, Diachenko says the data was also posted to a hacker forum as a download.
Update on March 6, 2020: A second server was exposed by what appears to be the same criminal group. The data in this server is identical to the first, plus an additional 42 million records. We’ve updated this article accordingly.

Timeline of the exposure

The database was exposed for nearly two weeks before access was removed. Here’s what we know:
  • December 4, 2019 – The database was first indexed by search engines.
  • December 12, 2019 – The data was posted as a download on a hacker forum.
  • December 14, 2019 – Diachenko discovered the database and immediately sent an abuse report to the ISP managing the IP address of the server.
  • December 19, 2019 – Access to the database was removed.
  • March 2, 2020 – A second server containing identical records plus an additional 42 million was indexed by search engine BinaryEdge.
  • March 4, 2020 – Diachenko discovered the second server and alerted the hosting provider.
  • March 4, 2020 – The server was attacked and destroyed by unknown actors.
Typically, when we find exposed personal data like this, we take steps to notify the owner of the database. But because we believe this data belongs to a criminal organization, Diachenko went straight to the parties hosting the servers and relevant IP addresses.
Shortly after Diachenko discovered the second server, it was attacked by an unknown party. The databases of personal info were replaced with dummy data and database names that read, “please_secure_your_servers”.

Exposed database prior to unknown attack.

Exposed database after unknown attack.

What data was exposed


Initially, 267,140,436 records were exposed. Most of the affected users were from the United States. Diachenko says all of them seem to be valid. Each contained:
  • A unique Facebook ID
  • A phone number
  • A full name
  • A timestamp
The server included a landing page with a login dashboard and welcome note.
Facebook IDs are unique, public numbers associated with specific accounts, which can be used to discern an account’s username and other profile info.
The second server exposed in March 2020 contained the same 267 million records as the previous one, plus an additional 42 million records. It was hosted on a US Elasticsearch server. 25 million of those records contained similar information: Facebook IDs, phone numbers, and usernames.
16.8 million of the new records contained even more info, including:
  • Facebook ID
  • Phone number
  • Profile details
  • Email addresses
  • Some other personal details

How did criminals get Facebook data?

How criminals obtained the user IDs and phone numbers isn’t entirely clear. One possibility is that the data was stolen from Facebook’s developer API before the company restricted access to phone numbers in 2018. Facebook’s API is used by app developers to add social context to their applications by accessing users’ profiles, friends list, groups, photos, and event data. Phone numbers were available to third-party developers prior to 2018.
Diachenko says Facebook’s API could also have a security hole that would allow criminals to access user IDs and phone numbers even after access was restricted.
Another possibility is that the data was stolen without using the Facebook API at all, and instead scraped from publicly visible profile pages.
“Scraping” is a term used to describe a process in which automated bots quickly sift through large numbers of web pages, copying data from each one into a database. It’s difficult for Facebook and other social media sites to prevent scraping because they often cannot tell the difference between a legitimate user and a bot. Scraping is against Facebook’s–and most other social networks’–terms of service.
Many people have their Facebook profile visibility settings set to public, which makes scraping them trivial.
This isn’t the first time such a database has been exposed. In September 2019, 419 million records across several databases were exposed. These also included phone numbers and Facebook IDs.

Dangers of exposed data

A database this big is likely to be used for phishing and spam, particularly via SMS. Facebook users should be on the lookout for suspicious text messages. Even if the sender knows your name or some basic information about you, be skeptical of any unsolicited messages.
Facebook users can minimize the chances of their profiles being scraped by strangers by adjusting their account privacy settings:
  1. Open Facebook and go to **Settings**
  2. Click **Privacy**
  3. Set all relevant fields to **Friends** or **Only me**
  4. Set **"Do you want search engines outside of Facebook to link to your profile?"** to **No**
This will reduce the chances of your profile being scraped by third parties, but the only way to ensure it never happens again is to completely deactivate or delete your Facebook account.

How and why we discovered this data

Comparitech works with Bob Diachenko to uncover unsecured databases and report them to the public. Our aim is to limit access to and abuse of personal data by malicious parties, and to raise awareness among those affected about the potential risks.
Upon discovering exposed data, Diachenko immediately notifies those responsible so the database can be shut down or secured. We then analyze the leak to identify victims, the duration of the exposure, and any potential threats victims might face.

