A new data forum has published the phone numbers and personal data of hundreds of millions of Facebook users. The exposed data, published on 3rd April, includes the personal information of over 533 million Facebook users from over 100 countries, including 32 million records on users in the US, 11 million on users in the UK and 6 million on users in India. This data includes phone numbers, Facebook IDs, full names, locations, birthdates, bios and, in some cases, email addresses.
According to Alon Gal, Chief Technology Officer of Hudson Rock, who discovered the leaked data, this could prove valuable to cybercriminals who use people’s personal information to impersonate them or scam them into handing over login credentials. “A database of that size containing the private information such as phone numbers of a lot of Facebook’s users would certainly lead to bad actors taking advantage of the data to perform social-engineering attacks [or] hacking attempts,” Gal stated.
Gal discovered the leaked data in January when a user in the same hacking forum advertised an automated bot that could provide phone numbers for hundreds of millions of Facebook users for a price. The data set has now been posted on the hacking forum for free, making it available to anyone with rudimentary data skills.
Commenting on this recent revelation, Sam Curry, Chief Security Officer, Cybereason, says: “When 25% of any company’s users are potentially exposed to computer fraud and identity theft there is reason for concern for their privacy. But when it becomes half a billion people in more than 100 countries and the company is Facebook, the largest social media platform in the world, users have every right to be concerned.
“This new breach involves old data from a 2019 incident that Facebook reportedly resolved, but it would be foolish to believe that previously exposed data would disappear from dark web forums, where it has been for sale for 2+ years. This isn’t the time for Facebook to play the victim and they really only have two options, hero or villain. Many see Facebook as an industry villain and their minds won’t be changed, but this is another time for Facebook to face its challenges head-on, update users on their privacy policies and continue doing everything possible to protect their data.”
Facebook vowed to crack down on mass data-scraping after Cambridge Analytica scraped the data of over 80 million users in violation of Facebook’s terms of service to target voters with political ads in the 2016 election. Gal said that from a security standpoint there wasn’t much Facebook could do to help users affected by the breach since their data is already out in the open, but he added that Facebook could notify users so they could remain vigilant about phishing schemes or fraud using their data.
“Attackers define the rules of their attack, and increasingly they are operating just like businesses – but just like any business, there is nothing to say that they too can’t be hacked and their data stolen. When your primary asset is data, that asset is going to be valuable to more than just you,” says Tim Mackey, Principal Strategist at the Synopsys CyRC (Cybersecurity Research Centre).
“If that data is stolen from one criminal enterprise, that criminal group might not protect their data and it could easily be stolen multiple times. Effectively, data security is only as good as the weakest link. The people most interested in keeping data secure are the data owners (us) and the businesses we share our data with. We should limit the data we share to only what’s required, and hold those with whom we share our data accountable for its safe-keeping.”
Curry concludes: “In the big picture, this is just another day and another breach and once again ‘privacy’ is the victim. Whether it is one billion or one trillion users, this is another blow to our collective privacy. Consumers should be working under the assumption that their private information has been stolen by hackers ten times over. Consumers should be regularly checking their credit for abuse and constantly checking their credit cards for unusual and unauthorised activity. As an industry, until we can start making cyber crime unprofitable for adversaries, they will continue to hold the cards that will yield potentially massive payouts.”