In mid-January a security company posted on Twitter that in early 2020 a Facebook vulnerability had allowed anyone to retrieve the phone numbers of 533 million users. The profession was able to track the database because the hackers, most likely after stripping some fields from the data set, built a bot that made the database searchable and then offered it to "strangers" through the Telegram messaging app for a small fee. This is a typical secondary use of stolen data: a database loses its value over time as people change their passwords or phone numbers, so it is resold while it is still worth something.
Since January the situation has changed: the entire database is now freely available, and nobody has to pay anyone to access it.
Why is this a problem?
A list of personal data like this is an ideal starting point for social engineering attacks against the users (obtaining data through psychological manipulation). From phishing to SIM swapping, it makes it possible to take over someone's identity. With this much information in the attacker's hands, it is also very easy to believe that a message asking us to confirm our password really comes from Facebook, when in fact it is the attackers who are deceiving us.
And our Facebook login details are the least of it. With so much information available, it is very easy to convince an unsuspecting user that the caller is from their bank. It seems plausible at first: how could anyone else know so much about us?
A very large share of Facebook users belong to an age group that has not developed a natural immunity to such situations, which makes them especially easy to deceive.
Facebook cannot tell which leak this list originates from, which may be because there have been quite a few major incidents in previous years:
- Early 2018: The true scale of the Cambridge Analytica scandal is hard to determine, but nearly 5,000 data points (discrete items of data) were collected on 220 million Americans.
- September 2018: All personal data of nearly 30 million users was leaked.
- April 2019: 540 million Facebook IDs, behavioural data and other posts were leaked.
- September 2019: The data of 419 million users, including phone numbers and full names, was leaked.
Karma works: Mark Zuckerberg himself is among the affected users. That the story is not so funny, however, is shown by the fact that Pete Buttigieg, the US Secretary of Transportation, is also a victim, along with hundreds of government officials. In Europe, besides the Prime Minister of Luxembourg, the European Commissioner for Justice, who is responsible for data protection, is also affected. The obtained data was even used in an attempt to deceive the German Federal Commissioner for Data Protection and Freedom of Information, which is especially odd because, according to a Twitter post, he has not been a Facebook user since 2018. That raises questions about what happens to our data after we delete ourselves from Facebook, and whether a profile can be permanently deleted at all.
The timing of the leak is also unclear. According to Facebook the incident happened before September 2019, but exactly when is not known, and the guesswork is complicated by the fact that cybercriminals often merge stolen data from several sources before selling it. The timing matters because the General Data Protection Regulation (GDPR) has been in force in Europe since 25 May 2018: if the leak occurred after that date, Facebook was obliged to report it to the supervisory authority within 72 hours, and failing to do so can be punished.
In the US, Facebook's agreement with the Federal Trade Commission from two years ago means it can no longer be held liable for leaks that occurred before June 2019. If the leak occurred after June 2019, however, it can expect serious consequences in America as well.
It is also notable that the phone numbers of 61 UNHCR staff members are among the leaked data.
Be careful if we want to find out whether we are on the leaked list too! Malicious actors like to set up fake lookup pages for exactly such occasions, which serve only as bait for further phishing: they do not search the list at all, but store the phone number or e-mail address we enter in order to prepare further attacks.
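The safe alternative to typing a phone number into a stranger's search box is a lookup that never sends the number itself. The following is an added example, not code from the article or from any of the services it mentions: it implements a hash-prefix range query of the kind used by Have I Been Pwned, where the client sends only the first five hex characters of the SHA-1 of its number and compares the returned suffixes locally. The "leaked" numbers and the service class are constructed for the example; a real service would hold hundreds of millions of hashes, so each prefix would cover thousands of numbers.

```python
"""Privacy-preserving "am I in the leak?" check (added example, constructed data).

Assumption: phone numbers are normalised to their digits only (country code,
no '+', spaces or dashes) before hashing, on both the client and the server.
"""
import hashlib

# Constructed sample of leaked numbers; these are made up, not real data.
CONSTRUCTED_LEAK = {
    "36201234567",
    "36301234567",
    "12025550143",
}

HEX_DIGITS = set("0123456789ABCDEF")


def phone_hash(number: str) -> str:
    """Upper-case SHA-1 hex digest of a phone number, non-digits stripped."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if not digits:
        raise ValueError("phone number contains no digits")
    return hashlib.sha1(digits.encode("ascii")).hexdigest().upper()


class LookupService:
    """Server side: stores only hashes and answers hash-prefix range queries.

    The server never sees a full number or a full hash, so it cannot tell
    which entry (if any) the client was actually interested in.
    """

    PREFIX_LEN = 5

    def __init__(self, leaked_numbers):
        self._hashes = {phone_hash(n) for n in leaked_numbers}

    def range_query(self, prefix: str) -> list[str]:
        """Return the suffixes of every stored hash that starts with `prefix`."""
        if len(prefix) != self.PREFIX_LEN or not set(prefix) <= HEX_DIGITS:
            raise ValueError("prefix must be exactly 5 upper-case hex characters")
        return sorted(
            h[self.PREFIX_LEN:] for h in self._hashes if h.startswith(prefix)
        )


def is_leaked(service: LookupService, number: str) -> bool:
    """Client side: only the hash prefix leaves the device; matching is local."""
    full = phone_hash(number)
    prefix, suffix = full[: service.PREFIX_LEN], full[service.PREFIX_LEN:]
    return suffix in service.range_query(prefix)


# Module-level instance so the check can be exercised directly.
SERVICE = LookupService(CONSTRUCTED_LEAK)


def demo() -> dict[str, bool]:
    """Check a number that is in the constructed leak and one that is not."""
    return {
        "+36 20 123 4567": is_leaked(SERVICE, "+36 20 123 4567"),
        "+36 70 999 9999": is_leaked(SERVICE, "+36 70 999 9999"),
    }


if __name__ == "__main__":
    for number, hit in demo().items():
        print(f"{number}: {'in the leak' if hit else 'not found'}")
```

Two caveats a practitioner should keep in mind. First, the prefix still discloses about 20 bits of the hash, which narrows a querying number down to a candidate set rather than hiding it completely; the protection is against a server that logs exact numbers, not against a determined adversary. Second, phone numbers come from a small keyspace, so the hashes the server holds offer essentially no protection to the people in the leak: anyone who obtains the hash list can brute-force it. The design protects the person querying, not the data set.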
Unfortunately, data leaks have become part of our daily lives. As users we cannot prevent a leak, but we can mitigate its effects, for example by using a different password for every service.
It is also worth paying close attention to which service provider is contacting us and what they ask for by e-mail or phone. A message from a legitimate sender does not ask us to send back any identifier about ourselves.
Nor are we responsible for our own security alone: information obtained through us can be the next step in a future attack on someone else.
Situations like this remind us time and again that it is worth thinking constantly about what we share about ourselves on the various social media platforms. That means not only the content of our public posts, but also what data is worth handing over to these companies at all, and how far they can be trusted.
The author is the Chief Operating Officer of KPMG’s Cyber Security Lab.
Cover Photo: Getty Images