A rich cache of data on some 533 million Facebook users was posted to a hacker forum over the weekend and is available to download for practically free. The information is from a data breach that occurred in 2019, but hasn’t been widely available until now.
The data was posted to an English-speaking cybercriminal forum called RaidForums by a hacker going by the handle TomLiner.
“The Facebook data was first listed for sale on RaidForums on June 6, 2020, but the initial sale allegedly asked users for US$30,000 in exchange for the data,” explained Ivan Righi, a cyber threat intelligence analyst with Digital Shadows, a San Francisco-based provider of digital risk protection solutions.
“TomLiner’s post exposed the data for eight forum tokens — approximately $2.52,” he told bluehillco. “The data has been unlocked by close to 3,800 users, generating TomLiner over $9,500.”
Michael Isbitski, a technical evangelist with Salt Security, a Palo Alto, Calif.-based provider of API security, added that at the time of that incident in 2019, Facebook indicated the data of 220 million users was scraped prior to the company restricting access in the platform to preserve users’ privacy.
“It’s plausible that this is partially the old data set resurfaced and combined with other scraped data sets since the number has now ballooned to 533 million users,” he told bluehillco.
Phone Number Flaw
In a statement provided to bluehillco by Facebook, the company said it is confident the posted information is old data that originated from a weakness in its contact importer feature that was discovered and fixed in August 2019.
At that time, it explained, the company removed people’s ability to directly find others using their phone number across both Facebook and Instagram — a function that could be exploited using sophisticated software code to imitate Facebook and provide a phone number to find which users it belonged to.
Using that software, it continued, it had been possible to input multiple phone numbers and, by running an algorithm, connect numbers to specific users.
Facebook never returned a phone number, it explained; the attacker provided the numbers by which to do the matching.
Through this process, it was possible at that time to query user profiles and obtain a limited amount of publicly available information, it added.
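A defender-side sketch of how the bulk matching described above can be spotted in contact-import traffic. This is an added example, not Facebook's code or part of the original article. The log format, client IDs, phone numbers and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of contact-import lookups: (client_id, phone_number).
# "c-102" uploads a scattered, address-book-like set; "c-977" uploads a
# dense run of consecutive numbers. All values are hypothetical.
SAMPLE_LOOKUPS = (
    [("c-102", n) for n in ("+14155550134", "+12125550190", "+447700900123",
                            "+14085550111", "+13105550177")]
    + [("c-977", "+1415555%04d" % i) for i in range(100, 160)]
)

def sequential_density(numbers, max_step=5):
    """Fraction of sorted neighbours that differ by at most max_step."""
    values = sorted({int(n.lstrip("+")) for n in numbers})
    if len(values) < 2:
        return 0.0
    close = sum(1 for a, b in zip(values, values[1:]) if b - a <= max_step)
    return close / (len(values) - 1)

def flag_enumeration(lookups, min_numbers=50, min_density=0.8):
    """Return {client_id: (distinct_numbers, density)} for suspicious clients.

    A client is flagged when it submits many distinct numbers AND most of
    them sit in near-contiguous ranges, which a real address book rarely does.
    Both thresholds are illustrative assumptions.
    """
    per_client = defaultdict(set)
    for client_id, number in lookups:
        per_client[client_id].add(number)
    flagged = {}
    for client_id, numbers in per_client.items():
        density = sequential_density(numbers)
        if len(numbers) >= min_numbers and density >= min_density:
            flagged[client_id] = (len(numbers), round(density, 2))
    return flagged

if __name__ == "__main__":
    for client, (count, density) in flag_enumeration(SAMPLE_LOOKUPS).items():
        print(f"{client}: {count} numbers, sequential density {density}")
```

Volume alone is a weak signal because large legitimate address books exist; pairing it with range density is what separates a number sweep from an ordinary contact upload.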
Playbook for ID Theft
Although the data may be old, it still has value to hackers, cybersecurity experts told bluehillco.
Admittedly, the data’s value has been diminished as a saleable asset, observed Andrew Barratt, managing principal for solutions and investigations at Coalfire, a Westminster, Colo.-based provider of cybersecurity advisory services.
“But the data is still a ready-made playbook for identity theft, impersonation, and potential Facebook account takeover, which often has more far-reaching consequences if Facebook accounts are used to access other sites, or services,” he said.
“Look at the number of fitness tracking systems, which log relevant healthcare data that leverage a Facebook login to get in,” he added.
Righi noted that it is likely that most phone numbers are still active and remain linked to legitimate Facebook users.
“Cybercriminals can use information such as phone numbers, emails and full names to launch targeted social engineering attacks, such as phishing, vishing, or spam,” he said. “As most users are still working from home due to the pandemic, these attacks could be effective if personalized to target victims.”
“Now more than ever it is important to seriously reconsider using phone numbers as logins or sharing phone numbers with apps,” added Setu Kulkarni, vice president for strategy at WhiteHat Security, a San Jose, Calif.-based provider of application security.
“Switching phone numbers is inordinately more taxing than switching email IDs,” he added.
Exploiting the Pandemic
Being in the middle of a pandemic may also add value to the recycled data from the Facebook breach.
“Having access to all the data may be a golden nugget for criminals orchestrating large spam or phishing campaigns, many of which have been tailored to pandemic themes — stimulus checks, mask politics, geographical restrictions or track and trace scenarios,” observed Barratt.
“Whether it’s more or less valuable is complex because of the general state of the global economy,” he continued.
“It might be harder to scam an individual for a higher amount of money, however it might be possible to scam a larger volume of people for smaller amounts that are ‘on trend’ from a pandemic perspective,” he explained.
Saryu Nayyar, CEO of Gurucul, a threat intelligence company in El Segundo, Calif., added that the global scope of the pandemic can be an asset to scammers armed with data from the Facebook breach.
“Every country is in different stages of grappling with their Covid-19 vaccine rollout, and cybercriminals can absolutely use this data to socially engineer vaccine misinformation,” she told bluehillco.
“I can already see the targeted phishing email headlines: Get your vaccine today — new vaccination center near you! Find out which of your neighbors have Covid-19. Choose which vaccine you get with our new app,” she described.
Daniel Markuson, digital privacy expert with NordVPN, a VPN service provider based in Nicosia, Cyprus, noted in a statement that his company found that vaccine-related Google searches in the United States have grown by 1,900 percent since January.
“This shows that Americans are becoming increasingly anxious to get their Covid-19 vaccine and might be an easy target for hackers,” he reasoned.
Markuson added that in December, Interpol issued an alert to law enforcement across 194 countries, warning them to prepare for crimes revolving around Covid-19 vaccines.
Investigators have also reported vaccine-related activities on the Dark Web, he added.
No Stranger to Breaches
Over the years, the social network has been the target of a number of headline-grabbing data breaches.
“Facebook has been hit with data incidents from every angle,” observed Paul Bischoff, privacy advocate at Comparitech, a reviews, advice and information website for consumer security products.
“It has left user data sitting on exposed servers, allowed app developers to abuse access to user accounts, and left bugs in code that hackers could exploit to steal data,” he told bluehillco.
“On top of that, most Facebook profiles are public, which means third parties can scrape them using bots,” he said.
Data security and privacy were never high in the minds of the Facebook developers when they built the platform, maintained Purandar Das, CEO and cofounder of Sotero, a data protection company in Burlington, Mass.
“On the other hand, the platform was all about monetizing the users’ data,” he told bluehillco.
“When you design products or platforms that start with no attention to security and privacy,” he said, “it becomes very hard to go back and retrofit those capabilities.”