Explained: What’s unique about leak of 533 million Facebook accounts, how are Indian users affected, should you worry?

Explained: What’s unique about leak of 533 million Facebook accounts, how are Indian users affected, should you worry?
on Apr 12, 2021

Earlier this year, it emerged that personal information of over 533 million Facebook users from 106 countries had been leaked online. In January, Alon Gal, CTO of cyber intelligence firm Hudson Rock, first reported that a Telegram bot was being used to sell phone numbers for free. The bot was using a vulnerability in a Facebook feature which allowed phone numbers linked to every account to be accessed for free. This is not the first time that a data leak from Facebook has been reported — there have been numerous such instances in the past, with the most controversial among them in recent memory being the Cambridge Analytica scandal in 2018 when it was reported that a political consulting and strategic communications firm had collected personal information of around 87 million people through a personality quiz app that many had accessed through Facebook. So, why is this data breach making news? What is unique about it and what are the potential implications? We explain. What is the nature of the data that was compromised and how was it leaked? The leaked data comprises personal information such as names, Facebook ID, addresses, phone numbers, email addresses, names of workplaces, date of birth, date of account creation, relationship status and bio. The data set did not include any financial information or passwords. The data was obtained through scraping whereby all the information was extracted by exploiting a vulnerability in Facebook’s contact importer feature. Mike Clark, Product Management Director at Facebook, has stated in a blog post that the data was not stolen by hacking into its system but by scraping its platform. As the blog post states, scraping is a common tactic that often relies on automated software to lift public information from the internet. While scraping itself may not always be illegal, the manner in which the information was obtained in this case and later made available online was a violation of Facebook’s terms of service. In 2019, the Forbes reported that Facebook had confirmed that a newly discovered security vulnerability in Instagram’s contact imports feature let an attacker access names, phone numbers, Instagram handles and account ID numbers. Facebook had said back then that it was “already aware of the issue due to an internal finding”. The current data leak is being connected to that vulnerability, with Facebook admitting that the data dates back to two years ago. Also, it had publicly acknowledged the breach back then. Cyber researcher Dave Walker, who had first drawn attention on social media to the fact that the leaked data set also contained the personal information and phone number of Facebook CEO Mark Zuckerberg, told indianexpress.com, “It’s hard to be too forgiving towards Facebook because this issue was brought to their notice in 2017, which is two years before the data leak, when a 21-year-old Belgian security researcher demonstrated live on air to a radio station in Brussels how he could exploit a vulnerability in a Facebook feature to access the phone number of a senior politician. Facebook didn’t agree with his findings then, and said there was no tangible security failure or privacy impact.  Two years later, a user took half a billion people’s data.” What is unique about this data breach? Just the sheer number of Facebook accounts which were compromised and the amount of data which made its way online makes it one of the biggest-ever breaches of this kind. The exposed data includes personal information of over 533 million Facebook users from 106 countries, out of which there are 32 million records on users in the US and 11.5 million on users in the UK and 6 million on users in India. As many users on Reddit forums have pointed out, if the number of people affected by this breach were a country, it would be the third most populous in the world, behind China and India. Walker said, “The size and completeness of the data and the general availability of it being shared makes the present breach different from the ones in the past. We have a database of over half a billion users, which is around 20% of all Facebook users.” Several interesting pointers emerged when indianexpress.com examined the leaked data set comprising accounts of over 61 lakh Indians. While analysing the data, we found that among the metros, Delhi was the worst hit, with accounts of more than 1,55,000 being compromised. The leaked data also contained account details of over 1,36,000 people from Mumbai, over 96,000 from Kolkata, more than 39,000 from Chennai, over 48,000 from Hyderabad and around 50,000 from Bangalore. Among those in India who had been hit by the data breach, there were more than 49 lakh men and over 12.5 lakh women.  A graphical representation of the number of people from the four metro cities of India who were targetted. Troy Hunt, a security expert who runs HaveIBeenPwned, an online service for users to check if their information has been involved in a data breach, told indianexpress.com what makes the data set unique is the huge number of phone numbers that have been leaked. “Whenever there are data leaks of this nature, there are usually more email addresses. But in this case, a lot of phone numbers mapped to the Facebook account of users have been leaked. So, what you have now is like a giant global phone book which is available out there on the public domain,” he said. Where did the leaked data first become available? The massive database containing the personal information of over 500 million Facebook users was first posted on the dark web — a haven for illegal activities and stolen information ranging from the sale of data to hacking tools to drugs and weaponry—for free, enabling cybercriminals from all over the world to exploit the data to target Internet users worldwide.  A screenshot of the data available on the dark web. Initially, operators of the database allowed Telegram users to query the database in exchange for a fee, enabling the latter to view phone numbers associated with millions of Facebook accounts. However, things got much worse recently when a hacker made the entire database available on a dark web forum for free, enabling anyone with basic data skills to view the personal information of 533 million Facebook users. Dave Walker told indianexpress.com that the data was available across a couple of forums, both on the dark web and other sharing platforms. “Users of this data tend to hide their identity, particularly if they are using it for illegal activities. Across the world, the laws vary and even academic research can be impacted by this concern.  Each time the databases are sold, the value decreases as the data becomes both older and less rare. The individual that made this data available claims to have paid $10,000 and that would seem to be an accurate price, but people who had bought it earlier are likely to have paid much more,” he said. When asked as to why users tend to make such valuable data available for free, Walker said, “Users will often do this to sell it cheaply in large volume, or increase their reputation on the platforms. I’m not comfortable with directing people directly to where this data is available, but someone motivated to find it would not find this a challenge.” What can this leaked data be used for? Privacy has been the biggest casualty as a result of this leak, with personal information such as phone numbers and addresses of many people now available in the public domain. Security experts have said that the leaked data can be used for phishing attacks, sending spam over text messages, marketing calls and targeted advertising. Moreover, phone numbers being publicly available is of particular concern at a day and age when they are used widely for identity verification. Most digital services, including online payments, nowadays require phone numbers where authentication codes are sent for verification. Dave Walker said that the biggest threat is probably phishing, where accurate data can be included in the spam messages to add credibility to the attack. “As the data is well-structured, it is very easy for an attacker to consume this data in a mass phishing attack. However, many platforms use mobile phone numbers as MFA (Multi-factor authentication) or as part of account recovery. I would expect to see some abuse of this, including attempts to steal peoples phone numbers in an attempt to get access to additional accounts for individuals,” he said. “Further, there is a risk of unsolicited contact for high profile individuals, celebrities and vulnerable people. As an example, we were able to discover a number of high-profile individuals phone numbers, including the founder and CEO of Facebook himself,” he added. Agreeing with him, Mikko Hyppönen, a security expert and the Chief Research Officer at F-Secure, a global cybersecurity firm, told indianexpress.com, “The biggest damage in these cases is done to politicians, celebrities, law enforcement officers, judges and people with abusive ex-partners. People who have a valid reason to try to keep their phone numbers hidden have had it exposed, thanks to Facebook.” He added: “Facebook is assuring us that this is not that bad as your phone number was not obtained by hacking but by scraping. But for users who try to maintain an unlisted number, the distinction between hacking and scraping might not feel that important.” Mukesh Choudhary, the Chief Technical Officer associated with Jaipur Police’s cybercrime cell, said the most used modus operandi when it comes to data leaks of this nature is marketing, wherein hackers segregate the stolen data, profile them according to cities, age, sex or paying capacities and sell it to companies and even political parties. “Cybercriminals also often use this data to hit and run profiles. This means they use the phone numbers obtained from the breach as the user id or password to enter someone’s profile and then demand money in return. This is a very common occurrence in the last few years in India. Sometimes, when they come across numbers belonging to VVIPs, they sell it at a good cost,” he added. What has been Facebook’s response and what do security experts say? In the blog post, Facebook’s Mike Clark stated what has been leaked online is an old data set that was obtained through scraping in 2019. The statement read, “This is another example of the ongoing, adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet services. As a result of the action we took, we are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists.” It added, “We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019…When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer. In this case, we updated it to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users.” Even though Facebook stated that only information that was public on the platform when the scraping took place has been compromised, security experts have pointed out that even people who set their phone number visibility to private were affected by the leak. Most security experts the indianexpress.com spoke to said that with the amount of data Facebook possesses, safety will always be a big concern and a leak of this nature will not be the last. Almost confirming their fears, a fresh data set of breached Facebook accounts has now emerged online, which can be accessed through a new Telegram bot that in return for money unmasks the phone numbers of Facebook users that liked a specific Page, the Vice reported. Raj Samani, Chief Scientist at cybersecurity firm McAfee, told indianexpress.com what remains a big concern for everyone is that the leaked data of millions of users is so readily available online now. “The position of Facebook has been challenged, and their response that they found and fixed the issue is unlikely to be comfortable to the millions of people whose personal data is now accessible and could well be used by scammers. The data that has been made available are the sorts of things we cannot change easily. And that is why this data dump is of immense value to criminals,” he said. Troy Hunt agreed that even if this data is old, it is immutable — people very rarely change their addresses, phone numbers or many other details which were part of the leak. “Facebook has said the data was scrapped in violation of their terms of service. But that is not going to help. Criminals who exploited a vulnerability are not going to be bothered about a company’s terms of service. Obviously, Facebook wants you to share more and more data. And the importance of using social media to stay connected during a global pandemic cannot be understated. It’s also true that the social media giant is investing a lot of money into anti-scrapping technologies. But when you have so much data, the challenge is to keep it safe,” he said. Source: indianexpress