Friday, November 22, 2024

Facebook data of 533 million users, including 61 lakh users from India up for sale on hacker forums

The hacker also mentioned that the data was scraped from Facebook in August 2019 when the social media giant suffered a large leak of private user information, thanks to a vulnerability that was later fixed.

A massive data dump covering 533 million Facebook users worldwide has been leaked and is making the rounds on hacker forums. According to the posts by the threat actors who leaked it, the dump contains names, birthdays, phone numbers, users’ unique Facebook identifiers, email addresses, relationship statuses, occupations, account creation dates and more.

Image caption: post by the threat actor giving details of the data dump

The hacker claimed that the data was scraped in August 2019 through a flaw that Facebook later fixed: “In August 2019, the social media platform Facebook suffered a large leak of private user information through an exploited vulnerability which allowed for the information of 533 million of their users to be scraped and later published.” In the comments, it was mentioned that the database had been up for sale for $99 on another forum in March.

The comments also stated clearly that the data dump contained information on 61,62,450 Indian users.

Image caption: the dump is split into one file per country; the Indian file has 61,62,450 records.

Experts’ views on the data leak

The leak was reported by several experts, including Alon Gal, CTO of the Israeli cybercrime intelligence firm Hudson Rock, Troy Hunt of haveibeenpwned.com, and others. Gal had already reported the leak in January 2021, when he said it was underreported. At that time, Gal found that a user had created a Telegram bot that let anyone query the database for a small fee. “This obviously has a huge impact on privacy,” he said.

On April 3, quoting his January thread, Gal noted that the 533 million records had now been leaked for free. He added that bad actors would likely use the leaked information for scamming, hacking, social engineering and marketing.

Troy Hunt, founder of haveibeenpwned.com, wrote a long thread on the leak on April 4. On first review, he said, the database was an extensive data set with one file per country. Though he could not find data on anyone from his family, he said, “I’m hearing from other trustworthy sources that the data is legit, and that seems a reasonable assumption to work on for now.”

Hunt added that he would extract and load the data, which he expected to amount to around 10 million records rather than the hundreds of millions claimed by the hackers. On the impact of such a breach once the data is freely available, Hunt said, “For a targeted attack where you know someone’s name and country, it’s great for mobile phone lookup. Much harder to do en masse as there’s no reliable key; I couldn’t make a big list of emails and resolve them to phone numbers as email is rare in the data.”

After parsing, Hunt found 2,529,621 email addresses in the data dump. Anyone can check whether their email address appears in the leak on haveibeenpwned.com.

Later, on April 6, he added in the same thread that the phone numbers were also being uploaded to haveibeenpwned.com, making it easier for users to check whether their information was exposed. By the time this report was published, that upload was still in progress. He also observed that where there is a vacuum of information, people speculate: “Facebook needs to make a clear statement on the data that’s in broad circulation; when it happened, where it came from and what’s in it. Without that, confusion and speculation reign,” he said.

Joe Tidy, cyber reporter for the BBC, listed several earlier Facebook breaches affecting more than a million users each. According to his post on Twitter, in 2019 alone there were four data breaches at Facebook, affecting 600 million (March 2019), 540 million (April 2019), 419 million (September 2019) and 309 million (December 2019) users.

Because there were several breaches in 2019, there was confusion over which data set had been made available online. In another tweet, Tidy said that, going by Facebook’s confirmation, the available dump was the one from September 2019, which was initially thought to cover about 400 million users.

Speaking to OpIndia, Sunny Nehra, admin at Hacks And Security, said, “Though the data is old, downplaying the leak is not the way to go. The dump has an enormous amount of data that bad actors can use for spamming, hacking and marketing.” He added that security in the digital space is an illusion: all applications suffer from some vulnerability or other, and the better they are tested, the more vulnerabilities are found. Facebook runs a proper bug-hunting programme in which anyone who finds a valid vulnerability can report it and earn recognition and financial rewards, but malicious hackers prefer to misuse a flaw rather than report it.

Facebook disclosed in September 2018 that a flaw in its “View As” feature had exposed the access tokens of about 50 million users to attackers. That flaw, or another one that let an attacker read private profile information, could have been used to collect this data. Nehra added, “any data breach should not be taken lightly. When users are informed about the breach, they can take the required steps to avoid any further damage.”

Tomasz Onyszko, founder of Predica, called it a “truly global phone book”. He said, “If it confirms and it is not a random dataset scraped from other sources, then it might be first, truly global phone book.”

Facebook trying to downplay the leak

Several Facebook executives have tried to downplay the leak. Liz Bourgeois, Director, Strategic Response Communications at Facebook, said on Twitter that the data is old: “This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019.” What the executives fail to acknowledge is that, even though the data dates from 2019, it contains users’ phone numbers and email IDs, which do not change that often.

Governments initiating probe over data leak

The data breach has sparked worldwide outrage. As per reports, Turkey, Ireland and the Philippines have so far opened probes into the leak. On April 5, the National Privacy Commission (NPC) of the Philippines said that it was investigating the large-scale data breach. The NPC said it was validating information that over eight lakh Facebook accounts of Filipino netizens had been “compromised as part of the large-scale breach affecting 533 million global users of the social media networking site.”

Turkey’s Personal Data Protection Authority (KVKK) also launched a probe. As per reports, KVKK decided on Monday to initiate an ex officio investigation into the leak in which information on 533 million Facebook users was shared on a hacker forum.

Ireland’s Data Protection Commission (DPC) opened its probe despite Facebook’s claim that the data is old. Graham Doyle, deputy commissioner at the DPC, said that the dump appears to come from the previously reported leak and that the collection happened before the EU’s GDPR privacy legislation was in effect. “However, following this weekend’s media reporting, we are examining the matter to establish whether the dataset referred to is indeed the same as that reported in 2019,” he added.

Phone numbers and emails are a ‘blessing’ for spammers, scammers and marketers

Even if the number of usable emails and phone numbers in the dump falls well short of the hundreds of millions the hacker suggested, such a data set remains a serious threat to privacy. Phone numbers and emails are not useful only for sending spam. Here are some of the risks you may be exposed to if your information is in the leak.

  • Attackers can send links that lead to malware or to pages that harvest your credentials, and from there to financial loss. By clicking on a malicious link in a message or email, you may grant an attacker access to your computer or phone without realising it. Phishing emails are a main concern: many Facebook users are not well versed in technology and often fall for phishing attacks, which can lead to identity theft and financial losses. 
  • Phone numbers and emails are routinely sold on to marketers. Telemarketers may use them to send spam emails and SMS, whether or not you are registered with the ‘Do Not Disturb’ service; spammers operating from a leaked list pay no attention to government regulation.

Facebook has been facing criticism for data leak and malpractices

There have been several instances in which Facebook was accused of, and in some cases fined for, data breaches and malpractices. In 2019, Facebook agreed to a $5 billion settlement with the US Federal Trade Commission over privacy violations; among the FTC’s findings was that the company had collected user phone numbers on the pretext that they would be used only for two-factor authentication.

During the investigation, it was found that Facebook was using those numbers to target users with additional advertising. At the time, the FTC said, “Facebook violated the FTC Act by engaging in a new set of deceptive practices relating to the collection and use of consumer phone numbers provided by consumers to enable security features such as two-factor authentication.” Under the settlement, Facebook was permanently barred from using numbers gathered for two-factor authentication for advertising purposes.

In 2020, Canada’s independent Competition Bureau fined the company CAD 9 million for improperly sharing data with third-party developers. The watchdog said, “the company made false or misleading claims about the privacy of Canadians’ personal information on Facebook and (messaging app) Messenger”.

In 2019, Brazil fined Facebook $1.65 million for improperly sharing users’ data in a case linked to the global Cambridge Analytica scandal. The Ministry of Justice said that Facebook had not informed users “about the consequences of the default privacy settings, especially in relation to the data of friends and friends of friends.”

In February 2021, the Italian competition watchdog fined Facebook 7 million euros for failing to comply with an order to correct improper commercial practices in its handling of user data. The fine followed Facebook’s failure to publish the amended statement the watchdog had required in 2018, when it found that Facebook had not properly informed users about its collection and use of their data.

At that time, the watchdog had fined Facebook 5 million euros and ordered it to publish an amended statement on the homepage of its Italian website, in the Facebook app, and on the personal page of every registered Italian user.

What can users do about the leaked data?

As the leak happened around two years ago and the data has since been sold and resold, there is no way to recall it. There are, however, steps you should take now that the data is freely downloadable by attackers anywhere in the world.

  • Do not click on links you receive by email or SMS, especially from an unknown number or email address.
  • If you receive an email or message purporting to come from your bank, another financial institution or a government body, or one claiming you have won a prize, do not click the links in it. Instead, go to the institution’s website directly and check the claim there.
  • Tell your friends and family about the breach, and tell them not to click links in messages or emails from unknown senders.
  • Avoid clicking on shortened links, since they hide the real destination; this is a standard precaution against scams.
  • If you have not already, install reputable antivirus software on your computer and mobile devices.
  • You can check whether your email address or phone number is in the leak at https://haveibeenpwned.com/.
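For readers who want to run the haveibeenpwned.com check over a list of addresses and numbers rather than one at a time, the following Python script is an added example written for this article; it is not code from OpIndia or from haveibeenpwned.com. It assumes the HIBP v3 endpoint `GET /api/v3/breachedaccount/{account}`, which requires an `hibp-api-key` header (keys are sold on the HIBP site) and a `user-agent` header, answers 200 with a JSON list of breaches carrying a `Name` field, 404 when the account is in no breach, and 429 when rate limited; it also assumes phone numbers are searched in international (+country code) form. The API key and the sample replies in the script are placeholders constructed for the example, so the script runs offline as shown.

```python
"""Check email addresses and phone numbers against Have I Been Pwned (HIBP).

Added example for this article, not code from OpIndia or haveibeenpwned.com.
Assumptions (not stated on the page): HIBP v3 endpoint and status codes as
described in the lead-in; phone numbers searched in E.164 form (+91...).
The API key and the sample replies below are constructed placeholders.
"""
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, List, Tuple

HIBP_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/"
Fetcher = Callable[[str, str], Tuple[int, bytes]]


def normalize_account(raw: str, default_country_code: str = "91") -> str:
    """Lower-case an email address, or turn a phone number into E.164 form.

    The article concerns the 61 lakh Indian records, so a bare 10-digit
    mobile number is assumed to be Indian (+91); a leading 0 trunk prefix
    and a 00 international prefix are handled.
    """
    s = raw.strip()
    if "@" in s:
        return s.lower()
    digits = re.sub(r"\D", "", s)
    if s.startswith("+"):
        return "+" + digits
    if digits.startswith("00"):       # 0091 98765 43210 -> +919876543210
        return "+" + digits[2:]
    if digits.startswith("0"):        # 09876543210 -> 9876543210
        digits = digits[1:]
    if len(digits) == 10:
        return "+" + default_country_code + digits
    return "+" + digits               # already carries a country code


def hibp_fetch(account: str, api_key: str) -> Tuple[int, bytes]:
    """Real HTTP call, kept separate so it can be swapped for an offline stub."""
    # '+' and '@' must be percent-encoded in the path segment.
    url = HIBP_URL + urllib.parse.quote(account, safe="")
    req = urllib.request.Request(url, headers={
        "hibp-api-key": api_key,
        "user-agent": "leak-check-example/1.0",
    })
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def parse_breaches(status: int, body: bytes) -> List[str]:
    """Map an HIBP reply to the list of breach names the account appears in."""
    if status == 200:
        return [b["Name"] for b in json.loads(body.decode("utf-8"))]
    if status == 404:
        return []                     # HIBP answers 404 for "not in any breach"
    if status == 429:
        raise RuntimeError("rate limited by HIBP; wait for the Retry-After delay")
    raise RuntimeError(f"unexpected HTTP status {status}")


def check_account(raw: str, api_key: str, fetch: Fetcher = hibp_fetch) -> List[str]:
    """Normalise one address or number and return the breaches it appears in."""
    status, body = fetch(normalize_account(raw), api_key)
    return parse_breaches(status, body)


# Constructed sample replies (placeholders, not real HIBP data) for offline use.
_SAMPLE_REPLIES = {
    "+919876543210": (200, b'[{"Name":"Facebook"}]'),
    "someone@example.com": (404, b""),
}


def sample_fetch(account: str, api_key: str) -> Tuple[int, bytes]:
    """Offline stand-in for hibp_fetch that serves the constructed replies."""
    return _SAMPLE_REPLIES.get(account, (404, b""))


if __name__ == "__main__":
    for raw in ("09876543210", "Someone@Example.com"):
        print(raw, "->", check_account(raw, "placeholder-key", fetch=sample_fetch))
```

To query the live service, drop the `fetch=sample_fetch` argument and pass a real key; HIBP throttles requests per key, so pause between accounts and honour a 429 rather than retrying immediately.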

OpIndia Staff, staff reporter at OpIndia (https://www.opindia.com)
