Facebook’s Massive Data Breach Is Already Impacting You
Statistically speaking, it’s highly likely that you’re one among the 2.7 billion active Facebook users. Unfortunately, it was disclosed earlier this month that some 550 million users (just over 20%) had their personal information leaked and posted on the dark web for free. This magnitude reminds us of the 500 million people that were impacted in the data breach at Marriott.
Oddly, Facebook initially dismissed the reports as irrelevant, saying that the data was leaked years ago, so it didn’t matter now.
“What is a data breach?”
A data breach is when information is exposed to someone who should not be able to see it. While most data breaches that you hear about in the news are related to passwords or credit card information being stolen by a hacker, a data breach can also include your personal information, health information, or proprietary information from your organization. These are all things that shouldn't fall into the wrong hands.
“What is data scraping?”
Data scraping is a data aggregation technique in which a computer program extracts data points from a website or database and recompiles them into a human-readable output (e.g., a spreadsheet).
So here with Facebook, the malicious actors created a list of millions of publicly available phone numbers and then used Facebook’s friend finder to provide the relevant associated information.
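Seen from the platform's side, this kind of bulk lookup leaves a trail in contact-import logs. The following added example (not Facebook's code) flags accounts whose uploads are too large or too sequential to be a real address book; the log events are constructed, and the thresholds and the sequential-number heuristic are assumptions.

```python
from collections import defaultdict

# Constructed sample events: (account, phone numbers in one contact-import upload).
# The 555 numbers are fictional; account names are hypothetical.
EVENTS = [
    ("alice", ["+15550101234", "+15557779021", "+15553318876"]),
    ("bot-17", [f"+1555020{n:04d}" for n in range(0, 400)]),
    ("bob", ["+15550104411", "+15550104412", "+15559990000", "+15552223333"]),
    ("bot-17", [f"+1555020{n:04d}" for n in range(400, 900)]),
]

MAX_CONTACTS = 500    # assumed cap on distinct numbers per account per window
MAX_SEQ_RATIO = 0.5   # assumed cap on the share of numbers adjacent to another
MIN_FOR_RATIO = 20    # ignore the ratio for tiny address books


def sequential_ratio(numbers):
    """Share of numbers whose successor or predecessor was also uploaded."""
    values = {int(n.lstrip("+")) for n in numbers}
    if not values:
        return 0.0
    adjacent = sum(1 for v in values if v + 1 in values or v - 1 in values)
    return adjacent / len(values)


def flag_enumeration(events):
    """Aggregate uploads per account and return the ones that look like scraping."""
    per_account = defaultdict(set)
    for account, numbers in events:
        per_account[account].update(numbers)  # split uploads still add up
    flagged = {}
    for account, numbers in per_account.items():
        reasons = []
        if len(numbers) > MAX_CONTACTS:
            reasons.append("volume")
        if len(numbers) >= MIN_FOR_RATIO and sequential_ratio(numbers) > MAX_SEQ_RATIO:
            reasons.append("sequential")
        if reasons:
            flagged[account] = reasons
    return flagged


if __name__ == "__main__":
    print(flag_enumeration(EVENTS))
```

Aggregating per account before checking the limits matters: the constructed "bot-17" account stays under the cap on each individual upload and is only caught once its uploads are combined.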
“Ok, but what does it mean for me?”
Data breaches can be tricky because you have to understand what has been taken, and how you can protect yourself from that information being used inappropriately. For example, if the news reported that passwords had been stolen from a website, you would change your password for that website. Or, if your credit card number gets stolen, you usually report it to your credit card company and receive a new one. If you don’t take action though, this could lead to problems for you.
“What happened this time?”
According to reporting first released by Business Insider, it appears that a database containing the personal information of over 550 million users was leaked. Worse yet, the information is being freely traded online and Facebook is trying to pin the blame on you, the user! How? Well, in its public statements, Facebook is acting in lock-step with its response during the Cambridge Analytica scandal in 2018, attempting to reframe the security failure as merely a breach of its terms of service.
According to Facebook’s April 6th statement, the data was obtained by scraping the platform prior to September 2019.
“We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019. This feature was designed to help people easily find their friends to connect with on our services using their contact lists.
“When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer. In this case, we updated it to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users. Through the previous functionality, they were able to query a set of user profiles and obtain a limited set of information about those users included in their public profiles. The information did not include financial information, health information or passwords.”
Currently, the information exposed includes:
Full Name
Birthday
Address
Email
Phone number
Facebook IDs
Bios
However, there is a fear that more information types may have been stolen and this story is still developing.
“So what do I do?”
The key after a data breach is to focus on the sensitive information that was stolen, and what actions you can take to mitigate the effects. We’ve outlined the most important ones below, and what you should do right now.
NAME / BIRTHDAY
Unfortunately, there’s not a lot you can do to protect your name or birthday if it has been stolen in a data breach. Buying services like identity theft monitoring can help, but the best way is by freezing your credit. Check out our easy-to-follow guide for more information.
ADDRESS
Unfortunately, your address isn’t virtual and you can’t just “reset it.” So what can you do? Most likely no one is going to come visit you, but they may try to use your address to apply for a new credit card.
EMAIL
Your email has likely become an extension of your name at this point, so how do you protect it? Unlike with your name, you have a few options. Changing it doesn’t make sense since you’ll have to update your family, friends, and websites with your new address. Instead, make sure you stay alert for phishing emails (emails that try to trick you into doing something bad) since your email has probably been added to a spam list and you’ll be receiving more junk email soon. If you’ve re-used your email password elsewhere, you should change it - and get a password manager while you’re at it!
PHONE NUMBER
When your phone number is stolen, two main things can happen:
First, your number usually gets added to a call list for scam calls. These are fake calls that can come from “the IRS”, “the Chinese Consulate”, “your boss”, or someone with “a great vacation offer.” While the government and telephone companies are trying to figure out how to reduce the number of calls coming through (including the fake calls from phone numbers similar to yours), it’s best to not answer any call from a number you don’t know. If you do answer, be skeptical, and ask to call them back on a number you know or that you can search for online (like the phone number posted on a reputable business website).
Second, with the information stolen in this data breach, hackers potentially have enough information to conduct a “SIM jacking” attack - essentially stealing everything from your phone, but remotely. We’ve talked about how to stop this on the ACT, so make sure to give our guide a quick read.
Finally, if you’re worried about staying on top of the latest data breaches, make sure to subscribe to the ACT Digest, where we’ll tell you about what’s going on in the cybersecurity world, and how you can protect yourself, your friends, your family, and your organization.