Friday, September 6, 2019
An unprotected server holding approximately 419 million Facebook user IDs and phone numbers has roiled the security community. TechCrunch reporter Zack Whittaker broke the news Sept. 4, 2019, in a post titled “A huge database of Facebook users found online.” Whittaker and other security analysts criticized Facebook over the exposure of users’ IDs and phone numbers to anyone who came across the server.
“The exposed server contained more than 419 million records over several databases on users across geographies, including 133 million records on U.S.-based Facebook users, 18 million records of users in the U.K., and another with more than 50 million records on users in Vietnam,” Whittaker wrote. “But because the server wasn’t protected with a password, anyone could find and access the database.”
TechCrunch verified a sampling of records by matching phone numbers in the database against the corresponding Facebook IDs and against Facebook’s password reset feature, which partially reveals the phone number linked to an account. Some records also exposed usernames, genders and countries, Whittaker noted.
Facebook had little to say, other than that in April 2018 it had removed a search tool that let users find friends by entering their phone numbers. Business Insider’s Nick Bastone reported Sept. 4, in “Phone numbers for as many as 220 million Facebook users were reportedly found sitting online in a file where anybody could have found them,” that Facebook attempted to minimize the damage, stating that the data was outdated and contained duplicates. “[T]he dataset has been taken down and we have seen no evidence that Facebook accounts were compromised,” the social media giant added.
Erich Kron, security awareness advocate at KnowBe4, warned consumers to regularly check websites such as Have I Been Pwned [haveibeenpwned.com] to see if their data has been compromised. While this will not undo damage already caused, it can make people aware that their information is no longer private and encourage them not to share personally identifiable information unless it is really necessary, he explained.
“The data involved here can be very valuable to attackers, as it contains individuals' unique Facebook ID and phone number,” he said. “Because people often share very personal information on social media platforms, scammers can use the breach data to gain a wealth of information about the person and use that for scams. Children's names, online friends and family, political and religious beliefs and other sensitive information is a gold mine for scammers, and now it's tied to a phone number.” Michael Magrath, director of global regulations and standards at OneSpan, called the latest Facebook compromise “another wakeup call for consumers,” reminding them to pay close attention to the security policies of apps that store personal information.
“Too often negligence occurs where servers like Facebook’s contain massive amounts of consumer data and are left unprotected without any authentication required to gain access,” Magrath stated. “This exposes hackers to valuable credentials that can be used in widespread SIM-swapping or spam call attacks in this case. Consumers should know that email and SMS are two of the least secure authentication methods, and should look out for new, more secure MFA methods for identity verification in apps such as biometrics, to enable stronger authentication.”
Kron called for an improved security posture at Facebook, noting Facebook’s latest data breach follows an October 2018 incident affecting 15 million users. “This is an unfortunate situation where, although the issue that led to a previous data breach was fixed, the impact of the issue has continued to cause serious problems,” he stated.
An online search for “Facebook hack” reveals an abundance of tools and resources for criminals, stalkers and other interested parties. In one example, “How to Hack Facebook Account and Password, Easy and Free,” Gihosoft.com tells users, “It doesn’t take much to hack a Facebook account because there are multiple free ways published by hackers online.” The website describes methods built on password recovery abuse, social engineering, man-in-the-middle and phishing attacks, stating, “If you want a readymade Facebook hacker, use the keylogger method. There are many keyloggers available online or you can also build the software on your own.”
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.