What actually happened with Facebook’s massive 533M record leak

Over the weekend, reports surfaced of an alleged data breach that affected half a billion Facebook users from 106 countries.

And while the number is staggering, the story is much more than 533 million datasets. This breach once again highlights how many systems we use are not designed to adequately protect our information from cybercriminals.

It’s also not always easy to figure out if your data has been compromised in a breach.

A few days ago, a user created a Telegram bot that allows users to query the database for a low fee, allowing anyone to find the phone number associated with a very large portion of Facebook accounts.

This obviously has a huge impact on privacy. pic.twitter.com/lM1omndDET

– Alon Gal (Under the Breach) (@UnderTheBreach) January 14, 2021

What happened?

More than 500 million details of Facebook users have been published online on an underground website used by cyber criminals.

Obviously this is not a new data breach but an older one that has returned to haunt Facebook and millions of users whose data is now available to purchase online.

The data breach is believed to be related to a vulnerability that Facebook reported to have fixed in August 2019. While the exact source of the data could not be verified, it was likely collected through hacking. misuse of legitimate functions in the Facebook system.

Such abuses can occur when a seemingly innocent feature of a website is used by an attacker for undesired purposes, as was the case with the PayID attack in 2019.

---

Read more: PayID data breach shows Australian banks need to be more wary of hacks

---

In the case of Facebook, criminals can exploit Facebook’s system to obtain users’ personal information by using techniques that automate the data collection process.

This sounds familiar. In 2018, Facebook was reeling from the Cambridge Analytica scandal. This is also not a hack problem, but misuse of a perfectly legitimate function of the Facebook platform.

While initially the data was collected legally – at least according to Facebook’s rules – it was later transferred to a third party without the appropriate consent from the user.

---

Read more: We need to talk about the data we make freely available online and why it’s useful

---

Have you been targeted?

There’s no easy way to determine if your details were breached in the recent leak. If the site concerned is working in your best interest, you should at least get notified. But this is not guaranteed.

Even a tech-savvy user would be limited in finding leaked data on underground websites.

The data sold online contains a lot of important information. According to hasibeenpwned.com, most profiles include name and gender, many including date of birth, location, relationship status and employer.

Although, it was reported that only a small fraction of the stolen data contained valid email addresses (about 2.5 million records).

This is important because the user’s data would be of less value without the corresponding email address. It’s a combination of date of birth, name, phone number, and email that provides a useful starting point for identity theft and exploitation.

If you’re not sure why these details are valuable to criminals, think about how you confirm your identity over the phone with your bank or how you last reset your password on a website.

Haveibeenpwned.com creator and web security expert Troy Hunt said a secondary use for the data could be to enhance SMS-based spam and phishing attacks.

So what is the impact? For a targeted attack where you know someone’s name and country, this is great for cell phone lookups. Much harder to do because there is no trusted key; I can’t take a huge list of emails and resolve them to phone numbers because emails are rare in the data.

– Troy Hunt (@troyhunt) April 3, 2021

How to protect yourself

Given the nature of the leak, there are very few Facebook users that can actively protect themselves from this breach. Since the attack targeted Facebook’s systems, the responsibility for data security rests entirely with Facebook.

On a personal level, although you can choose to withdraw from the platform, for many people this is not a straightforward choice. That said, you can make certain changes to your social media behaviors to help reduce your risk of a data breach.

1) Ask yourself if you need to share all your information with Facebook

There are certain pieces of information that we inevitably have to lose in exchange for using Facebook, including mobile phone numbers for new accounts (ironically as a security measure). But there are a lot of details you can retain to maintain a large amount of control over your data.

2) Think about what you share

In addition to the reported leak, there are many other ways to collect user data from Facebook. If you use fake birthdays on your account, you should also avoid posting birthday party photos on the actual date. Even our seemingly innocent photos can reveal sensitive information.

3) Avoid using Facebook to log in to other websites

While the “login with Facebook” feature has the potential to save time (and reduce the number of accounts you have to maintain), it also increases your potential risk – especially if the site you’re posting to enter is not a trusted site. one. If your Facebook account is compromised, the attacker will gain automatic access to all linked websites.

4) Use a unique password

Always use a different password for each online account, even if it’s a pain. Installing a password manager would help with this (and here’s how I got over 400 different passwords). While it won’t prevent your data from being stolen, if your password for a website is leaked it will only work for that. one Location.

If you really want to get scared, you can always download a copy of all the data Facebook has about you. This is useful if you are considering leaving the platform and want a copy of your data before closing your account.

---

Read more: New evidence shows half of Australians have given up on social media at some point, but millennials are falling behind

---

This article by Paul Haskell-Dowland, Associate Dean (Computer and Security), Edith Cowan University, is republished from The Conversation under a Creative Commons license. Read the original article.

Continue reading:

Uber seeks to prevent drivers from seeing destinations – it’s a dodgy move