More than 533 million Facebook users had their personal information posted to a public hacker forum, a move that is raising concerns about an uptick in cybercrime leveraging the credentials.
The publicly released Facebook user data is believed to be part of a 2019 “Add Friend” Facebook security bug exploited by hackers at the time. The flaw allowed criminals to siphon hundreds of millions of member account details from Facebook and sell them to the highest bidder on illicit online markets.
As of this weekend, the data is now accessible to anyone for under $3, or essentially free. The types of data include Facebook user mobile phone numbers, their Facebook ID, name and gender information.
Alon Gal, CTO at Hudson Rock, is credited for first spotting the 533 million account records. Originally, the dataset was searchable for a price, according to ads seen on secure messaging app Telegram. Now, that same data is available on public online forums frequented by criminals for anyone to abuse, Gal noted.
“Bad actors will certainly use the information for social engineering, scamming, hacking and marketing,” he tweeted.
Facebook Says: Nothing to See Here
Facebook acknowledged the public availability of the stolen data and shared a statement with the Associated Press. “This is old data that was previously reported on in 2019…We found and fixed this issue in August 2019,” Facebook told the AP.
Leaky databases, breaches and bugs dominated Facebook in 2019. It’s unclear from Facebook’s statement what precise incident it is referring to.
In December 2019, Facebook reported a hacked database containing the names, phone numbers and Facebook user IDs of 267 million platform users. The data, according to researchers at the time, was stolen from Facebook’s developer API before the company restricted API access to phone numbers and other data in 2018.
In 2019, security researcher Bob Diachenko theorized that the data was stolen from Facebook’s developer API – used by app developers to access user profiles and connected data – before the company restricted developer access to phone numbers and other data in 2018.
Other possibilities include a glitch in Facebook’s API that let criminals access user IDs and phone numbers even after access was restricted in 2018. Another theory was that the data was scraped from publicly visible profile pages, researchers said.
Then in September 2019, an open server was discovered leaking hundreds of millions of Facebook user phone numbers. And in April 2019, researchers found two separate datasets, held by two app developers (Cultura Colectiva and At the Pool). The actual data source for the records (like account names and personal data) in these databases was Facebook.
Content Scraping Via API
Using weaknesses in application programming interfaces to harvest data has become a common practice for data brokers and hackers alike.
“Content scraping is a common attack pattern,” said Michael Isbitski, technical evangelist at Salt Security, via email. “Organizations often build or integrate APIs, without fully considering the abuse cases of the APIs.”
Isbitski said that APIs are often designed to increase adoption and grow a business by making it easy for others to build complementary technology and systems. Data sets, in this case Facebook profile data, can also be useful in other types of automated attacks, such as brute forcing or credential stuffing to achieve account takeover, he said.
“At the very least, the data is also useful to attackers for phishing campaigns and social engineering. Organizations must protect their APIs and monitor consumption continuously in order to catch such malicious activity as content scraping or authorization bypasses,” Isbitski said.
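Monitoring API consumption continuously, as Isbitski recommends, in an added example that is not code from the article, Facebook or Salt Security: a per-client sliding-window detector run over constructed contact-lookup access log lines, flagging clients that enumerate many distinct targets or whose lookups mostly match no account. The log format, the /contacts/lookup endpoint name and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60     # sliding window per client (assumed tuning value)
MAX_DISTINCT = 20       # distinct lookup targets per window before alerting
MAX_MISS_RATIO = 0.5    # share of lookups matching no account: enumeration smell
MIN_FOR_RATIO = 10      # don't judge the miss ratio on tiny samples

def parse_line(line):
    """Parse an assumed log format 'ISO-ts client endpoint target hit|miss'."""
    ts, client, endpoint, target, result = line.split()
    return datetime.fromisoformat(ts), client, endpoint, target, result == "hit"

def detect_scrapers(lines, endpoint="/contacts/lookup"):
    """Return {client: sorted reasons} for clients whose lookup pattern looks
    like bulk enumeration rather than a user importing a small contact list."""
    windows = defaultdict(deque)   # client -> deque of (ts, target, hit)
    alerts = defaultdict(set)
    for line in lines:
        ts, client, ep, target, hit = parse_line(line)
        if ep != endpoint:
            continue
        win = windows[client]
        win.append((ts, target, hit))
        # Evict events that fell out of the sliding window
        while (ts - win[0][0]).total_seconds() > WINDOW_SECONDS:
            win.popleft()
        distinct = {t for _, t, _ in win}
        if len(distinct) > MAX_DISTINCT:
            alerts[client].add("high_distinct_targets")
        if len(win) >= MIN_FOR_RATIO:
            misses = sum(1 for _, _, h in win if not h)
            if misses / len(win) > MAX_MISS_RATIO:
                alerts[client].add("high_miss_ratio")
    return {c: sorted(r) for c, r in alerts.items()}

# Constructed sample traffic (not real logs): a normal user importing 5
# contacts, then a scraper walking a sequential phone range once per second.
SAMPLE_LOGS = (
    [f"2021-04-04T10:00:{i:02d} user_a /contacts/lookup +15550100{i} hit"
     for i in range(5)]
    + [f"2021-04-04T10:01:{i:02d} bot_z /contacts/lookup +1555020{i:03d} "
       f"{'hit' if i % 4 == 0 else 'miss'}" for i in range(30)]
)

if __name__ == "__main__":
    print(detect_scrapers(SAMPLE_LOGS))  # only bot_z is flagged
```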
One antidote, suggests Avesta Hojjati, DigiCert’s research and development lead, is the adoption of encryption for data at rest.
“Once again, the importance of encryption of data at rest and in transit has surfaced. Today, the breach happens to impact Facebook, but tomorrow it could very well be other social media,” Hojjati said. “We simply cannot prevent vulnerabilities from compromising users’ data, but we can properly use proven solutions to eliminate the use of such compromised data.”
How to Check if Your Facebook Account is One of the 533M Affected
Hudson Rock’s Gal said the data he found represent users in 106 countries, with 32 million based in the United States. Each of the records contained Facebook IDs, full names, mobile phone numbers, user locations, past locations, birthdates and email addresses.
By Monday, breach notification site Have I Been Pwned began allowing people to check if any of their personal information was part of the data dump. Site publisher Troy Hunt said via Twitter that his site is currently only allowing visitors to check their status using an email address. That, he admits, will only be so useful, given that only 2.5 million out of the 533 million Facebook member records also included an email address.
Hunt said he is actively looking for ways to allow people to search the dataset via their phone number. “I’m still considering what to do with the phone numbers,” he said.
Update 4/6/21: In a blog post on Tuesday, Hunt said his site now allows users to search via phone number.