The personal data of more than 533 million Facebook users that leaked online was scraped from their profiles by malicious actors through a security flaw in the company’s platform, exploited prior to September 2019, the social media giant said Tuesday.
Threat actors posted that data to a public hacker forum over the weekend, once again raising privacy concerns and putting Facebook in the middle of controversy over its protection, or lack thereof, of user data. At the time it was suspected the data had been scraped due to a bug in the Add Friend feature that was discovered in 2019.
In an attempt to set the record straight, the company confirmed in a blog post Tuesday that the leak was in fact due to a flaw in its “contact importer” that had previously been reported and had already been fixed.
“We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019,” according to the post by Mike Clark, a Facebook product management director. “This feature was designed to help people easily find their friends to connect with on our services using their contact lists.”
In his post, Clark called the leak “another example of the ongoing, adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet services” and said the company is confident that the issue that allowed for the data scraping “no longer exists.”
Possible Regulatory Action
Regardless, Facebook still faces an investigation by regulators in the European Union over the incident and could face fines. Ireland’s Data Protection Commission (DPC) is the first regulator to say it is looking into the matter because of possible infringement of the General Data Protection Regulation (GDPR), which requires companies to notify the supervisory authority of personal data breaches within 72 hours of becoming aware of them or face penalties.
“A significant number” of the users affected by the breach were from the EU, according to a post on the DPC website, putting them at risk for phishing, marketing scams and other cybercriminal activity.
“Previous datasets were published in 2019 and 2018 relating to a large-scale scraping of the Facebook website which at the time Facebook advised occurred between June 2017 and April 2018 when Facebook closed off a vulnerability in its phone lookup functionality,” the DPC said in the post. “Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR.”
Some of the data leaked over the weekend may be from a later period, however, which could mean Facebook is in breach of the GDPR, according to the DPC.
“The DPC attempted over the weekend to establish the full facts and is continuing to do so,” according to the commission, which is working with Facebook to resolve the investigation.
Scraping Remains a Threat
The leaked data is now accessible to anyone for under $3, or essentially free, and includes users’ mobile phone numbers, Facebook IDs, names and gender. About 32 million of the records are tied to accounts based in the United States.
The leak not only highlights ongoing privacy concerns with Facebook and other social-media companies, it also puts the common tactic of scraping and its potential dangers back in the spotlight.
Scraping is “a common attack pattern” used by threat actors to siphon public information from the internet that can then be sold online for profit and reused for malicious activity, Michael Isbitski, technical evangelist at Salt Security, told Threatpost via email on Monday.
For its part, Facebook said it will continue to crack down on the practice of “scraping data using features meant to help people,” which violates the platform’s terms, Clark said in his post. “We have teams across the company working to detect and stop these behaviors,” he wrote.
Facebook also will work toward having the most recent data set taken offline and “will continue to aggressively go after malicious actors who misuse our tools wherever possible,” Clark said.
Alon Gal, CTO at Hudson Rock, is credited with first spotting the 533 million account records. Originally, the dataset was searchable for a price, according to an ad seen on the messaging app Telegram. Now, that same data is available on public online forums frequented by criminals for anyone to abuse, Gal noted.
“Bad actors will certainly use the information for social engineering, scamming, hacking and marketing,” he tweeted over the weekend.