
Open dark web database exposes info on 267 million Facebook


An unsecured database on the dark web left the
personal information of more than 267 million Facebook users, mostly in the
U.S., exposed.

Although the database, discovered by
security researcher Bob Diachenko and Comparitech and traced to Vietnam, is now
inaccessible, it laid bare names, phone numbers, timestamps and Facebook IDs,
and that information also appears on a hacker forum.

“Diachenko believes the trove of data is most likely the result
of an illegal scraping operation or Facebook API abuse by criminals in Vietnam,”
Paul Bischoff, privacy advocate at Comparitech, wrote in a blog post,
noting that “the database was exposed for nearly two weeks before access was
removed.”

Pointing out that Facebook “exposed 540 million users’ data in April after an
AWS S3 bucket was left publicly accessible,” Chris DeRamus, CTO at DivvyCloud,
said “this latest incident is alarming because the database was unprotected for
nearly two weeks, allowing threat actors more than enough time to access it and
use it to launch spear phishing attacks and commit identity theft.”

The database was indexed on December 4 and posted on a
hacker forum eight days later. Diachenko reported the discovery on December 14,
choosing to go directly to the ISP managing the server’s IP address because he
and Comparitech “believe this data belongs to a criminal organization,” Bischoff
wrote, explaining that the information could be used to cull additional data and
in SMS spam and phishing campaigns.

Social media platforms like
Facebook “are lucrative targets for cybercriminals due to the massive amounts
of personally identifiable information (PII) that they collect and store from
users,” said Anurag Kahol, CTO at Bitglass.

“The lasting impact is unknown
and a staggering 59 percent of consumers admit to reusing the same
password across multiple sites, even knowing the risks associated,” said Kahol.
“This could give cybercriminals access to various accounts for the same
individual across multiple services, rendering their digital footprint incredibly
vulnerable as a result.”

Bischoff explained that “Facebook IDs are unique, public numbers
associated with specific accounts, which can be used to discern an account’s
username and other profile info.”

The researchers
aren’t clear how the criminals obtained the information, speculating that it
could have been “stolen from Facebook’s developer API before the company
restricted access to phone numbers in 2018,” the post said. Developers use the
API “to add social context to their applications by accessing users’ profiles,
friends list, groups, photos, and event data,” Bischoff wrote.

Another
possibility that Diachenko floated: A security hole in the API might have
allowed criminals to grab user IDs and phone numbers even after Facebook restricted
access to those numbers.

“The same ‘move fast and break things’ mantra championed by Mark Zuckerberg in Facebook’s early days is being mimicked in enterprises globally,” said Vinay Sridhara, CTO, Balbix. “This agile approach has given developers access to data and the ability to spin up new resources on-demand. Security teams must modify their strategies to account for this dynamic new reality.”

It could be, though, “that the data was stolen without using the
Facebook API at all, and instead scraped from publicly visible profile pages,”
said Bischoff. “Many people have their Facebook profile visibility settings set
to public, which makes scraping them trivial.”

This latest compromise involving the
social media giant “is yet another wakeup call for consumers to pay close
attention to the security policies of apps storing personal information like
phone numbers and email addresses,” said Will LaSala, director of security
services and security evangelist at OneSpan. “Too often negligence occurs where
servers like Facebook’s contain massive amounts of consumer data and are left
unprotected without any authentication required to gain access.”

Businesses must reconsider using identity
proofing and authentication mechanisms like the Facebook login button to
validate user identification. “Guess what. You can’t possibly know if a user is
who they claim to be given the scope and magnitude of these breaches,” said Robert Prigge, CEO of Jumio, who
called those methods “practically useless.”

The post Open dark web database exposes info on 267 million Facebook appeared first on SC Media.
