Over the weekend, a cybersecurity researcher discovered the personal information of more than 500 million Facebook users posted on a low-level hacking forum.
According to Business Insider, which first reported the find, data on more than 533 million users was published to the forum, including more than 32 million American users. The leaked information includes full names, Facebook IDs, locations, birthdates, biographies, phone numbers, and some email addresses.
In the same article, a Facebook spokesperson reported that the data stemmed from a vulnerability closed in 2019. Alon Gal, CTO of cyber-crime intelligence firm Hudson Rock, made the initial discovery of the exposed Facebook users’ data on Saturday.
This is not Facebook’s first challenge dealing with scraped data. The incident highlights that leaked or scraped data doesn’t simply disappear after a breach; it can linger for years, continuing to create new cybersecurity problems for enterprises and users.
Attackers could readily use this data in future impersonation and social engineering attacks such as spear-phishing, or as input for cracking users’ passwords.
Commentary: Facebook Users Exposed in the Millions
Garret Grajek is CEO of YouAttest.
“What is easy to miss when we see a breach of this magnitude of a global corporation is that the hackers are NOT targeting the large brand names like Facebook. There is no question that Advanced Persistent Threat (APT) hacks are devised and targeted at the ‘brass ring’ enterprises like Facebook – but we have to remember that the hackers are running scans across all of our systems.”
“To this end, we all have to be diligent that we are monitoring our system and implementing best practices. As the Cyber Kill Chain details, hackers will be executing reconnaissance on our systems and enumerating our assets. Once this occurs, the hacker will then penetrate our systems and attempt lateral movement and privilege escalation. It is in these steps where a comprehensive and updated identity governance practice can spot an attacker who is attempting to change account privileges to enable the compromised accounts to move around the enterprise, find crucial PII/PHI data, and then exfiltrate it.”
“Products and practices that can identify and then alert the enterprise about account breaches are crucial to meeting not only compliance but to achieving enterprise security.”
Saryu Nayyar (she/her) is CEO of Gurucul.
“This is a huge blow to Facebook. Leaking the personal data of 533 million Facebook users is a data breach of massive significance and consequence. The fines alone could literally cripple the company.”
“11 million of the users whose data was exposed are in the UK. Under GDPR penalties, Facebook faces a maximum fine of £17.5 million or up to 4% of their total 2020 global turnover – whichever is higher. The UK fine alone could set Facebook back $3.4 Billion.”
“Further, over 32 million records are US users. The California Attorney General can seek civil penalties of $2,500 per violation of the CCPA (California Privacy Protection Agency). So, depending on how many of those users are in California, Facebook could be looking at additional fines in the billions.”
“All in all, a very bad situation for Facebook and as usual, completely avoidable. The data breach occurred because of a vulnerability that the company patched in 2019. Facebook obviously needs to improve the company’s maintenance processes to reduce risks from known vulnerabilities.”
Thanks to the cybersecurity experts for their time and expertise. For more, check out the Endpoint Security Buyer’s Guide.