News Insights: Facebook’s latest leak includes data on millions of users

 

Facebook’s latest leak includes data on millions of users (updated)

Facebook’s latest leak includes data on millions of users (updated)

They contained phone numbers and users’ names, genders and countries.

FULL ARTICLE: Facebook’s latest leak includes data on millions of users (updated)

 

NEWS INSIGHTS:

From Brian Vecci, Field CTO, Varonis

“Facebook’s business relies on collecting and exploiting consumer data and behavior, which means users need to trust that personal information and private behavior will be kept private and not exposed to attack or misuse. This particular incident shouldn’t be that worrying for any given user–the data was likely available to anyone who wanted it already. That a significant cache of private data could be compiled and stored completely exposed should be worrying for both Facebook and its users, though. It shows that Facebook probably doesn’t yet have a good handle on where all this data is, how it’s being used both internally and by partners, and where it might be exposed. It also took a third party to alert them, meaning they didn’t have the tools to identify it themselves.”

It’s not a surprise to see another major company with a misconfigured computer exposing sensitive assets to the outside world.   It’s something we see with companies on almost a daily basis. Most of the time, we identify it because this misconfiguration exposes a login portal to the outside world that allows attackers to guess the usernames and passwords of legitimate users.

 

From Matt Radolec, Head of Security Architecture and Incident Response, Varonis

“This is a scary thing for any company, especially one like Facebook with troves and troves of personal information sitting in their servers.

What I keep scratching my head at, is what is going to make these companies change? What is going to eliminate this common occurrence?  Will it be the $5 billion dollar fine levied on Facebook? Will it be CCPA? Only time will tell.

For now, companies must get laser focused on the sensitive data they process, store, and transmit. They should figure out where it is throughout their systems, understand how they are protecting it today, and where this sensitive data might not be adequately protected.  If everyone did this and made strides to improve security posture we would see fewer of these data spills over time.”

 

Erich Kron, Security Awareness Advocate, KnowBe4:

“This is an unfortunate situation where, although the issue that led to a previous data breach was fixed, the impact of the issue has continued to cause serious problems.

The data involved here can be very valuable to attackers, as it contains individuals’ unique Facebook ID and phone number. Because people often share very personal information on social media platforms, scammers can use the breach data to gain a wealth of information about the person and use that for scams. Children’s names, online friends and family, political and religious beliefs and other sensitive information is a gold mine for scammers, and now it’s tied to a phone number.

It is important for people to regularly check websites, such as Have I Been Pwned (https://haveibeenpwned.com/), to see if they are the victim of a data breach already. While this will not undo the damage the breach has already done, it can help people be aware that what they thought was private information, such as a phone number, may not be anymore. In addition, people should be careful when they allow applications or websites to access sensitive information, such as phone numbers, and avoid giving up that information unless it is really necessary.”

 

Pankaj Parekh, chief product and strategy officer at SecurityFirst:

“Over 400 million Facebook records were exposed, including phone numbers linked to Facebook accounts. It seems this data is over a year old, probably scraped before Facebook clamped down on access to users’ phone numbers, but as we know once data is on the Internet it can last forever. Users, having done nothing wrong to compromise their security, can now be subject to targeted robocalls, or worse. And they can’t recover by something as simple as changing their password – they would have to redo their Facebook account or get a different phone number – both very unappealing actions. Another example of people’s personal data being exposed by careless actions of those trusted to safeguard it.”

 

Jonathan Deveaux, head of enterprise data protection at comforte AG:

“The initial report of this data incident stating that the server “wasn’t protected with a password” doesn’t mean that the data would have been protected if a password *was* active. Password protection is basic security, and relatively simple to leave in place.  But to some hackers, passwords are just hindrances and could be bypassed if they are eager enough. When data-centric security is not in place, people are left in an awkward position to make key decisions when it comes to securing data.  Which decision was made in this case?

“The phone numbers are old, so the data doesn’t need protection.”

“Phone numbers aren’t sensitive data, so they don’t need protection.”

“The data is just for research purposes, so it doesn’t need to be protected.”

“We have so many servers; no one will find the data.”

“Someone else is responsible for data security, so they will protect the data.”

The main risk of the phone number exposure incident is the potential of spam calls, which are a huge nuisance today.  The bigger fear is what other unprotected sensitive data exists, which may be subject to the same decisions, but possibly posing a larger risk to end-users? The more sensitive data a company has, the more critical it is to protect the data.  A ‘security-first’ policy employing a data-centric approach helps ensure data is protected throughout an organization.”

 

Paul Bischoff, privacy advocate for Comparitech:

“The exposure of this database puts millions of Facebook users at risk of spam, harassment, and SIM swap fraud. The lattermost could allow an attacker to hijack a user’s account by bypassing two-factor authentication. By moving an existing phone number to a new SIM card, an attacker will receive the PIN number sent to the user’s phone via SMS when logging in.”

 

Colin Bastable, CEO of security awareness training company Lucy Security:

“Think hard before giving your phone number to any social networking business – they are in the business of aggregating and monetizing consumer data. And the phone number can be used to compromise your account. Online businesses often ask for the number “in case you need to recover access to your account.” Microsoft’s LinkedIn does the same thing. So many people and organizations pay have access to data that Facebook, Alphabet and Twitter hold, and collectively Big Tech has an atrocious record of securing data. We have just learned about Google running secret web pages to aggregate and sell consumer data for targeted advertising.  There is no altruistic purpose in requesting or holding consumer data – everything is for sale.”

Bastable references:

https://www.mirror.co.uk/tech/instagram-account-stolen-tracked-down-12941513

https://thenextweb.com/hardfork/2019/09/04/brave-google-chrome-browser-track-users-hidden-web-pages-gdpr/