A very large trove of Facebook data has circulated publicly, revealing information on roughly 533 million Facebook users, including profile names, Facebook ID numbers, email addresses, and phone numbers.
Facebook, in a blog post on Tuesday, said that the data hack was made possible after an attacker exploited a flaw in a Facebook address book contact import feature. The social media giant said it had patched the vulnerability in August 2019, but it remains unclear how many times the bug was exploited before then. High-profile victims of the hack included Facebook creator Mark Zuckerberg, US Transportation Secretary Pete Buttigieg, and European Union Data Protection Commissioner Didier Reynders.
Data sets sold in criminal forums are often mashed together and recombined. However, based on Facebook’s comment in 2019, the currently circulating data appears to be different from the 2019 trove, as the two troves have different attributes and different numbers of affected users per region.
Facebook claimed that it did not notify users about the 2019 incident because there were so many troves of semi-public user data – taken from Facebook and other companies – out in the open. For the breach to work, attackers had to supply phone numbers and manipulate the feature to reveal the corresponding name and other associated data; Facebook therefore argues that it did not expose the phone numbers itself. The company is quick to draw a distinction between exploiting a weakness in a legitimate feature for mass scraping and finding a flaw in its systems to grab data from the backend.
However, for those affected, the distinction bears no difference.
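The scraping described above works by feeding large volumes of phone numbers into a contact-matching feature and harvesting whatever profile data comes back. From the defender's side, the distinguishing signal is the request pattern, not any single lookup: a real address-book import is small and mostly matches existing contacts, while bulk enumeration is huge and matches rarely. The following is an added example, not Facebook's code and not described by the article; the log format, the account ids and the thresholds (`MAX_CONTACTS_PER_WINDOW`, `MIN_MATCH_RATIO`) are constructed assumptions. It flags accounts whose contact-import volume within a sliding window exceeds a threshold and reports whether the match ratio also looks like enumeration rather than a legitimate bulk import.

```python
"""Detect enumeration-style abuse of a contact-import lookup endpoint.

Added illustrative example; the log format and thresholds are assumptions,
not anything the article or Facebook documents.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per import request.
# Fields: timestamp, requesting account id, contacts submitted, contacts matched.
SAMPLE_LOG = """\
2019-08-01T10:00:00Z acct=1001 submitted=12 matched=9
2019-08-01T10:05:00Z acct=1001 submitted=3 matched=2
2019-08-01T10:00:00Z acct=2002 submitted=5000 matched=40
2019-08-01T10:00:30Z acct=2002 submitted=5000 matched=35
2019-08-01T10:01:00Z acct=2002 submitted=5000 matched=51
2019-08-01T10:01:30Z acct=2002 submitted=5000 matched=38
2019-08-01T11:30:00Z acct=3003 submitted=200 matched=150
2019-08-01T12:00:00Z acct=4004 submitted=12000 matched=9600
"""

# Assumed policy thresholds: more than this many contacts submitted inside one
# window is suspicious, and a match ratio below MIN_MATCH_RATIO means most of the
# submitted numbers did not belong to anyone the requester knows.
MAX_CONTACTS_PER_WINDOW = 10_000
WINDOW = timedelta(minutes=10)
MIN_MATCH_RATIO = 0.10


def parse_line(line):
    """Parse one constructed log line into a dict with typed fields."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "acct": kv["acct"],
        "submitted": int(kv["submitted"]),
        "matched": int(kv["matched"]),
    }


def find_abusive_accounts(log_text, max_contacts=MAX_CONTACTS_PER_WINDOW,
                          window=WINDOW, min_ratio=MIN_MATCH_RATIO):
    """Return {account: details} for accounts exceeding the volume threshold.

    For each account, requests are walked in time order with a sliding window;
    the first time the submitted total inside the window exceeds max_contacts
    the account is flagged. A low match ratio is recorded as a second reason,
    which separates enumeration from a large but genuine address book.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            events[e["acct"]].append(e)

    flagged = {}
    for acct, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        run_submitted = 0
        run_matched = 0
        for end, e in enumerate(evs):
            run_submitted += e["submitted"]
            run_matched += e["matched"]
            # Drop requests that fell out of the window.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                run_submitted -= evs[start]["submitted"]
                run_matched -= evs[start]["matched"]
                start += 1
            if run_submitted > max_contacts:
                ratio = run_matched / run_submitted
                reasons = ["volume"]
                if ratio < min_ratio:
                    reasons.append("low_match_ratio")
                flagged[acct] = {
                    "submitted": run_submitted,
                    "match_ratio": round(ratio, 3),
                    "reasons": reasons,
                }
                break
    return flagged


if __name__ == "__main__":
    for acct, info in find_abusive_accounts(SAMPLE_LOG).items():
        print(acct, info)
```

On the constructed log, account 2002 is flagged for both volume and a match ratio under one percent, which is the enumeration profile, while account 4004 is flagged for volume only, the shape a large legitimate import or a migration tool would have and a case a reviewer would triage differently. Per-account volume limits of this kind, combined with rate limits per source address, are the controls that make a contact-matching feature unattractive for bulk scraping.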
The scraping of Facebook users’ phone numbers has been a cause of concern over the last several years, and the social media giant has done a wobbly job of protecting its users’ phone numbers. It fixed vulnerabilities in 2013 and 2017, and in 2018 disabled a feature that allowed users to search for other people on Facebook by phone number.
Moreover, the social media giant reached a landmark settlement with the FTC in 2019 over a massive number of data privacy failures. The $5 billion fine indemnified Facebook for all activity and data privacy failures before June 12, 2019.
You can check whether your phone number or email address was exposed in the leak on the breach tracking site <a href="https://haveibeenpwned.com/">HaveIBeenPwned</a>.
For more information, you may view the original story at Wired.com.