Breach Brief – Facebook, LinkedIn
Once again Facebook is caught handling personal data like a child splashing in a kiddie pool. Now, according to Facebook, it was not a hack or data breach at all, just some aggressive hacker scraping data from its pages. I wanted to get their side of the story out there first. They have a right to explain how they see it, and we will get back to that.
So here's what we know happened. According to experts at cyber-intelligence firm Hudson Rock, the personal information of half a billion Facebook users has been leaked online. The data includes phone numbers, locations, birth dates, Facebook IDs, full names, and email addresses. The data was found on a website used by hackers.
Alon Gal, Chief Technology Officer at Hudson Rock, said the records appear to be a few years old and relate to users in 106 countries, 32 million of whom reside in the United States.
Now for Facebook's argument. Andy Stone, a Facebook spokesman, told CNN, "This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019." To which Gal pointed out that the age of the data did not preclude it from being effectively exploited by cyber-criminals and identity thieves.
“Bad actors will certainly use the information for social engineering, scamming, hacking and marketing,” said Gal on Twitter.
But there is slightly more to the story than that. Did Facebook really fix the issue in 2019? Not according to experts. Researchers say Facebook had known of similar vulnerabilities that led to this data breach and basically ignored the issue.
And that appears to be true, according to Facebook itself. Mike Clark, Director of Product Management for Facebook, tried to tamp down the concern about the massive breach in a blog post published to the company's newsroom. Most shocking was that the post, along with additional reporting from Wired, reveals a previously unreported breach of Facebook's systems.
Clark acknowledged a report from Business Insider relating to the data of some 530 million Facebook users, but pointed out that the information was scraped and not obtained through a hack. He added that Facebook is "confident" that it rectified the issue.
“We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019,” Clark writes. “This feature was designed to help people easily find their friends to connect with on our services using their contact lists.”
And that is Facebook's story, and I am sure they will stick to it. Either way you look at it, your Facebook data is again out in the wild of the internet. Tidbits of information add up, and Facebook has plenty of tidbits, which it seems to splash around like water in a kiddie pool.
You can check whether your data was splashed out onto the internet by following these steps:
- Go to haveibeenpwned.com and enter your email address to see if your email has been compromised.
- If your email is shown to be part of the breach, change your password and enable two-factor authentication. The founder of haveibeenpwned.com is reportedly considering adding the leaked phone numbers to the database to help people determine whether their phone numbers have been leaked.
Again we have a situation where personal information seems to have escaped its handlers. And again it may not have been a hack but a scrape.
According to security news and research group CyberNews, a trove of 500 million LinkedIn records was scraped from the site. The stolen LinkedIn data includes user IDs, full names, email addresses, phone numbers, professional titles, and other work-related data. Not overly sensitive information, but personal enough to cause concern. More on why in a minute.
CyberNews analysts found the information in an online forum for hackers and were able to determine that the data was associated with LinkedIn user accounts. How old the data is and how it was obtained are unanswered questions at this time.
In its defense, LinkedIn issued a statement saying that while the scraped data set contains some "publicly viewable member profile data," it is "actually an aggregation of data from a number of websites and companies." That could mean the hackers, or scrapers in this case, built the data set from information gathered across multiple sources.
Microsoft, which owns LinkedIn, says the information was almost definitely scraped and not the work of hackers penetrating its networks.
Now let's get to why the data, while not overly sensitive, could still be a problem. The scraped LinkedIn data did not include any credit card information or Social Security numbers. But it does include data that helps bad actors carry out other, more sophisticated attacks. One example is hackers using data like email addresses and phone numbers to craft more convincing phishing attacks, sending people bogus emails that look real but contain links to malicious websites. A hacker is a resourceful, intelligent, annoying and disgusting creature that costs people, companies and governments billions every year. If you see one, call the cops or an exterminator.