Earlier this month, a huge database containing the Facebook user IDs and phone numbers of 267 million users was found publicly exposed on the web, where it remained accessible for almost two weeks before finally being taken down.
According to security researcher Bob Diachenko, who discovered the unsecured Elasticsearch database together with Comparitech, it likely did not belong to Facebook at all, but rather to a cybercriminal organization.
According to the report released December 19th, “A database this big is likely to be used for phishing and spam, particularly via SMS. Facebook users should be on the lookout for suspicious text messages. Even if the sender knows your name or some basic information about you, be skeptical of any unsolicited messages.”
First indexed on December 4 and not noticed until ten days later, on December 14, the database has since been taken offline. According to Diachenko, however, the same data was also posted to a hacker forum on December 12, where it was available for download.
It is still not clear exactly how the information was collected. Diachenko suggests it could have been harvested through the developer API that Facebook provided to app developers for access to user data and profiles, before that access was restricted last year. Another possibility is a bug that allowed the criminals to pull the information despite those restrictions. Or it could simply have been scraped from profile pages that are publicly visible.
According to the published report, “’Scraping’ is a term used to describe a process in which automated bots quickly sift through a large number of web pages, copying data from each one into a database. It’s difficult for Facebook and other social media sites to prevent scraping because they often cannot tell the difference between a legitimate user and a bot. Scraping is against Facebook’s – and most other social networks’ – terms of service.”
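To make the quoted description concrete, here is an added example (not code from the report, from Comparitech or from Facebook) of why scraping is hard to tell apart from ordinary browsing. It runs a simple behavioural heuristic over constructed web-server access-log lines for a hypothetical `/profile/<id>` endpoint: a client that fetches many profile pages per second, or walks user IDs in sequence, is flagged as a scraper. The log format, paths, IP addresses, user agents, thresholds and the three client behaviours are all assumptions made for illustration.

```python
"""Scraper-detection heuristic over constructed web-server access-log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Illustrative thresholds (assumptions, not values any platform publishes).
MIN_PROFILE_HITS = 5        # ignore clients that fetched fewer profile pages
MAX_HITS_PER_SECOND = 1.0   # a human rarely opens more than one profile a second
SEQUENTIAL_FRACTION = 0.8   # share of consecutive fetches whose IDs differ by exactly 1

# Constructed sample log (Common Log Format plus Referer and User-Agent).
# Client 1: a naive bot walking consecutive user IDs at 2-3 pages a second.
# Client 2: a person browsing a handful of unrelated profiles from the feed.
# Client 3: a bot spreading sequential fetches over five different IPs.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Dec/2019:10:00:00 +0000] "GET /profile/100000001 HTTP/1.1" 200 5120 "-" "python-requests/2.22"
203.0.113.7 - - [14/Dec/2019:10:00:00 +0000] "GET /profile/100000002 HTTP/1.1" 200 5120 "-" "python-requests/2.22"
203.0.113.7 - - [14/Dec/2019:10:00:01 +0000] "GET /profile/100000003 HTTP/1.1" 200 5120 "-" "python-requests/2.22"
203.0.113.7 - - [14/Dec/2019:10:00:01 +0000] "GET /profile/100000004 HTTP/1.1" 200 5120 "-" "python-requests/2.22"
203.0.113.7 - - [14/Dec/2019:10:00:02 +0000] "GET /profile/100000005 HTTP/1.1" 200 5120 "-" "python-requests/2.22"
203.0.113.7 - - [14/Dec/2019:10:00:02 +0000] "GET /profile/100000006 HTTP/1.1" 200 5120 "-" "python-requests/2.22"
203.0.113.7 - - [14/Dec/2019:10:00:03 +0000] "GET /profile/100000007 HTTP/1.1" 200 5120 "-" "python-requests/2.22"
203.0.113.7 - - [14/Dec/2019:10:00:03 +0000] "GET /profile/100000008 HTTP/1.1" 200 5120 "-" "python-requests/2.22"
198.51.100.23 - - [14/Dec/2019:10:01:05 +0000] "GET /static/app.js HTTP/1.1" 200 8811 "https://example.test/feed" "Mozilla/5.0 (Windows NT 10.0) Firefox/71.0"
198.51.100.23 - - [14/Dec/2019:10:01:05 +0000] "GET /profile/100004821 HTTP/1.1" 200 5310 "https://example.test/feed" "Mozilla/5.0 (Windows NT 10.0) Firefox/71.0"
198.51.100.23 - - [14/Dec/2019:10:01:40 +0000] "GET /profile/100000317 HTTP/1.1" 200 5287 "https://example.test/feed" "Mozilla/5.0 (Windows NT 10.0) Firefox/71.0"
198.51.100.23 - - [14/Dec/2019:10:02:12 +0000] "GET /profile/100009904 HTTP/1.1" 200 5402 "https://example.test/feed" "Mozilla/5.0 (Windows NT 10.0) Firefox/71.0"
198.51.100.23 - - [14/Dec/2019:10:03:01 +0000] "GET /profile/100002250 HTTP/1.1" 200 5199 "https://example.test/profile/100009904" "Mozilla/5.0 (Windows NT 10.0) Firefox/71.0"
198.51.100.23 - - [14/Dec/2019:10:04:09 +0000] "GET /profile/100007118 HTTP/1.1" 200 5350 "https://example.test/feed" "Mozilla/5.0 (Windows NT 10.0) Firefox/71.0"
192.0.2.10 - - [14/Dec/2019:10:05:00 +0000] "GET /profile/100000101 HTTP/1.1" 200 5120 "https://example.test/feed" "Mozilla/5.0 (X11; Linux x86_64) Chrome/79.0"
192.0.2.11 - - [14/Dec/2019:10:05:01 +0000] "GET /profile/100000102 HTTP/1.1" 200 5120 "https://example.test/feed" "Mozilla/5.0 (X11; Linux x86_64) Chrome/79.0"
192.0.2.12 - - [14/Dec/2019:10:05:02 +0000] "GET /profile/100000103 HTTP/1.1" 200 5120 "https://example.test/feed" "Mozilla/5.0 (X11; Linux x86_64) Chrome/79.0"
192.0.2.13 - - [14/Dec/2019:10:05:03 +0000] "GET /profile/100000104 HTTP/1.1" 200 5120 "https://example.test/feed" "Mozilla/5.0 (X11; Linux x86_64) Chrome/79.0"
192.0.2.14 - - [14/Dec/2019:10:05:04 +0000] "GET /profile/100000105 HTTP/1.1" 200 5120 "https://example.test/feed" "Mozilla/5.0 (X11; Linux x86_64) Chrome/79.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PROFILE_RE = re.compile(r"^/profile/(?P<uid>\d+)$")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    p = PROFILE_RE.match(rec["path"])
    rec["uid"] = int(p.group("uid")) if p else None   # None for non-profile URLs
    return rec


def find_scrapers(lines):
    """Group profile fetches by (ip, user-agent) and return {client: [reasons]}
    for every client whose behaviour crosses one of the thresholds above."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["uid"] is not None:
            hits[(rec["ip"], rec["ua"])].append(rec)

    flagged = {}
    for client, recs in hits.items():
        if len(recs) < MIN_PROFILE_HITS:
            continue
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        rate = len(recs) / max(span, 1.0)
        steps = [b["uid"] - a["uid"] for a, b in zip(recs, recs[1:])]
        seq_frac = sum(1 for s in steps if s == 1) / len(steps)
        no_referer = all(r["referer"] == "-" for r in recs)
        reasons = []
        if rate > MAX_HITS_PER_SECOND:
            reasons.append(f"{rate:.1f} profile pages per second")
        if seq_frac >= SEQUENTIAL_FRACTION:
            reasons.append(f"{seq_frac:.0%} of fetches walk consecutive user IDs")
        if reasons and no_referer:
            reasons.append("no Referer on any request")
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    for (ip, ua), reasons in find_scrapers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} ({ua}): " + "; ".join(reasons))
```

Run stand-alone, the script flags only the naive bot at 203.0.113.7. The human browser stays below every threshold, but so does the third client, whose fetches are just as sequential yet arrive from five different addresses and so never accumulate enough hits under any one key. That is the difficulty the report describes: per-client rate and pattern checks catch careless bots, while a scraper that spreads its requests across many IPs and mimics a browser looks like many ordinary users.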
Regardless of how it actually happened, the researchers have warned Facebook users to make sure their security and privacy settings are set to private rather than public, which helps reduce the chance of their profiles being scraped. This matters all the more because the stolen data has been posted to the aforementioned hacker forum and is still in the criminals' hands, so it could well be used for targeted phishing attacks or spam.
This isn't the first time that Facebook user data has turned up around the web, and unfortunately it probably won't be the last. As recently as September, hundreds of millions of Facebook users' phone numbers were found on an open server, and a few months earlier, in April, researchers found two separate datasets held by two different app developers. In both cases, Facebook was the original source of the records.
And one last thing to consider if you are a merchant worried about data breaches affecting your bottom line: the Host Merchant Services Data Breach Security Program. The linked PDF explains the value-added service HMS provides to its merchants, which goes beyond simple PCI compliance and helps ensure a merchant's peace of mind.