Facebook downplays ‘old’ breach exposing info on 533 million users

Information included names, phone numbers, locations, birth dates, email addresses and other identifying details. No financial or payment information was accessed, Facebook said.

In a statement on its website Tuesday the social media giant said the information was gathered via a vulnerability the company fixed almost two years ago, and disputed that it was a hack.

Data scraped, not hacked: Facebook

“It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019,” said product management director Mike Clark.

Scraping refers to the act of gathering information that is already out there but somewhat hidden on public databases.

The company said whoever collected and assembled the data did so by abusing the contact importing service, which allows users to find other people in their network on Facebook.

Facebook said whoever did it seems to have uploaded a large set of phone numbers to see which ones matched Facebook users.

David Masson, director of enterprise security at cybersecurity firm Darktrace, says the information has likely been out there and spread widely for a while, before being outed recently.

“It’s been on the Web for quite a while, probably for sale to people,” he said. “But now somebody’s just offered it up for free.”

Building a profile

Greg Wolfond, CEO of data security firm SecureKey, said that in a vacuum, much of the information taken can seem innocuous and harmless, but when taken together can be very dangerous.

“What the hackers do is they try and get little bits of data about you in this case something like your phone number,” he told CBC News in an interview. They can then combine that with other bits of information — an address, a full name — and start building a profile.

What’s most dangerous is once they have gathered enough to attempt to gain access to a cellphone account. With the right combination of information, a telecom company may allow someone walking in to port the account number to a new phone.

“They take over your phone, and within minutes of taking over your phone, they’re trying to get into your bank account, to get into your Facebook account, your Google account, whatever you use that phone as your recovery for,” he said.

Typically, consumers are urged to fight data theft by doing things like changing passwords frequently, and making the complex. But those things are of little use when companies claim the right to reams of data about their users, and promise to keep it safe.

“Empowering individuals to share their data and putting a responsibility on parties that have the data to keep it secure, 
is super important,” he said.

Not Facebook’s first user-info incident

Although the company is downplayed in the incident, it is far from the company’s first misstep with user info.

In 2018, the social media giant disabled a feature that allowed users to search for one another via phone number following revelations that the political firm Cambridge Analytica had accessed information on up to 87 million Facebook users without their knowledge or consent.

In December 2019, a Ukrainian security researcher reported finding a database with the names, phone numbers and unique user IDs of more than 267 million Facebook users — nearly all U.S.-based — on the open internet.

LISTEN | Protecting your data while working remotely:

Facebook says it will “continue aggressively go after malicious actors who misuse our tools,” and touted its dedicated team focused on this work” but  Masson says users shouldn’t make the mistake of assuming that the company’s size and scope somehow make them better equipped to keep user data safe.

“It doesn’t matter how big or sophisticated you are, they can be attacked,” he said.

Like many breaches, this one was only discovered long after the fact, and that’s because the technology company’s use isn’t keeping up with the ones the hackers are using.

“There are better technologies that actually work on what happens once the bad guys get inside your network rather than when they’re banging on the door outside. So people [have] got to realize this will happen again.