Facebook this week published a 500-word blog post addressing the leak of phone numbers belonging to 533 million users. However, the company shrugs off responsibility and offers no apology for the breach; instead, it places the blame on pre-2019 policies that enabled the behavior. Also note that, regardless of when it was leaked, user data ‘is never really old’: it is still valuable to cybercriminals, analysts say.
According to Mike Clark, Facebook’s Product Management Director, the data leak traces back to a vulnerability in a contact importer tool that allowed scammers to “imitate our app and upload a large set of phone numbers to see which ones matched Facebook users.” The tool was intended to allow Facebook users to find friends on the platform, but bad actors also took advantage of it.
“Through the previous functionality, they were able to query a set of user-profiles and obtain a limited set of information about those users included in their public profiles,” Clark wrote. “The information did not include financial information, health information, or passwords.”
Still, the people who abused the vulnerability scraped millions of profiles and dumped the info into unsecured databases. And while Facebook limited that contact importer tool in 2019, the scraped data is still floating around the web. That’s where the 20GB database containing the 533 million phone numbers (as well as Facebook IDs, people’s full names, and locations) came from. It’s now circulating within hacking circles and forums via a torrent.
Facebook assures us that it’s important that your phone number was not stolen from Facebook by hacking. It was stolen by scraping. https://t.co/yqemhrtdmw
— @mikko (@mikko) April 7, 2021
Facebook, however, does not plan on notifying affected users. And Clark’s blog post ignores the real problem: when combined with software automation, the 2019 vulnerability enabled anyone to plug in large numbers of phone numbers and learn the identities behind them. (For example, the 20GB database circulating online even has Facebook CEO Mark Zuckerberg’s information, including what appears to be his personal phone number.)
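The matching oracle described above (upload numbers, learn which ones belong to users) is what automation turned into bulk enumeration. As an added example that is not Facebook’s code, the following Python flags clients whose contact-import uploads look like a sweep of a number range rather than a real address book; the Upload fields, thresholds and sample uploads are assumptions and constructed data.

```python
# Added example (not Facebook code): heuristics for spotting a range sweep
# against a contact-importer "match" endpoint. Field names, thresholds and
# the sample uploads are assumptions / constructed data.
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Upload:
    client_id: str      # app key / account that submitted the batch
    numbers: list[str]  # E.164 numbers submitted for matching
    matched: int        # how many resolved to a profile (logged, not scored here)

def sequential_fraction(numbers: list[str]) -> float:
    """Share of adjacent (sorted) numbers that differ by exactly 1.
    A real address book is sparse; a sweep of a number range is dense."""
    digits = sorted(int(n.lstrip("+")) for n in numbers)
    if len(digits) < 2:
        return 0.0
    adjacent = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
    return adjacent / (len(digits) - 1)

def flag_enumeration(uploads, max_total=5000, max_batch=1000, max_seq=0.2):
    """Return {client_id: [reasons]} for clients whose uploads look like a sweep.
    Thresholds are illustrative: a phone's contact list rarely exceeds a few
    thousand entries and is almost never a contiguous range."""
    totals = defaultdict(int)
    reasons = defaultdict(set)
    for up in uploads:
        totals[up.client_id] += len(up.numbers)
        if len(up.numbers) > max_batch:
            reasons[up.client_id].add("oversized batch")
        if sequential_fraction(up.numbers) > max_seq:
            reasons[up.client_id].add("contiguous number range")
    for cid, total in totals.items():
        if total > max_total:
            reasons[cid].add("volume exceeds plausible address book")
    return {cid: sorted(r) for cid, r in reasons.items()}

def sample_uploads():
    """Constructed data: one genuine-looking import and one three-batch sweep."""
    genuine = Upload("mobile-user-1", ["+14155550123", "+14155557788", "+12125550345"], 2)
    sweep = [Upload("scraper-7", [f"+1415555{i:04d}" for i in range(k, k + 2000)], 400)
             for k in (0, 2000, 4000)]
    return [genuine, *sweep]

if __name__ == "__main__":
    for cid, why in flag_enumeration(sample_uploads()).items():
        print(f"{cid}: {', '.join(why)}")
```

In a real deployment the per-client totals would be kept over a sliding window and the endpoint would also be rate-limited, so that a flagged client is throttled rather than only reported.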
Clark’s blog post does not acknowledge that most people don’t want their personal phone number out on the open web, let alone in the hands of scammers and cybercriminals. The company’s reticence is likely about trying to avoid regulatory scrutiny. In July 2019, the social network reached a $5 billion settlement with the US Federal Trade Commission over the Cambridge Analytica scandal and other alleged privacy violations.
Under the deal, Facebook likely should have notified the FTC about the contact importer tool vulnerability, and how it may have exposed users’ personal information, notes Ashkan Soltani, the former chief technology officer for the FTC. But whether the company did remains unclear. The FTC declined to say if it’s investigating Facebook over the data leak. But Ireland’s Data Protection Commission is demanding answers from Facebook over the data scraping.
The only solace Facebook can give to affected users is its commitment to try and take down the 20GB of data. “While we can’t always prevent data sets like these from recirculating or new ones from appearing, we have a dedicated team focused on this work,” Clark wrote. His blog post also suggests that users update their privacy settings.
To find out whether you were affected by the leak, don’t count on Facebook. You’ll have to use a third-party website, such as Haveibeenpwned.com.
To limit who can find you via your phone number, go to Settings & Privacy > Settings > Privacy Settings > How People Can Find and Contact You > Who can look you up using the phone number you provided? in the mobile app. Here you can choose between Everyone, Friends of Friends, Friends, and Only me.