
Freeman Cebu Business

Over 1.5B Facebook users’ personal data found for sale on hacker forum

INTEGRITY BEAT - Henry Schumacher - The Freeman

Are you scared about the latest bad news about Facebook that private and personal data from more than 1.5 billion Facebook users was found for sale on a hacker forum? I am!

Reported by privacy research company Privacy Affairs, the data found for sale doesn't indicate that the seller actually broke into Facebook's systems, nor that the data is tied to any other data breach. Instead, Privacy Affairs said that the data was allegedly obtained by scraping publicly available data shared by Facebook users.

The fact that the data stolen and for sale is publicly available shouldn't ease anyone's fears: That data can still be used to compromise users' security and privacy. In particular, the stolen data contains names, email addresses, locations, gender, phone numbers and Facebook User ID information. Each bit of that data could clue an attacker into password challenge answers, allow them to intercept one-time login codes, phish, send scam text messages and more. 

There have been some questions as to the legitimacy of both the seller and the data, with one prospective buyer saying they paid the user but never received any data. The seller denied the accusations, but as of October 6 the post has been taken down, with a Facebook spokesperson saying the company sent a takedown request. 

While the potential for this particular set of data to be exploited may have lessened thanks to its removal from this particular forum, it's unknown if it could end up posted elsewhere or how many buyers may have already purchased some of it. There are a total of nearly three billion people on Facebook, which means that data pertaining to up to half of them could be in the hands of bad actors. 

Privacy Affairs said the data they examined from samples provided on the forums appears to be legitimate. The seller claims their group has been in operation for at least the past four years and has served more than 18,000 clients in that time. Cross-checking the data against known Facebook leaks didn't bring up any matches, which Privacy Affairs said could indicate that this is all new, but legitimate, data. 

The data exposed in this leak, if authentic, "may constitute one of the biggest and most significant Facebook data dumps to date," Privacy Affairs founder and CEO Miklos Zoltan said. 

Every bit of publicly available data can be "scraped" by a bot and stored in a database, spreadsheet or other kind of file. That's not the only tool attackers use, though: They also use Facebook quizzes like "Which character from X show are you?" in order to harvest data. 

"Every time someone enters one of these surveys or quizzes, they permit the creators of these games to view their personal Facebook information such as full name, email, phone number, location, gender and more," said Zoltan. 

Because scraping only requires data to be available, Facebook users should ensure they never set their profiles to public. It's also a good idea to go through a Facebook privacy checkup to be sure there are no errant bits of data sneaking out from places you thought were secure.

In addition, never take Facebook quizzes or grant Facebook apps permission to access your personal information. Only use surveys, games and quizzes from known trustworthy sources. 

If your data was already scraped it may be too late, but you can lock your account down now to prevent future information from being stolen. 

In this context I am happy that the National Privacy Commission (NPC) ordered 58 local government units (LGUs) to comply with the privacy laws in their enforcement of contact tracing efforts amid recent reports of ‘smishing’ attacks. ‘Smishing’ happens when fraudsters send mobile text messages to victims, tricking them into clicking malicious websites. These sites may steal users’ personal data, introduce mobile malware, and even commit fraud.

The NPC noted that ‘smishing’ can also be present in online shopping or delivery, sending a shortened link that leads to websites asking victims to provide their personal and banking information to complete the transaction.

As such, the National Privacy Commission is telling the public to be more vigilant of cybersecurity attacks.

The Facebook personal data breach and the examples of fraud highlighted by the NPC are clear signs that we have to be much more aware of fraudsters and have to protect our personal data. Feedback is appreciated; please contact me at [email protected]
