What really caused the data breach of Facebook’s 500 million users?

Since Saturday, a huge trove of Facebook data has been circulating publicly, with information from approximately 533 million Facebook users being spread across the internet. The data includes things like profile names, Facebook ID numbers, email addresses and phone numbers. It’s all the kind of information that may have already been leaked or pulled from another source, but it’s yet another resource that ties all that data together, links it to each victim, and presents neat profiles to scammers, phishers, and spammers on a silver platter.

Facebook’s initial response was simply that the data had been reported on earlier, in 2019, and that the company remedied the underlying vulnerability in August of that year. Old news. But a closer look at exactly where this data comes from reveals a much darker picture. The data, which first appeared on the criminal dark web in 2019, came from a breach that Facebook did not disclose in detail at the time and did not fully acknowledge until Tuesday night, in a blog post attributed to product management director Mike Clark.

One source of confusion was that Facebook has had a number of breaches and exposures from which this data could have come. Was it the 540 million records – including Facebook IDs, comments, likes and response data – that were exposed by a third party in April 2019 and made public by the security company UpGuard? Or was it the 419 million Facebook user records, including hundreds of millions of phone numbers, names and Facebook IDs, scraped from the social network by bad actors before a 2018 Facebook policy change, made public and reported by TechCrunch in September 2019? Did it have anything to do with the 2018 Cambridge Analytica third-party data sharing scandal? Or was this somehow related to the massive 2018 data breach on Facebook that compromised access tokens and virtually all the personal data of about 30 million users?

In fact, the answer does not seem to be any of the above. As Facebook eventually explained in background commentary to WIRED and in its Tuesday blog post, the recently published set of approximately 533 million records is an entirely different dataset, one that attackers obtained by exploiting a flaw in a Facebook address book contacts import feature. Facebook says it patched the vulnerability in August 2019, but it’s unclear how many times the bug was exploited before that. The information of more than 500 million Facebook users in more than 106 countries includes Facebook IDs, phone numbers and other information about early Facebook users such as Mark Zuckerberg and US Secretary of Transportation Pete Buttigieg, as well as the European Union’s Data Protection Commissioner, Didier Reynders. Other victims include 61 people who mention the “Federal Trade Commission” and 651 people who mention “Attorney General” in their Facebook records.

You can check if your phone number or email address was exposed in the leak by visiting the HaveIBeenPwned breach tracking site. For the service, founder Troy Hunt reconciled two different versions of the dataset floating around.

“When there is a vacuum of information from the organization involved, everyone speculates and there is confusion,” says Hunt.

The closest Facebook had previously come to acknowledging the source of this breach was a comment made in a news article in the fall of 2019. That September, Forbes reported on a related vulnerability in Instagram’s mechanism to import contacts. The Instagram bug revealed users’ names, phone numbers, Instagram handles, and account ID numbers. At the time, Facebook told the investigator who revealed the flaw that the Facebook security team “was already aware of the problem because of an internal finding.” A spokesman told Forbes, “We changed the contact importer on Instagram at the time to prevent possible abuse. We are grateful to the researcher who raised this issue.” Forbes noted in the September 2019 story that there was no evidence that the vulnerability had been exploited, but also no evidence that it had not been.
