267M Facebook account details in unsecured database shared on hacking forum
An unsecured database with account details relating to 267 million Facebook Inc. users has been found online and has already been shared on a hacking forum.
Discovered and publicized today by security researcher Bob Diachenko, the Elasticsearch database included Facebook user IDs, phone numbers, full names and a time stamp. Where the data comes from, however, is not clear.
Diachenko speculates that the data may have been stolen from Facebook’s developer application programming interface before the company restricted access in 2018. Alternatively, the data could simply have been scraped from publicly visible profile pages. What is known, based on the evidence at hand, is that the database itself was compiled by criminals in Vietnam.
The database was available online for just over two weeks, having first been indexed Dec. 4. The data was posted to a hacker forum Dec. 12, and Diachenko discovered the database and informed the internet service provider managing the IP address of the server Dec. 14. The database was eventually taken offline today.
While the data in the database did not include passwords, the data itself is still valuable, as it can be used for phishing and spam campaigns, including those delivered by SMS message.
“Social media platforms are lucrative targets for cybercriminals due to the massive amounts of personally identifiable information that they collect and store from users,” Anurag Kahol, chief technology officer at cloud access security broker Bitglass Inc., told SiliconANGLE. “In fact, the data exposed in this incident was found on a dark web forum, leaving the affected consumers highly vulnerable to targeted phishing and credential stuffing attacks, account hijacking and more.”
Even though the database does not include passwords, the problem of password reuse comes into play. “The lasting impact is unknown and a staggering 59% of consumers admit to reusing the same password across multiple sites, even knowing the risks associated,” Kahol explained. “This could give cybercriminals access to various accounts for the same individual across multiple services, rendering their digital footprint incredibly vulnerable as a result. All consumers, not just users impacted by this incident, need to make a habit of diversifying their login credentials across different accounts in order to mitigate the chances of their account being hijacked.”
Robert Prigge, chief executive officer of identity verification company Jumio Corp., reflecting how routine such stories have become lately, said, “Yawn, another data breach. We’re all getting a bit jaded by these breaches and it’s a given that the information contained in the compromised database could be used to conduct large-scale SMS spam and phishing campaigns, among other threats to end-users.”
Tens of thousands of businesses use the Facebook Login button on their websites to validate whether users are who they claim to be, Prigge added. “You can’t possibly know if a user is who they claim to be given the scope and magnitude of these breaches,” he said. “Businesses must reconsider their use of these types of identity proofing and authentication mechanisms as they’re practically worthless.”
Photo: Ben Osteen/Flickr