Over 500M Facebook account records leaked on hacking forum

Posted:
in General Discussion edited April 3
A major cache of personal data for more than 500 million Facebook users has been published on hacking forums, in one of the biggest lapses of data protection for the social network so far.

A Facebook data center in Sweden from 2016
A Facebook data center in Sweden from 2016


The database, published to a hacking forum, contains the personal data of hundreds of millions of Facebook users around the world. The data, which was discovered on Saturday, has the potential to be used for a variety of crimes, including other hacks and social engineering.

Advised to Business Insider by cybercrime research firm Hudson Rock CTO Alon Gal, the data included full names of users, as well as Facebook IDs, locations, dates of birth, biographies, phone numbers, and email addresses. A selection of records from the cache was verified against Facebook's password reset feature, and were found to be genuine.

Over 533 million users are listed in the data, covering 106 countries. Over 32 million of the records are for US-based users, with 11 million based in the UK and 6 million from India.

"A database of that size containing the private information such as phone numbers of a lot of Facebook's users would certainly lead to bad actors taking advantage of the data," said Gal.

In what could be frustrating to affected Facebook users, Gal first spotted a user of the hacking forum advertising an automated bot in January, claiming to be able to scrape the phone numbers of millions of users. It appears that the data set collected by that bot was published to the forum for free, making it available for anyone to acquire at no cost.

At this stage, Gal believes there's little Facebook can do now the data is in circulation, other than to notify users to be vigilant for phishing schemes or fraud using their personal data.

"Individuals signing up to a reputable company like Facebook are trusting them with their data and Facebook is supposed to treat the data with utmost respect," said Gal. "Users having their personal information leaked is a huge breach of trust and should be handled accordingly."

Facebook has yet to comment on the new data cache publicly.

This is far from the first major lapse in data protection for Facebook, but it is among one of the worst by the social network.

In 2018, it was revealed that analytics firm Cambridge Analytica used a quiz app to collect data on users and connected friends, partly without consent. The data was then used to build voter profiles for some 71 million Americans, and was believed to have been used in the 2016 Presidential race.

Among other fines and sanctions, Facebook settled to end a Federal Trade Commission investigation in 2019 over the matter, paying a $5 billion penalty and agreeing to new restrictions on how it handles private data. At the time, Facebook claimed it had made "large strides on privacy," and insisted it would be "more robust" in identifying, assessing, and mitigating privacy risk.

In April 2019, security researchers found multiple instances where Facebook user data was exposed publicly on Amazon cloud servers by third-party companies. In one case, a firm was openly storing 540 million Facebook records, before being shuttered by Facebook.
«1

Comments

  • Reply 1 of 25
    badmonkbadmonk Posts: 961member
    If this is true, there needs to be a major fine levied by the FTC as punishment.
    PetrolDavemacseekerAnilu_777bettyhllamawatto_cobra
  • Reply 2 of 25
    So they got my digits. BFD, I’ve already got an extended warranty on my car.
    baconstangmartinp13dewme
  • Reply 3 of 25
    coolfactorcoolfactor Posts: 1,790member

    ... claiming to be able to scrape the phone numbers of millions of users. It appears that the data set collected by that bot was published to the forum for free, making it available for anyone to acquire at no cost.

    If this bot did indeed "scrape" the information, then it wasn't a compromise of any of Facebook's systems or databases. This bot would have "built" its own database from the scraped data.

    Computers (ie. bots) can work a LOT faster than humans, so this would be the equivalent of several humans trying to manually read profiles (some are public info!) and copy the information into a centralized database. The bot just did it a lot faster and without supervision.

    if this is the case, Facebook can't be held directly responsible other than allowing the bot to do its work for an extended period of time.

    edited April 3 llama
  • Reply 4 of 25
    roakeroake Posts: 735member
    This reaffirms my believe that Facebook would have to get better to suck.
    baconstangAnilu_777GG1jony0Rayz2016longpathSkepticalwatto_cobra
  • Reply 5 of 25
    Anilu_777Anilu_777 Posts: 246member
    Are they going to have the balls to tell people that their data has been compromised? Facebook asks for phone numbers etc “to secure your account”. So how deep this this bot crawl??
    edited April 3 bettyhSkepticalwatto_cobra
  • Reply 6 of 25
    GG1GG1 Posts: 439member
    Hopefully Zuck's info was in that cache.
    sportyguy209Skepticalwatto_cobra
  • Reply 7 of 25
    BeatsBeats Posts: 1,929member
    Isn’t this the company that complained that apple was too secure?
    longpathqwerty52Andy.HardwakeSkepticaluraharawatto_cobra
  • Reply 8 of 25
    seanismorrisseanismorris Posts: 1,624member
    I wonder why my sister has been targeted by so many scam emails lately...
    Let me check her Facebook page to see if she knows.  Looks like I’d need to create an account... never mind.
    I think we all know the answer already.
    longpathwatto_cobra
  • Reply 9 of 25
    longpathlongpath Posts: 334member
    On the one hand, I’m grateful to have ceased using Facebook products, and on the other, I have to wonder how far back in time this data cache covers. I’d love to to know how I can check if my data or that if my kin was compromised.
    bettyhllamawatto_cobra
  • Reply 10 of 25
    geekmeegeekmee Posts: 452member
    I am shocked and appalled!...again.

    If there is just someway we could’ve known!...
    edited April 4 Skepticaldewmewatto_cobra
  • Reply 11 of 25
    Rayz2016Rayz2016 Posts: 6,671member

    ... claiming to be able to scrape the phone numbers of millions of users. It appears that the data set collected by that bot was published to the forum for free, making it available for anyone to acquire at no cost.

    If this bot did indeed "scrape" the information, then it wasn't a compromise of any of Facebook's systems or databases. This bot would have "built" its own database from the scraped data.

    Computers (ie. bots) can work a LOT faster than humans, so this would be the equivalent of several humans trying to manually read profiles (some are public info!) and copy the information into a centralized database. The bot just did it a lot faster and without supervision.

    if this is the case, Facebook can't be held directly responsible other than allowing the bot to do its work for an extended period of time.


    The data scraping happened due to a vulnerability that exposed personal details. Sounds like the bot  triggered the vulnerability and then scraped the data once it became exposed. (My guess is that even though the data wasn’t shown on the screen, it was still being sent in the raw HTML)

    Facebook patched bug in 2019, but not before the data breach. 

    This wasn’t a particularly sophisticated attack; I’m surprised Facebook’s systems didn’t realise a bot was running. 
    edited April 4 bettyhlongpathwatto_cobra
  • Reply 12 of 25
    bettyhbettyh Posts: 5member
    I am one of their victims from that breach or whatever they are calling it! They hacked into my old account, changed all my log in information and emails connected to it preventing me from being able to get back into my own account. They continued using my account as if they were me like nothing had happened, like they knew they couldnt get caught, and they didnt and still to this day someone is using that account as if they were me!!!! I have spent countless hours, days, weeks and months on this situation and havick it has caused me and cost me and this is the first ive heard about it in public. This happend last year after the annoncement of covid-19. Can anyone please point me in the direction for a good attorney to use to file a major lawsuit against FACEBOOK please???? Thank you
    longpathDogpersonioniclewatto_cobra
  • Reply 13 of 25
    bettyhbettyh Posts: 5member
    longpath said:
    On the one hand, I’m grateful to have ceased using Facebook products, and on the other, I have to wonder how far back in time this data cache covers. I’d love to to know how I can check if my data or that if my kin was compromised.
    Trust me, you would know
    watto_cobra
  • Reply 14 of 25
    bettyhbettyh Posts: 5member
    Rayz2016 said:

    ... claiming to be able to scrape the phone numbers of millions of users. It appears that the data set collected by that bot was published to the forum for free, making it available for anyone to acquire at no cost.

    If this bot did indeed "scrape" the information, then it wasn't a compromise of any of Facebook's systems or databases. This bot would have "built" its own database from the scraped data.

    Computers (ie. bots) can work a LOT faster than humans, so this would be the equivalent of several humans trying to manually read profiles (some are public info!) and copy the information into a centralized database. The bot just did it a lot faster and without supervision.

    if this is the case, Facebook can't be held directly responsible other than allowing the bot to do its work for an extended period of time.


    The data scraping happened due to a vulnerability that exposed personal details. Sounds like the bot  triggered the vulnerability and then scraped the data once it became exposed. (My guess is that even though the data wasn’t shown on the screen, it was still being sent in the raw HTML)

    Facebook patched bug in 2019, but not before the data breach. 

    This wasn’t a particularly sophisticated attack; I’m surprised Facebook’s systems didn’t realise a bot was running.                                                                                         
    You seem to know alot about this attack, that's a little disturbing
  • Reply 15 of 25
    bettyhbettyh Posts: 5member
    Facebook is very much responsponsible or part of it would be more accurate coming from a victim's personal experience. Can anyone recommend a good lawsuit attorney?
    longpathwatto_cobra
  • Reply 16 of 25
    bettyhbettyh Posts: 5member
    badmonk said:
    If this is true, there needs to be a major fine levied by the FTC as punishment.
    badmonk said:
    If this is true, there needs to be a major fine levied by the FTC as punishment.
    Exactly, so how do you do that? Sorry I'm new here and don't know how to use these quotes or how to reply to individual comments. 
    watto_cobra
  • Reply 17 of 25
    frantisekfrantisek Posts: 722member
    I found list of countries and respective numbers of users from those countries on Telegram accounts that are shown on twitter. I did sum and it shows 

    815 766 690 users not 533 mill.


    Albania  506598
    Algeria  2753389
    Angola  508889
    Argentina  2339552
    Australia  10335994
    Austria  1249388
    Bahrain  1717388
    Bangladesh  3816349
    Belgium  3899708
    Bolivia  2969197
    Brazil  8064910
    Cameroon  1997648
    Chile  6889072
    China (PRC)  664063
    Colombia  17957882
    Costa Rica  1249736
    Croatia  1393646
    Czech Republic  3130599
    Denmark  2138831
    Easter Island  6889072
    Egypt  46131721
    Finland  1214441
    France  22633482
    Germany  10060056
    Ghana  1027960
    Greece  617714
    Guatemala  1645058
    Hong Kong  2937834
    Hungary  3050356
    India  6162123
    Iran  1685080
    Ireland  1449379
    Israel  5840751
    Italy  35677320
    Japan  23121090
    Jordan  3101036
    Kazakhstan  3214290
    Kuwait  4085589
    Lebanon  2214542
    Libya  4841817
    Malaysia  11675715
    Mexico  13330528
    Morocco  5364973
    Netherlands  5925935
    Nigeria  11634758
    Norway  1963459
    Oman  5441140
    Palestinian Settlements  664382
    Panama  1502308
    Peru  8075289
    Philippines  899619
    Poland  4720382
    Portugal  2394787
    Qatar  3617712
    Russia  34969216
    Saudi Arabia  11406199
    Singapore  3868510
    South Africa  14323141
    Spain  17802136
    Sweden  4048322
    Switzerland  1592039
    Syria  6844650
    Taiwan  734803
    Tunisia  6392568
    Turkey  22765545
    United Arab Emirates  9406460
    United Kingdom  34637834
    United States of America & Canada  209663256
    Uruguay  1509315
    Vietnam  92321998
    Yemen  5086161
  • Reply 18 of 25
    lkrupplkrupp Posts: 8,894member
    badmonk said:
    If this is true, there needs to be a major fine levied by the FTC as punishment.
    Pffffffttt with any FTC fine. Facebook needs to be forced to pay for compensation to any user damaged by the leak. Facebook needs to pay for perpetual security monitoring  software subscriptions like credit reporting agency Equifax was forced to do when hundreds of millions of its customers were compromised. 
    watto_cobra
  • Reply 19 of 25
    frantisekfrantisek Posts: 722member
    lkrupp said:
    badmonk said:
    If this is true, there needs to be a major fine levied by the FTC as punishment.
    Pffffffttt with any FTC fine. Facebook needs to be forced to pay for compensation to any user damaged by the leak. Facebook needs to pay for perpetual security monitoring  software subscriptions like credit reporting agency Equifax was forced to do when hundreds of millions of its customers were compromised. 
    There should be insurance for companies for such situations. Not to defend Facebook but nearly no one is prone some sophisticated attack 100%. And then exactly set fines.
  • Reply 20 of 25
    elijahgelijahg Posts: 1,981member
    "Individuals signing up to a reputable company like Facebook are trusting them with their data"
    Ha yeah. "Reputable".
    Dogpersonwatto_cobra
Sign In or Register to comment.