On December 4th, security researcher Bob Diachenko discovered a database containing over 267 million Facebook IDs, names, and phone numbers stored online without even a password to secure the information [1]. He and his team of researchers believe this information was gathered and posted as part of an illegal scraping operation or Facebook API abuse. Diachenko immediately took action and notified Facebook of the exposure; however, it wasn’t until 15 days later that the database was secured. Unfortunately, this was not quick enough, as hackers were able to access and steal the exposed data for their own financial gain.
What does this mean for me?
On December 12th, hackers posted a file containing the breached Facebook IDs, names, and phone numbers of more than 267 million users for sale on an online hacking forum on the dark web. Researchers were able to verify the authenticity of the shared data and confirmed that the stolen and posted information does contain real Facebook user information. This information can now be used to send spam messages, impersonate affected users, conduct phishing scams, and launch future cyberattacks. Because of this, victims need to be alert for a number of things:
- Victims may have trouble signing into their accounts after a hacker has changed their password.
- Accountholders may notice messages and comments sent from their accounts to others that they did not send themselves.
- Victims may receive a significant amount of spam email, as their email addresses have been made available to hackers and scam artists.
- Spam emails received by victims may include phishing links or clickbait intended to bring financial gain to hackers.
- Cyber criminals may create clones of victims’ Facebook profiles in order to scam their friends and loved ones.
- Other accounts where victims reused the same password they used on Facebook may be hacked.
While Mark Zuckerberg often assures users that Facebook takes appropriate security measures to safeguard data against hackers, the company has continued to make news headlines for data breaches. What is even more alarming is that the company doesn’t seem to worry much about these breaches, because it has the financial standing to pay the associated fines. In fact, Facebook has set aside $3 billion just to pay off fines associated with future data breaches [2].
How can I protect myself?
- Change your password for Facebook and for any other account where you used the same email address and password. When hackers obtain an email address and password combination, they try those same credentials on other popular websites and can break into any account where you’ve reused the password.
- Set your Facebook friends list to private. When attackers create a clone of your Facebook profile, they’ll send Friend requests to anyone they see on your friends list. When your unsuspecting friends accept that request, they are at risk of identity theft and scams. Attackers also prey on the trust and relationships that you’ve built to trick your friends into offering financial help for emergency situations.
- Install browser protection to monitor your online accounts for signs that they have been involved in breaches and to alert you if the website you’re visiting is actually a spoofed version of a website intended to steal your data as part of a phishing attack.
- Never accept a Facebook friend request from someone who you don’t know. If you receive a friend request from someone you’re already friends with, double check with them that the friend request was, in fact, from them and that it wasn’t sent by a hacker who cloned their profile.