Hacker Recycles Data on Half a Billion Facebook Users

A rich cache of data on some 533 million Facebook users was posted to a hacker forum over the weekend and is available to download for practically free. The information is from a data breach that occurred in 2019, but hasn’t been widely available until now.
The data was posted to an English-speaking cybercriminal forum called RaidForums by a hacker going by the handle TomLiner.
“The Facebook data was first listed for sale on RaidForums on June 6, 2020, but the initial sale allegedly asked users for US$30,000 in exchange for the data,” explained Ivan Righi, a cyber threat intelligence analyst with Digital Shadows, a San Francisco-based provider of digital risk protection solutions.
“TomLiner’s post exposed the data for eight forum tokens — approximately $2.52. The data has been unlocked by close to 3,800 users, generating TomLiner over $9,500.”
Michael Isbitski, a technical evangelist with Salt Security, a Palo Alto, Calif.-based provider of API security, added that at the time of that incident in 2019, Facebook indicated the data of 220 million users was scraped prior to the company restricting access in the platform to preserve users’ privacy.
“It’s plausible that this is partially the old data set resurfaced and combined with other scraped data sets since the number has now ballooned to 533 million users,” he told Techtvng.
Phone Number Flaw
In a statement provided to Techtvng by Facebook, the company said it is confident the posted information is old data that originated from a weakness in its contact importer feature that was discovered and fixed in August 2019.
At that time, it explained, the company removed people’s ability to directly find others using their phone number across both Facebook and Instagram — a function that could be exploited using sophisticated software code to imitate Facebook and provide a phone number to find which users it belonged to.
Using that software, it continued, it had been possible to input multiple phone numbers and, by running an algorithm, connect numbers to specific users.
Facebook never returned a phone number, it explained; the attacker provided the numbers by which to do the matching.
Through this process, it was possible at that time to query user profiles and obtain a limited amount of publicly available information, it added.
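A defender-side illustration of the abuse pattern described in Facebook's statement, added here and not taken from Facebook or from the original article: it flags contact-import clients whose submitted numbers form dense sequential ranges rather than a scattered address book. The log shape, client names, thresholds and phone numbers are constructed assumptions.

```python
from collections import defaultdict

def normalize(phone):
    """Reduce a submitted phone string to an integer of its digits (None if empty)."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    return int(digits) if digits else None

def find_enumerators(events, min_numbers=50, min_sequential_ratio=0.8):
    """events: iterable of (client_id, phone) lookups sent to a contact-matching feature.
    Flags clients that submitted many distinct numbers, most of them adjacent (n, n+1).
    Both thresholds are assumed values to be tuned against real traffic."""
    per_client = defaultdict(set)
    for client, phone in events:
        number = normalize(phone)
        if number is not None:
            per_client[client].add(number)  # resubmitted numbers count once
    flagged = {}
    for client, numbers in per_client.items():
        if len(numbers) < min_numbers:
            continue  # an ordinary small address book
        ordered = sorted(numbers)
        adjacent = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        ratio = adjacent / max(len(ordered) - 1, 1)
        if ratio >= min_sequential_ratio:
            flagged[client] = {"distinct": len(ordered),
                               "sequential_ratio": round(ratio, 2)}
    return flagged

def build_sample_events():
    """Constructed sample log; every number here is fictional."""
    events = []
    # client-A: a small, scattered address book
    events += [("client-A", f"+{15555550000 + i * 104729}") for i in range(12)]
    # client-B: walks a contiguous block of 200 numbers, sent with dashes
    for i in range(200):
        n = str(15555550000 + i)
        events.append(("client-B", f"+{n[0]}-{n[1:4]}-{n[4:7]}-{n[7:]}"))
    # client-C: a large address book, but not sequential
    events += [("client-C", f"+{15555550000 + i * 7919}") for i in range(60)]
    return events

if __name__ == "__main__":
    for client, stats in find_enumerators(build_sample_events()).items():
        print(client, stats)
```

Volume alone would also flag client-C; the sequential-ratio test is what separates a large legitimate address book from a walk through a number range.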
Playbook for ID Theft
Although the data may be old, it still has value to hackers, cybersecurity experts told Techtvng.
Admittedly, the data’s value has been diminished as a saleable asset, observed Andrew Barratt, managing principal for solutions and investigations at Coalfire, a Westminster, Colo.-based provider of cybersecurity advisory services.
“But the data is still a ready-made playbook for identity theft, impersonation, and potential Facebook account takeover, which often has more far-reaching consequences if Facebook accounts are used to access other sites or services,” he said.
“Look at the number of fitness tracking systems, which log relevant healthcare data that leverage a Facebook login to get in,” he added.
Tech experts have noted that it is likely that most phone numbers are still active and remain linked to legitimate Facebook users.
“Cybercriminals can use information such as phone numbers, emails and full names to launch targeted social engineering attacks, such as phishing, vishing, or spam,” he said. “As most users are still working from home due to the pandemic, these attacks could be effective if personalized to target victims.”
“Now more than ever it is important to seriously reconsider using phone numbers as logins or sharing phone numbers with apps,” added tech expert Setu Kulkarni, vice president for strategy at WhiteHat Security, a San Jose, Calif.-based provider of application security.
“Switching phone numbers is inordinately more taxing than switching email IDs,” he added.
Exploiting the Pandemic
Being in the middle of a pandemic may also add value to the recycled data from the Facebook breach.
“Having access to all the data may be a golden nugget for criminals orchestrating large spam or phishing campaigns, many of which have been tailored to pandemic themes — stimulus checks, mask politics, geographical restrictions or track and trace scenarios.
“Whether it’s more or less valuable is complex because of the general state of the global economy,” he continued.
“It might be harder to scam an individual for a higher amount of money; however, it might be possible to scam a larger volume of people for smaller amounts that are ‘on trend’ from a pandemic perspective,” he explained.
A threat intelligence company in El Segundo, Calif. added that the global scope of the pandemic can be an asset to scammers armed with data from the Facebook breach.
“Every country is in different stages of grappling with their Covid-19 vaccine rollout, and cybercriminals can absolutely use this data to socially engineer vaccine misinformation.
This shows that Americans are becoming increasingly anxious to get their Covid-19 vaccine and might be an easy target for hackers.
Interpol has also issued an alert to law enforcement across 194 countries, warning them to prepare for crimes revolving around Covid-19 vaccines.
Investigators have also reported vaccine-related activities on the Dark Web.
No Stranger to Breaches
Over the years, the social network has been the target of a number of headline-grabbing data breaches.
“Facebook has been hit with data incidents from every angle,” observed tech experts.
“It has left user data sitting on exposed servers, allowed app developers to abuse access to user accounts, and left bugs in code that hackers could exploit to steal data.
“On top of that, most Facebook profiles are public, which means third parties can scrape them using bots.
Data security and privacy was never high in the minds of the Facebook developers when they built the platform.
“On the other hand, the platform was all about monetizing the users’ data,” When you design products or platforms that start with no attention to security and privacy.
