An estimated 32 million of the half-billion Facebook account records posted online were tied to US-based accounts.
More than 533 million Facebook users had their personal information posted to a public hacker forum, a move that is raising concerns about an uptick in cybercrime leveraging the credentials.
The publicly released Facebook user data is believed to be part of a 2019 “Add Friend” Facebook security bug exploited by hackers at the time. The flaw allowed criminals to siphon hundreds of millions of member account details from Facebook and sell them to the highest bidder on illicit online markets.
As of this weekend, the data is now accessible to anyone for under $3, or essentially free. The types of data include Facebook user mobile phone numbers, their Facebook ID, name and gender information.
Alon Gal, CTO at Hudson Rock, is credited with first spotting the 533 million account records. Originally, the dataset was searchable for a price, according to ads seen on the secure messaging app Telegram. Now, that same data is available on public online forums frequented by criminals for anyone to abuse, Gal noted.
“Bad actors will certainly use the information for social engineering, scamming, hacking and marketing,” he tweeted.
Facebook acknowledged the public availability of the stolen data and shared a statement with the Associated Press. “This is old data that was previously reported on in 2019 … We found and fixed this issue in August 2019,” Facebook told the AP.
Leaky databases, breaches and bugs dominated Facebook in 2019. It’s unclear from Facebook’s statement what precise incident it is referring to.
In December 2019, Facebook reported a hacked database containing the names, phone numbers and Facebook user IDs of 267 million platform users. The data, according to researchers at the time, was stolen from Facebook’s developer API before the company restricted API access to phone numbers and other data in 2018.
In 2019, security researcher Bob Diachenko theorized that the data was stolen from Facebook’s developer API – used by app developers to access user profiles and connected data – before the company restricted developer access to phone numbers and other data in 2018.
Other possibilities include a glitch in Facebook’s API that let criminals access user IDs and phone numbers even after access was restricted in 2018. Another theory was that the data had been scraped from publicly visible profile pages, researchers said.
Then in September 2019, an open server was discovered leaking hundreds of millions of Facebook user phone numbers. And in April 2019, researchers found two separate datasets, held by two app developers (Cultura Colectiva and At the Pool). The actual data source for the records (like account names and personal data) in these databases was Facebook.
Content Scraping Via API
Using weaknesses in application programming interfaces to harvest data has become a common practice for data brokers and hackers alike.
“Content scraping is a common attack pattern,” said Michael Isbitski, technical evangelist at Salt Security, via email. “Organizations often build or integrate APIs, without fully considering the abuse cases of the APIs.”
Isbitski said that APIs are often designed to increase adoption and grow a business by making it easy for others to build complementary technology and systems. Data sets, in this case Facebook profile data, can also be useful in other types of automated attacks, such as brute forcing or credential stuffing to achieve account takeover, he said.
“At the very least, the data is also useful to attackers for phishing campaigns and social engineering. Organizations must protect the APIs, monitoring consumption continuously, in order to take such malicious activity as content scraping or authorization bypasses,” Isbitski said.
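The continuous consumption monitoring Isbitski recommends can be approximated from ordinary API access logs. The script below is an added example, not code from Threatpost, Facebook, Salt Security or Hudson Rock: it aggregates per-client activity on a lookup endpoint and flags clients that show the fingerprint of enumeration-style scraping (high request rate, a large number of distinct lookup keys, and a high share of lookups that match no account). The log format, the endpoint path `/v1/profile/lookup`, the client names and the thresholds are all assumptions chosen for the demonstration, and the log lines are constructed sample data.

```python
"""Heuristic detection of enumeration-style API scraping from access logs.

Added example; not the code of any company named in the article. The log
format, endpoint name, client names and thresholds are assumptions, and the
sample log is constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Assumed log format: "<ISO time> <client_key> <endpoint> <lookup_key> <http_status>"
LOOKUP_ENDPOINT = "/v1/profile/lookup"  # assumed phone-to-profile lookup path


def _build_sample_log() -> str:
    """Constructed sample log: two ordinary clients plus one client that walks a
    block of 200 phone numbers, 80% of which match no account (HTTP 404)."""
    lines = [
        "2021-04-05T10:00:00 app-A /v1/profile/lookup +15550001 200",
        "2021-04-05T10:00:20 app-A /v1/profile/lookup +15550002 200",
        "2021-04-05T10:00:40 app-A /v1/friends/list - 200",
        "2021-04-05T10:02:00 app-B /v1/profile/lookup +15550077 200",
    ]
    start = datetime(2021, 4, 5, 10, 5, 0)
    for i in range(200):
        ts = (start + timedelta(seconds=i)).isoformat()
        status = 200 if i % 5 == 0 else 404
        lines.append(f"{ts} app-C {LOOKUP_ENDPOINT} +1555100{i:03d} {status}")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


@dataclass
class ClientStats:
    requests: int = 0
    not_found: int = 0
    distinct_keys: Set[str] = field(default_factory=set)
    first: Optional[datetime] = None
    last: Optional[datetime] = None


def parse_line(line: str):
    ts, client, endpoint, key, status = line.split()
    return datetime.fromisoformat(ts), client, endpoint, key, int(status)


def aggregate(lines: List[str], endpoint: str = LOOKUP_ENDPOINT) -> Dict[str, ClientStats]:
    """Per-client request volume, key cardinality and miss count on one endpoint."""
    stats: Dict[str, ClientStats] = defaultdict(ClientStats)
    for line in lines:
        if not line.strip():
            continue
        ts, client, ep, key, status = parse_line(line)
        if ep != endpoint:
            continue
        s = stats[client]
        s.requests += 1
        s.distinct_keys.add(key)
        if status == 404:
            s.not_found += 1
        s.first = ts if s.first is None else min(s.first, ts)
        s.last = ts if s.last is None else max(s.last, ts)
    return stats


def flag_scrapers(stats: Dict[str, ClientStats], max_rate_per_min: float = 30.0,
                  min_distinct: int = 50, max_miss_ratio: float = 0.5) -> Dict[str, List[str]]:
    """Flag a client when at least two of three scraping signals fire.

    The observation window is floored at one minute so that a single request
    in a one-second window is not reported as a 60/min burst."""
    flagged: Dict[str, List[str]] = {}
    for client, s in stats.items():
        window_min = max((s.last - s.first).total_seconds() / 60.0, 1.0)
        rate = s.requests / window_min
        miss_ratio = s.not_found / s.requests
        reasons = []
        if rate > max_rate_per_min:
            reasons.append(f"rate {rate:.0f}/min")
        if len(s.distinct_keys) >= min_distinct:
            reasons.append(f"{len(s.distinct_keys)} distinct lookup keys")
        if miss_ratio > max_miss_ratio:
            reasons.append(f"{miss_ratio:.0%} of lookups returned 404")
        if len(reasons) >= 2:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    for client, reasons in flag_scrapers(aggregate(SAMPLE_LOG.splitlines())).items():
        print(f"{client}: {'; '.join(reasons)}")
```

Requiring two of the three signals keeps a busy but legitimate partner (high rate, many distinct keys, almost no misses) from being flagged on volume alone, while the high 404 share is what distinguishes blind enumeration from a client looking up numbers it already knows. Thresholds should be tuned per integration; the values here are only illustrative.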
How to Check if Your Facebook Account is One of the 533M Affected
Hudson Rock’s Gal said the data he found represent users in 106 countries, with 32 million based in the United States. Each of the records contained Facebook IDs, full names, mobile phone numbers, user locations, past locations, birthdates and email addresses.
By Monday, breach notification site Have I Been Pwned began allowing people to check if any of their personal information was part of the data dump. Site publisher Troy Hunt said via Twitter that his site is currently only allowing visitors to check their status using an email address. That, he admits, will only be so useful, given that only 2.5 million out of the 533 million Facebook member records also included an email address.
Hunt said he is actively looking for ways to allow people to search the dataset via their phone number. “I’m still considering what to do with the phone numbers,” he said.