Facebook ducks calls to apologise over huge data leak

by Jeremy

Facebook has attempted to deflect criticism of its data security practices while ducking calls to apologize for a leak of personally identifiable information (PII) on hundreds of millions of its users after malicious actors abused a contact-finding feature. The feature was meant to help users find friends to connect with by importing the contact lists from their mobile phones. Facebook believes the data was taken through this contact importer before September 2019.

It said malicious actors used software that imitated the Facebook app to upload large sets of phone numbers and see which ones matched Facebook accounts. Each hit gave them a profile to query, from which they scraped whatever information the user had left public. Facebook closed this loophole in September 2019.
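The abuse pattern above is contact-discovery enumeration: a legitimate endpoint answers "which of these numbers belong to users?", and a fake client feeds it a numbering plan instead of an address book. The following is an added illustration, not Facebook's code, of a hypothetical matcher in its weak form beside a hardened one that caps batch size, charges a per-caller daily quota and honours a per-user discoverability setting. The user directory, caller names and phone numbers are constructed sample data.

```python
from collections import defaultdict


class ContactMatchError(Exception):
    """Raised when a lookup batch is refused (too large, or quota exhausted)."""


# Constructed directory: phone number -> profile. 'discoverable' stands in for a
# "who can look me up by phone number" privacy setting (hypothetical field).
USERS = {
    "+15550100": {"name": "Alice", "discoverable": True},
    "+15550101": {"name": "Bob", "discoverable": False},
    "+15550102": {"name": "Carol", "discoverable": True},
}


def match_contacts_unsafe(uploaded):
    """Weak design: any caller may submit any number of phone numbers and gets
    back every match, regardless of the user's privacy setting. A client that
    merely looks like the mobile app can sweep millions of numbers this way."""
    return {p: USERS[p]["name"] for p in uploaded if p in USERS}


class ContactMatcher:
    """Hardened matcher (hypothetical). Enforces:
      - a batch-size cap sized for a real address book, not a number range;
      - a per-caller daily quota on numbers looked up, so one fake client cannot
        enumerate a country's numbering plan;
      - the matched user's own discoverability setting."""

    def __init__(self, max_per_request=500, max_per_day=5000):
        self.max_per_request = max_per_request
        self.max_per_day = max_per_day
        self._used = defaultdict(int)  # caller_id -> numbers charged today

    def match(self, caller_id, uploaded):
        numbers = set(uploaded)  # duplicates in one batch cost one lookup
        if len(numbers) > self.max_per_request:
            raise ContactMatchError(
                f"batch of {len(numbers)} exceeds {self.max_per_request}")
        if self._used[caller_id] + len(numbers) > self.max_per_day:
            raise ContactMatchError(f"daily lookup quota exhausted for {caller_id}")
        self._used[caller_id] += len(numbers)  # charge even if nothing matches
        return {p: USERS[p]["name"] for p in numbers
                if p in USERS and USERS[p]["discoverable"]}

    def remaining(self, caller_id):
        """Lookups this caller may still make today."""
        return self.max_per_day - self._used[caller_id]


if __name__ == "__main__":
    sweep = ["+15550100", "+15550101", "+15550999"]
    print("unsafe:", match_contacts_unsafe(sweep))  # returns Bob despite his setting
    m = ContactMatcher(max_per_request=2, max_per_day=3)
    print("hardened:", m.match("fake-app", sweep[:2]), "remaining:", m.remaining("fake-app"))
```

The quota is charged on numbers submitted, not on matches, because a scraper's misses are the cost it should pay; charging only hits would let a range sweep run for free until it found users.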

In a statement, Facebook’s product management director, Mike Clark, said: “It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform before 2019.”

Clark elaborated on the difference between scraping and hacking, saying there was “still confusion about this data.” But he did not acknowledge the concerns of Facebook users or apologize to the approximately 533 million individuals who, thanks to Facebook’s easily abused system, had their data compromised.

“We’re focused on protecting people’s data by working on getting this data set taken down and will continue to aggressively go after malicious actors who misuse our tools wherever possible,” said Clark.

“While we can’t always prevent data sets like these from recirculating or new ones from appearing, we have a dedicated team focused on this work.”

Zero tolerance

Adam Enterkin, senior vice president for global sales at BlackBerry, said breaches of any size – let alone one affecting half a billion people – should no longer be tolerated and that Facebook must take full responsibility for the data stolen.

“Organisations must not forget that all personal data in their care is equally valuable. If you collect it, protect it. It is imperative to implement appropriate security controls to keep all data safe from inappropriate or unauthorized access,” said Enterkin.

“Additionally, while it’s possible to have security without privacy, it’s impossible to have privacy without security. Privacy is about the ethical and responsible handling of personal data. This is why security is an integral part of ensuring that privacy practices can be transparent.”

Avast senior global threat communications manager Christopher Budd said that while the data theft was old news, the latest developments meant the risk to those impacted was vastly increased.

Budd described the loss of phone numbers that can be connected with email addresses as “particularly worrisome” because, for the majority of those impacted, the phone number and email combination could likely be used to obtain an SMS code to log in to their email accounts.

“This means those users are at increased risk for attackers to try SIM-swapping to redirect SMS-based codes to devices under their control and get access to the target’s email,” he said. “Because email accounts are where ‘I forgot my password’ resets go, this is the easiest, most efficient, and effective way for attackers to take over your digital life by hijacking your email account and then using that to take over your other accounts.”

“Facebook hasn’t notified users whose data has been stolen, and there’s no simple, safe way to tell if you’ve been affected,” said Budd. “Because of this, if you had a Facebook account in 2019, you should assume your data has been lost and take steps to protect yourself better.”

The best step at this point is to move the email account linked to your Facebook profile from password-only, or password plus SMS code, to password plus a time-based one-time-code authenticator app. That takes the mobile number out of the login flow entirely, so a SIM swap gains the attacker nothing, and it mitigates some of the other risks. Both Google and Microsoft provide such apps.

“Moving to an authenticator app is increasingly a recommended best practice in the security community, as attackers have found ways to counter SMS-based codes effectively, and their attacks are getting easier and cheaper for them,” said Budd. “At this point, it’s a question of when, not if, people move off of SMS-based codes to authenticator apps. This latest sizeable data breach for Facebook can and should motivate many people to do so sooner rather than later.”

One should also be more on guard than usual against attempted mobile phishing or smishing attacks. If you are likely to be a higher-value target – for instance, a healthcare worker or government employee – change your mobile number.