Since April 3, 2021, several reports have emerged of a trove of data belonging to Facebook users that had been leaked online for free. The data consists mainly of mobile phone numbers but also includes names, emails, gender information, occupations, and several location identifiers. The stolen data first emerged on an underground hacking forum in July 2020, when one member began selling the information to other members.
The sale of data on such forums is standard practice for those stealing sensitive data from other organizations. This instance was notable, however, because while much of the information could have been scraped from public-facing user profiles, the mobile numbers associated with the accounts were private. That means they should not have been accessible in the same manner as the information on public profiles. In total the sold data covered 533,313,128 Facebook users. Researchers discovered that the large majority of the stolen records included a private mobile number as well as a Facebook ID, a name, and the member's gender.
As to how the private data was accessed, Facebook has made no effort to enlighten the infosec community or its user base. Facebook has acknowledged that there was a data breach; however, the messages given to the media have been inconsistent, claiming that the data dates back to a data breach in 2019 and/or that the data was scraped in 2019. This still does not explain how the hacker was able to gain access to information that is private. For readers, Facebook's response to the matter may be reminiscent of the Cambridge Analytica fiasco, which dates back to October 2018, or of any of the several previous significant data breaches and the company's questionable handling of the eventual fallout.
Facebook's response will be the subject of many op-eds in the coming days and is not the focus of this article. Returning to how the hacker may have gained access to private data: speaking to Bleeping Computer, the CTO of cybercrime intelligence firm Hudson Rock said he believes the hacker exploited, in 2019, a now-patched vulnerability in Facebook's "Add Friend" feature that allowed them to gain access to members' phone numbers. Whether all the stolen data was obtained in this way, or only the private data, which was later combined with scraped data, is not yet known.
The hacker who initially released the data in 2020 could have demanded as much as 30,000 USD for the information upon release. This price would have decreased over time to the point where we are now, with the data being offered for practically free. To be more accurate, the hacker wants eight of the forum's in-house credits, a little over 2 USD. This is the natural life cycle of stolen data, which may first be auctioned off in a private sale, then offered to the public on a forum. Over time the price naturally drops until the data is offered for free.
Data to Supplement Attacks
Initially demanding 30,000 USD for a set of data, even one as large as this, excludes the large majority of hackers. By offering the data for free, that majority now has access to what previously only a few had. What makes this a major threat to those whose data was leaked is that they are now exposed to a host of different cyber-attacks, including phishing attacks using the leaked email addresses and smishing (mobile text phishing) attacks using the leaked mobile numbers. Phishing attacks are made possible by the attacker having access to just an email address.
Threat actors can also use mobile numbers and leaked info to perform SIM swap attacks to steal multi-factor authentication codes sent via SMS. It is strongly advised that Facebook users be very wary of strange emails or texts that require the recipient to click on a link. These messages may look like a legitimate request that the recipient provide important information for security purposes. They may even redirect to an official-looking form or signup page, but they are attempts to steal sensitive information.
Since the release of the data became public knowledge, Troy Hunt of Have I Been Pwned has added the ability to check mobile phone numbers on the website to see if they have been compromised. Previously only email addresses could be entered to check if information had been compromised in the Facebook data breach as well as others. Given that in this latest instance the majority of compromised records included a mobile number, many victims, namely those whose only compromised item was a mobile number, would previously have passed the check.
This could potentially lead to a false sense of security. Note that when using the site and entering a mobile number, it is important to enter the number in international format. Knowing that your data has been exposed will not prevent attacks from being carried out, but it does warn users to be on the lookout for phishing attempts. Forewarned is forearmed, as the saying goes.
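The lookup only works if everyone spells the number the same way, which is why the international format matters. The following is an added example, not code from the article or from Have I Been Pwned: it normalises a phone number to E.164-style "+<country code><subscriber>" before a lookup. It assumes that numbers without a "+" or "00" prefix are national numbers in a caller-supplied default country and that a single leading "0" is a trunk prefix to drop; the sample numbers are constructed.

```python
import re
from typing import List, Optional

# Constructed sample input (not from the article): one fictitious UK mobile
# number written five different ways, as users would type it into a lookup.
SAMPLE_INPUTS = [
    "+44 7700 900123",
    "0044 7700 900123",
    "07700 900123",
    "(07700) 900-123",
    "+44 (0)7700 900123",
]


def to_international(raw: str, default_country_code: str = "44") -> Optional[str]:
    """Normalise a phone number to E.164-style '+<country><subscriber>'.

    Assumption (not from the article): a number with no '+' or '00' prefix is a
    national number in default_country_code, and a single leading '0' is a
    trunk prefix that is dropped. Returns None when the digit count cannot be
    a valid number (E.164 allows at most 15 digits).
    """
    s = raw.strip()
    # Drop the "(0)" trunk-prefix hint often written after a country code.
    s = re.sub(r"\(0\)", "", s)
    has_plus = s.startswith("+")
    digits = re.sub(r"\D", "", s)
    if not digits:
        return None
    if has_plus:
        number = digits                      # already international
    elif digits.startswith("00"):
        number = digits[2:]                  # 00 = international dial prefix
    elif digits.startswith("0"):
        number = default_country_code + digits[1:]   # drop trunk prefix
    else:
        number = default_country_code + digits       # national, no prefix
    if not 8 <= len(number) <= 15:
        return None
    return "+" + number


def normalise_all(numbers: List[str], default_country_code: str = "44") -> List[Optional[str]]:
    """Normalise a batch of user-entered numbers; all five samples collapse to one value."""
    return [to_international(n, default_country_code) for n in numbers]
```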
Facebook under Investigation
One of the latest bits of news to emerge from the ongoing saga is that Ireland’s Data Protection Commission (DPC) announced that it had opened investigations into the matter. The announcement states,
“A dataset, appearing to be sourced from Facebook, has appeared on a hacking website this weekend for free and contains records of 533 million individuals. A significant number of the users are EU users. Much of the data appears to have been data scraped some time ago from Facebook public profiles.
Previous datasets were published in 2019 and 2018 relating to a large-scale scraping of the Facebook website which at the time Facebook advised occurred between June 2017 and April 2018 when Facebook closed off a vulnerability in its phone lookup functionality. Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR.”
According to the announcement, Facebook responded to the DPC by saying,
“……… based on our investigation to date, we believe that the information in the data-set released this weekend was publicly available and scraped prior to changes made to the platform in 2018 and 2019. As I am sure you can appreciate, the data at issue appears to have been collated by third parties and potentially stems from multiple sources. It therefore requires extensive investigation to establish its provenance with a level of confidence sufficient to provide your Office and our users with additional information.”
It is not only Facebook that seems to be struggling to keep private data private. Only two days after reports began emerging regarding the Facebook data leak, OnlyFans, a popular platform for content creators to provide adult-orientated content, also suffered a breach. According to reports, a Google Drive was posted online containing private videos and images from hundreds of OnlyFans accounts. The file is believed to be over 10 GB in size and contains videos and photos belonging to 279 content creators. Speaking to Bleeping Computer, BackChannel founder Aaron DeVera summarised potential flaws in how both the platform and its users share content, noting that,
“It is not uncommon for subscribers of OnlyFans creators to share files. OnlyFans has somewhat weak content controls around their content, and there are plenty of bots and scrapers a legitimate subscriber can use. What makes this unique is that so many users were bundled in one folder…This implies that multiple contributors likely added to the cache, or that the uploader sourced the content from multiple leaks. We do not assess that the poster on RaidForums is the original uploader of the Google Drive content.”
To help content creators find out if they are a victim of the data leak, BackChannel has created a lookup tool. The tool scans through the file to see if any content matches the content creator's username. From there it is up to content creators to file copyright infringement claims, which unfortunately can be tedious, especially if the leaked content includes several videos and photos.