The data is now available on a hacker forum to download.
Another day, another data breach putting the privacy of hundreds of millions of Facebook users at risk. It all started with a database that stored a massive trove of personal information of more than 267 million (267,140,436) users.
The database was originally discovered on December 4th by IT security researcher Bob Diachenko who partnered with Comparitech security firm for a detailed analysis. According to researchers, the database was hosted on an Elasticsearch server and left exposed for public access without any password or security protocol.
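The exposure described above (an Elasticsearch node reachable from the internet with no authentication) is a configuration state that can be checked for before a server ever goes live. The following audit script is an added example written for this article, not code from the article or from Comparitech or Elastic; the two `elasticsearch.yml` fragments are constructed, the parser handles only flat `key: value` lines, and it assumes the pre-8.x default in which `xpack.security.enabled` is off unless set.

```python
"""Audit an elasticsearch.yml fragment for the misconfiguration behind many
exposed-cluster incidents: a node bound to a non-loopback interface with
authentication disabled. Constructed example, not the article's code."""

from typing import Dict, List

# Constructed config fragments for illustration; not from any real deployment.
WEAK_CONFIG = """
cluster.name: customer-data
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

HARDENED_CONFIG = """
cluster.name: customer-data
network.host: 10.0.5.12
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

# Values that keep the HTTP API on the local machine only.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_settings(text: str) -> Dict[str, str]:
    """Minimal parser for flat 'key: value' lines.
    Skips blank lines and '#' comments; nested YAML is not handled."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def audit_settings(settings: Dict[str, str], es_major: int = 7) -> List[str]:
    """Return a list of findings; an empty list means no issue was detected."""
    findings: List[str] = []
    # Elasticsearch binds to loopback when network.host is not set.
    host = settings.get("network.host", "_local_")
    # Assumption: before ES 8, xpack.security.enabled defaulted to false.
    security_default = "true" if es_major >= 8 else "false"
    security = settings.get("xpack.security.enabled", security_default).lower()
    tls = settings.get("xpack.security.http.ssl.enabled", "false").lower()

    public = host not in LOOPBACK_HOSTS
    if public and security != "true":
        findings.append(f"HTTP API reachable on {host} with authentication disabled")
    elif security != "true":
        findings.append("authentication disabled (only safe while bound to loopback)")
    if public and tls != "true":
        findings.append("HTTP API served without TLS")
    return findings


def audit(text: str, es_major: int = 7) -> List[str]:
    """Convenience wrapper: parse a config fragment and audit it."""
    return audit_settings(parse_settings(text), es_major)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```

The weak fragment produces two findings (unauthenticated API on a public bind address, and no TLS); the hardened fragment produces none. Running a check like this in a deployment pipeline, alongside firewall rules that keep port 9200 off the public internet, catches the state that left this database open for weeks.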
See: Stolen: Unencrypted hard drives with data of 29,000 Facebook employees
Although the database did not contain email addresses or passwords of Facebook users, it did provide absolute access to phone numbers associated with Facebook profiles, full names, a unique ID for each account and timestamp.
According to Comparitech’s blog post, most of the exposed data belonged to users in the United States, which should not come as a surprise since 70% of US citizens are active on Facebook; out of the country’s total population of 327.2 million, roughly 232.6 million people are on Facebook.
The most problematic aspect of this breach is that on December 14th Diachenko alerted the Internet Service Provider (ISP) managing the IP address of the server yet it remained exposed for almost two weeks.
Diachenko further revealed that the ISP’s delayed response allowed malicious actors to access the database and publish it on a hacker forum for download.
It is unclear who owned the database and how they got their hands on the phone numbers of millions of Facebook users. But evidence seen by Diachenko suggests the involvement of Vietnamese cybercriminals in an operation targeting the Facebook API.
Facebook’s API could also have a security hole that would allow criminals to access user IDs and phone numbers even after access was restricted. Another possibility is that the data was stolen without using the Facebook API at all, and instead scraped from publicly visible profile pages, said Diachenko.
Anurag Kahol, CTO at Bitglass commented on the incident and told HackRead that “Social media platforms are lucrative targets for cybercriminals due to the massive amounts of personally identifiable information (PII) that they collect and store from users. In fact, the data exposed in this incident was found on a dark web forum, leaving the affected consumers highly vulnerable to targeted phishing and credential stuffing attacks, account hijacking, and more.”
“The lasting impact is unknown and a staggering 59% of consumers admit to reusing the same password across multiple sites, even knowing the risks associated. This could give cybercriminals access to various accounts for the same individual across multiple services, rendering their digital footprint incredibly vulnerable as a result. All consumers, not just users impacted by this incident, need to make a habit of diversifying their login credentials across different accounts in order to mitigate the chances of their account being hijacked,” Anurag explained.
“Additionally, all companies can learn that it is essential to have full visibility and control over their customer data in order to prevent a breach. To do so, organizations must implement security solutions that remediate misconfigurations, enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information,” Anurag advised.
This, however, is not the first time that such a massive trove of Facebook users’ data has been exposed to the public. In fact, last month, Diachenko discovered a database with 1.2 billion people’s data scraped from social media platforms including Twitter, Facebook, LinkedIn and GitHub, a Git repository hosting service.
Elasticsearch servers, on the other hand, have a history of being exposed to the public and putting the personal data of unsuspecting users and businesses at risk. Earlier this year, personal information of more than 20 million Russian citizens was exposed on an Elasticsearch server.
In May this year, personal and payment card data, including CVV codes, of millions of Canadians was exposed after an Elasticsearch database owned by Freedom Mobile was leaked online.
See: Unsecured database leaks phone numbers of 419 million Facebook users
In December last year, another database containing personal information of 82 million Americans was exposed online. There are several other data leak related incidents involving Elasticsearch servers which can be read here.