419 million Facebook users info exposed, phone numbers and unique IDs
Unprotected databases are behind a leak that exposed information,
including unique identifiers and phone numbers, on more than 419 million
Facebook users – 133 million of those records belonging to users in the U.S.

Security researcher Sanyam Jain, a GDI
Foundation member, discovered the databases, which were not password-protected.
The records were apparently scraped from the social media platform more than a
year ago before the company "made changes last year to remove people's
ability to find others using their phone numbers," a TechCrunch report
cited a Facebook spokesman as saying.

“Think hard before giving your phone number to any social
networking business – they are in the business of aggregating and monetizing
consumer data,” warned Lucy Security CEO Colin Bastable. “And the phone number
can be used to compromise your account. Online businesses often ask for the
number ‘in case you need to recover access to your account.’”

Jonathan Bensen, CISO at Balbix, said, “Armed with phone numbers, a threat
actor can hijack accounts associated with that number by having password reset
codes sent to the compromised phone as well as attempt to trick automated
systems from victims’ banks, healthcare organizations, and other institutions
with sensitive data into thinking the attacker is the victim.” Bensen
contended, “Exposed individuals
even put their employers at risk; attackers can leverage stolen numbers to
obtain unauthorized access to work email and potentially expose more data.”

The exposed data is the latest in a string of privacy and
data protection missteps by Facebook, which had fallen under intense scrutiny after
it suspended Cambridge Analytica
—the data analytics firm used by the Trump and Brexit campaigns to target
voters—for violating its policies when it collected the personal data from
accounts of 50 million Americans without their permission.

In July, the Federal Trade Commission (FTC) penalized Facebook $5 billion as
punishment for what it described as deceptive privacy practices, and imposed
new restrictions on the social media giant. Facebook likewise announced that it
had agreed to the terms of the deal.

Just last week the social media giant released a string of
emails related to data
scraping that discuss its internal conversation over the possibility
that some Facebook contractors were violating the company’s terms of service
when extracting data from profiles.

The documents were released due to an agreement between Facebook and the District of
Columbia attorney general’s office. Facebook originally refused the attorney
general’s request for the documents to be released as they were part of court
filings in connection with the attorney general’s lawsuit against Facebook over
the Cambridge Analytica breach. However, last week the two sides came to terms
and Facebook agreed to release redacted versions. The information contained in
these emails had already been included in court documents filed previously.

But Facebook is hardly alone in
sketchy privacy practices. “Microsoft’s LinkedIn does the same thing. So many people and
organizations pay have access to data that Facebook,
Alphabet and Twitter hold, and collectively Big Tech has an atrocious record of
securing data,” Bastable noted.

He pointed out that “we have just learned about Google running
secret web pages to aggregate and sell consumer data for targeted advertising,”
contending “there is no altruistic purpose in requesting or holding consumer
data – everything is for sale.”