Security researchers generally believe Facebook when the social media giant says the data breach reported over the weekend was the same one addressed in 2019. But some argue that the situation showcases why Facebook must revisit how it handles and secures personal information.
According to many published reports, the personal information of some 533 million Facebook users from 106 countries was exposed. Facebook maintains that “this is old data that was previously reported on in 2019.”
Indeed, similarities in the information exposed as part of this leak to that exposed in the original Facebook leak in 2019 would imply the data set is the same, said Timothy Chiu, vice president of marketing at K2 Cyber Security.
“We have to take Facebook at their word that they fixed the vulnerability, at least until there’s a leak with different/newer information or they report otherwise,” Chiu said. “Assuming the data being released is the same – and this time for free – there’s not really anything Facebook can do at this time.”
Ivan Righi, cyber threat intelligence analyst at Digital Shadows, added that while Facebook patched the vulnerability, exploiting the flaw before the fix let cybercriminals build an extensive database of data on millions of users. Righi said it is not a surprise that this data leak has resurfaced. Initially, the data was listed at a relatively steep price, which limited the number of threat actors able to purchase the listing. However, the breached data was probably resold multiple times since then, until the price dropped far enough that one user decided to expose it publicly to generate a small profit and build reputation.
“This activity frequently happens in criminal forums,” Righi said. “While the data may be old, it still holds a lot of value to cybercriminals. It’s likely that most phone numbers are still active and remain linked to legitimate Facebook users. Cybercriminals can use information such as phone numbers, emails, and full names to launch targeted social engineering attacks, such as phishing, vishing, or spam.” Also, because most users still work from home due to the pandemic, attacks could be especially effective if personalized to the targeted victim, he added. For example, cybercriminals could send text messages impersonating companies or banks, naming the individual within the text to add credibility and including malicious links.
Charles Herring, co-founder and chief technology officer of WitFoo, said that Facebook’s business model, which treats personal data as a commodity to be farmed and then monetized, results in criminal efforts to steal these highly coveted datasets. This leads to ongoing consequences, he said, including this leak of data, which came after the list of early buyers was exhausted.
“The business principles of Facebook created a data set where they controlled who they sold it to, with limited restrictions,” Herring said. “The initial breach made the data available to criminals willing to pay for it, and now it’s available to telemarketers, sales personnel, debt collectors, stalkers, conmen and the rest of the world. These practices have left the members of Facebook more vulnerable than ever.”