On April 3, a massive trove of 533 million Facebook users' personal information was publicly posted on a cybercrime forum.
The data includes profile names, Facebook ID numbers, dates of birth, email addresses, and phone numbers, and was obtained by abusing a feature before Facebook fixed it in 2019.
Facebook, which didn't disclose the incident when it happened back then, has said it has no plans to notify users about the leak, stating "it was not confident it had full visibility on which users would need to be notified."
But how was this data collected in the first place? That's where things get murky, as the social media company has dealt with multiple privacy-invading breaches over the past few years (Cambridge Analytica, anyone?) and the data could have originated from any of those incidents.
Facebook's Product Management Director Mike Clark, however, said "the data in question was scraped from people's Facebook profiles by malicious actors using our contact importer prior to September 2019." Specifically, malicious actors were able to upload a huge set of phone numbers to the tool to see which ones matched Facebook users, and then collect the information those users had in their public profiles.
In other words, the bug enabled attackers to link phone numbers, including numbers the attacker had simply guessed, to the names and public profile details of Facebook users.
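To make the query-abuse pattern concrete, here is an added illustration written for this newsletter; it is not Facebook's code and makes no claim about how its contact importer was built or fixed. A toy lookup service is shown in a naive form (no batch cap, no per-account budget, no opt-out check) and in a hardened form whose mitigations (a cap on contacts per upload, a sliding-window budget per account, and a per-user discoverability flag) are assumptions chosen to show how the same scrape is cut short. The user directory and phone numbers are constructed sample data.

```python
import time
from collections import defaultdict

# Constructed sample directory: fake numbers and names, nothing real.
USERS = {
    "+15550000101": {"name": "Alice Example", "discoverable": True},
    "+15550000102": {"name": "Bob Example", "discoverable": True},
    "+15550000103": {"name": "Carol Example", "discoverable": False},
}

WINDOW_SECONDS = 3600


def naive_lookup(numbers):
    """Vulnerable form: no batch cap, no per-account budget, no opt-out
    check. Every uploaded number that belongs to a user is resolved."""
    return {n: USERS[n]["name"] for n in numbers if n in USERS}


class HardenedImporter:
    """Hardened form (assumed mitigations, not Facebook's actual fix):
    a cap on contacts per upload, a sliding-window budget of looked-up
    numbers per account, and a per-user discoverability flag that is
    honoured before anything is returned."""

    MAX_BATCH = 100        # assumed: contacts per upload
    MAX_PER_WINDOW = 500   # assumed: numbers per account per hour

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.seen = defaultdict(list)  # account -> one timestamp per number

    def lookup(self, account, numbers):
        if len(numbers) > self.MAX_BATCH:
            raise ValueError(f"batch of {len(numbers)} exceeds {self.MAX_BATCH}")
        now = self.clock()
        recent = [t for t in self.seen[account] if now - t < WINDOW_SECONDS]
        if len(recent) + len(numbers) > self.MAX_PER_WINDOW:
            raise PermissionError(f"{account} exhausted its lookup budget")
        self.seen[account] = recent + [now] * len(numbers)
        return {n: USERS[n]["name"] for n in numbers
                if n in USERS and USERS[n]["discoverable"]}


def enumerate_range(lookup, prefix, count, batch):
    """The abuse: walk a contiguous block of numbers and keep the matches.
    Returns (matches, numbers_submitted, error_name) so the reader can see
    exactly where the hardened service stops the scrape."""
    matches, submitted = {}, 0
    candidates = [f"{prefix}{i:04d}" for i in range(count)]
    try:
        for i in range(0, len(candidates), batch):
            chunk = candidates[i:i + batch]
            matches.update(lookup(chunk))
            submitted += len(chunk)
    except (ValueError, PermissionError) as exc:
        return matches, submitted, type(exc).__name__
    return matches, submitted, None


def compare():
    """Run the same 10,000-number scrape against both services."""
    naive = enumerate_range(naive_lookup, "+1555000", 10_000, batch=10_000)
    hardened = HardenedImporter()
    throttled = enumerate_range(
        lambda nums: hardened.lookup("attacker", nums), "+1555000", 10_000, batch=100)
    return naive, throttled


if __name__ == "__main__":
    naive, throttled = compare()
    print("naive   :", naive)      # all three users resolved, 10,000 numbers tried
    print("hardened:", throttled)  # Alice and Bob only, stopped after 500 numbers
```

The naive service resolves every user in the directory, including the one who opted out of discovery, after a single upload. The hardened one never returns the opted-out user and refuses further lookups once the caller has spent its hourly budget; in practice a scraper would also be slowed by the batch cap, which is why both controls belong together.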
While Facebook said this query-abuse issue was fixed in August of that year, it's unclear how many times the bug was exploited before the patch was put in place. It's equally worth noting that the vulnerability was brought to its attention as early as 2012, then in 2017, and again in 2019, meaning Facebook had several years to fix the problem.
Complicating the matter is the lack of disclosure from the side of Facebook, which acknowledged a related vulnerability in Instagram's import contacts functionality the next month.
"There is no evidence that any user data has been exploited or abused using this vulnerability — but, then again, there is no evidence that it hasn't," Forbes' Zak Doffman wrote at that point.
But multiple reports from CNET (which Facebook also links in its statement) and TechCrunch in September 2019 point to a persistent exploitation of its search tools for mass scraping, indicating this was not an isolated case.
The Irish Data Protection Commission (DPC) said in a statement that it "received no proactive communication from Facebook" regarding the breach, but noted the company had admitted to datasets acquired by large-scale scraping between June 2017 and April 2018 using its phone lookup functionality, a window that closed a month before the E.U. General Data Protection Regulation (GDPR) came into effect in May 2018.
The timing ("prior to September 2019") also matters because if the breach occurred after GDPR came into effect, Facebook could be liable for fines for failing to report the incident to the relevant regulators within 72 hours. This may be another reason why Facebook is trying to reframe the security failure as "not hacking" but rather a violation of its terms.
The DPC is said to be currently examining if the dataset referred to is indeed the same as that reported in 2019. Russia's telecommunications watchdog, Roskomnadzor, has also asked Facebook to provide "complete information" about the leak.
What's more, in 2019, Facebook struck a $5 billion settlement with the FTC, whose complaint alleged, among other things, that the company pushed users into providing phone numbers it said would be used exclusively for two-factor authentication, when in reality Facebook was also using the numbers to target those users with advertising.
If anything, the data breach is another reminder that data once leaked will always be around, as threat actors mash different data sets pulled from multiple sources together, or sell them in chunks in an attempt to make a quick profit in various criminal forums.
Like I mentioned in my previous newsletter, phone numbers were never meant to be used as identities, but they have become increasingly ubiquitous, linking different aspects of our digital life and even playing a vital role in receiving two-factor authentication codes, thereby making them valuable to adversaries.
Facebook may be keen to shrug this off as a non-story and downplay the seriousness of the leak, but just because the data is old doesn't make it any less valuable, unless affected users have since changed their phone numbers or email addresses. (How often do people change their phone numbers? More importantly, how can you expect people to change their numbers when you have not told them about the breach?)
But what's worse is the company's attempts to pass the blame to its users for making the information publicly available on their profiles in the first place and failing to update the "How People Find and Contact You" control — especially considering how confusing the company's settings can get.
What’s trending in Security
🇪🇺 Multiple European Union institutions including the European Commission were hit by a significant cyber-attack last week. [Bloomberg]
💳 Global payments processor VISA warned that threat actors are increasingly deploying web shells on compromised servers to exfiltrate credit card information stolen from online store customers. [Bleeping Computer]
⚠️ Workflow and collaboration tools like Slack and Discord have been infiltrated by threat actors, who are abusing their legitimate functions for command-and-control communications, and to deliver a variety of remote-access trojans (RATs). In a related development, researchers found that attackers are using services such as Google Forms and Telegram to obtain user data stolen during phishing attacks. [Cisco Talos / Group-IB]
🇮🇳 Malicious Android apps disguised as TikTok and offers for free Lenovo laptops are being used in a new wave of attacks underway against devices on the Jio telecom network in India. [Zscaler]
💲 The Swarmshop became the latest underground forum to be hit by hackers, who managed to steal the card shop's database of stolen payment-card data and leak it online on March 17. "The database was posted on a different underground forum and contained 12,344 records of the card shop admins, sellers and buyers including their nicknames, hashed passwords, contact details, history of activity, and current balance."
Worse, it also exposed the "compromised data traded on the website, including 623,036 payment card records issued by the banks from the USA, Canada, the UK, China, Singapore, France, Brazil, Saudi Arabia, Mexico; 498 sets of online banking account credentials and 69,592 sets of U.S. Social Security Numbers and Canadian Social Insurance Numbers." [Group-IB]
💵 Facebook ran malicious ads on its platform that masqueraded as Clubhouse app for PC users in an attempt to lure users with ransomware. [TechCrunch]
🇿🇦 A previously undocumented backdoor attributed to the Lazarus Group, dubbed Vyveva, has been found deployed in a targeted attack against a freight logistics company in South Africa. [ESET]
❌ The operators behind Ziggy ransomware called it quits, offering refunds to victims who paid ransom to the group. "We decided to return victims’ money because we fear law-enforcement action," said one of the developers to Threatpost's Becky Bracken. [Threatpost]
🌐 IoT manufacturer Ubiquiti downplayed a "catastrophic" breach in January in which the attacker gained root access to its AWS accounts and, through them, access to countless devices. The company has since all but confirmed the incident and said it has "well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure." [Brian Krebs]
🇮🇷 A threat actor known as Charming Kitten has been behind a late-2020 phishing campaign targeting senior medical professionals who specialize in genetic, neurology, and oncology research in the United States and Israel. [Proofpoint]
🇳🇱 The Netherlands Data Protection Authority fined Booking.com €475,000 for failing to report on time a data breach in which criminals accessed the data of 4,109 people who had booked a hotel room via the website. [Autoriteit Persoonsgegevens]
🚨 COVID-19 themed phishing attacks continue to dominate the threat landscape, with the pandemic-themed lures linked to intrusion activity targeting Vietnamese entities from late 2020 through early 2021. [Domain Tools]
🛡️ Google said its open source version of the Android operating system will add support for Rust programming language in a bid to prevent memory safety bugs. [The Hacker News]
🗄️ The past two weeks in data breaches, leaks, and ransomware: Clubhouse, Fabre, LinkedIn, and Shell.
98%
In the aftermath of the SolarWinds hack, threat actors are increasingly turning to the supply chain and partner ecosystem to mount a variety of attacks. According to new research published by Proofpoint, 98% of nearly 3,000 monitored organizations across the U.S., UK, and Australia received a threat from a supplier domain over a 7-day window in February 2021.
"While no organization is immune to threats from supplier domains, large organizations tend to be targeted more," the cybersecurity firm said. "Not only do F1000 customers receive mail from twice as many supplier domains as the average customer, and thus have greater exposure to threats from impersonated and compromised suppliers, but they are also targeted by a higher proportion of supplier domains."
And that's it. See you next week!
-Ravie