What Really Caused Facebook’s 500 Million User Data Leak?


Since Saturday, a massive trove of Facebook data has been circulating publicly, exposing information on approximately 533 million Facebook users on the Internet. The data includes profile names, Facebook ID numbers, email addresses, and phone numbers. Each of these may already have been leaked or obtained from another source, but this dataset is yet another resource that ties all of that data together – and ties it to each victim – handing neat profiles to crooks, phishers and spammers on a silver platter.

Facebook’s initial response was simply that the data had already been reported in 2019 and that the company had fixed the underlying vulnerability in August of this year. Old news. But a closer look at exactly where this data came from produces a much murkier picture. In fact, the data, which first surfaced on the criminal dark web in 2019, came from a breach that Facebook did not meaningfully disclose at the time and did not fully acknowledge until Tuesday night, in a blog post attributed to Director of Product Management Mike Clark.

One source of confusion was that Facebook has had a number of breaches and exposures that this data could have come from. Was it the 540 million records – including Facebook IDs, comments, likes, and reaction data – exposed by a third party and disclosed by the security company UpGuard in April 2019? Or was it the 419 million Facebook user records, including hundreds of millions of Facebook phone numbers, names and IDs, pulled from the social network by bad actors before a Facebook policy change in 2018, which were publicly exposed and reported by TechCrunch in September 2019? Did it have anything to do with the Cambridge Analytica third-party data-sharing scandal from 2018? Or was it somehow related to the huge 2018 Facebook data breach, which compromised the access tokens and virtually all personal data of about 30 million users?

In fact, the answer appears to be none of the above. As Facebook finally explained in detailed comments to WIRED and in its blog post on Tuesday, the recently public trove of 533 million records is an entirely different dataset, which attackers created by abusing a flaw in Facebook’s address-book contact-import feature. Facebook says it fixed the vulnerability in August 2019, but it is not known how many times the bug was exploited before then. In addition to information on over 500 million Facebook users in over 106 countries, the data also contains Facebook IDs, phone numbers, and other information about early Facebook users such as Mark Zuckerberg and US Secretary of Transportation Pete Buttigieg, as well as EU Data Protection Commissioner Didier Reynders. Other victims include 61 people who list the Federal Trade Commission and 651 people who list “Attorney General” in their contact details on Facebook.
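As an added illustration, not part of the original article, this is the kind of server-side check a platform could run over contact-import logs to spot bulk abuse of such a feature. It assumes (the article does not say so) that the abuse worked by submitting very large, mostly consecutive lists of candidate numbers; the thresholds, event format and sample data are constructed.

```python
"""Flag contact-import sessions that look like phone-number enumeration.

Constructed example: each event is one import request with the list of
phone numbers the client submitted.  A genuine address book is small and
its numbers are unrelated; an enumeration run submits huge lists whose
numbers are mostly consecutive.  Thresholds below are illustrative assumptions.
"""
from collections import defaultdict

MAX_CONTACTS_PER_ACCOUNT = 2000   # assumption: generous upper bound for a real address book
MAX_SEQUENTIAL_RATIO = 0.5        # assumption: share of numbers adjacent to another submitted one


def sequential_ratio(numbers):
    """Fraction of numbers whose immediate predecessor or successor was also submitted."""
    s = set(numbers)
    if not s:
        return 0.0
    adjacent = sum(1 for n in s if (n - 1) in s or (n + 1) in s)
    return adjacent / len(s)


def flag_enumeration(events):
    """Aggregate import requests per account; return accounts that look abusive.
    events: iterable of (account_id, [phone numbers as ints])."""
    per_account = defaultdict(list)
    for account, numbers in events:
        per_account[account].extend(numbers)
    flagged = {}
    for account, numbers in per_account.items():
        distinct = set(numbers)
        ratio = sequential_ratio(distinct)
        reasons = []
        if len(distinct) > MAX_CONTACTS_PER_ACCOUNT:
            reasons.append(f"{len(distinct)} distinct numbers submitted")
        if ratio > MAX_SEQUENTIAL_RATIO:
            reasons.append(f"{ratio:.0%} of numbers are consecutive")
        if reasons:
            flagged[account] = reasons
    return flagged


# Constructed sample: one ordinary user, one account walking a number block in batches.
SAMPLE_EVENTS = [("user_a", [14155550123, 14155559876, 12125550101])] + [
    ("scraper_1", list(range(12025550000 + i * 500, 12025550000 + (i + 1) * 500)))
    for i in range(6)
]

if __name__ == "__main__":
    for account, reasons in flag_enumeration(SAMPLE_EVENTS).items():
        print(account, "->", "; ".join(reasons))
```

Batching across many requests is why the check aggregates per account rather than per request; a scraper that keeps each upload small still accumulates an implausible, sequential total.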

You can check whether your phone number or email address was exposed in the leak on the breach-tracking site HaveIBeenPwned. For the service, founder Troy Hunt reconciled and ingested two different versions of the dataset that were circulating.

“When there is an information vacuum on the part of the organization involved, everyone is speculating and there is confusion,” says Hunt.

The closest Facebook had previously come to acknowledging the source of this breach was a comment in a fall 2019 news article. In September, Forbes reported on a related vulnerability in Instagram’s mechanism for importing contacts. The Instagram bug revealed the names, phone numbers, Instagram handles, and account numbers of users. At the time, Facebook told the researcher who disclosed the vulnerability that Facebook’s security team was “already aware of the problem due to an inside discovery.” A spokesperson told Forbes at the time, “we changed the importer of contacts on Instagram to avoid potential abuse. We are grateful to the researcher who raised this question.” Forbes noted in the September 2019 article that there was no evidence the vulnerability had been exploited, but also no evidence that it had not.
