Facebook has attempted to deflect criticism of its data security practices while ducking calls to apologise for a leak of personally identifiable information (PII) on hundreds of millions of its users after malicious actors abused a contact-finding feature.
Facebook believes the data was taken using the contact importer feature prior to September 2019. This service was supposedly meant to help users of the leaky platform find their friends to connect with by importing their contact lists from their mobile phones.
It said that malicious actors supposedly used software to imitate the Facebook app and upload a large set of phone numbers to see which matched Facebook users. When they got a hit, they could query that profile to scrape information that the user had unwisely left public. Facebook locked this loophole down in September 2019.
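As an added illustration (not Facebook’s code, and not based on any knowledge of its actual controls), the following Python sketches the two server-side checks a defender would put in front of a contact-matching endpoint to make the bulk enumeration described above impractical: a per-account volume cap, and a test for the long runs of consecutive numbers that distinguish a generated list from a real address book. The registered-number directory, the limits and every phone number below are constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed demo directory: a sparse set of "registered" E.164 numbers.
REGISTERED = {f"+1555{n:07d}" for n in range(0, 1_000_000, 7)}

MAX_NUMBERS_PER_DAY = 5_000   # generous for a real address book, tiny for enumeration
MAX_SEQUENTIAL_RUN = 50       # real contact lists do not contain long consecutive runs


def longest_sequential_run(numbers):
    """Length of the longest run of consecutive integers among the numbers."""
    values = sorted({int(n.lstrip("+")) for n in numbers})
    best = run = 1
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best if values else 0


@dataclass
class ContactMatcher:
    # Numbers each account has submitted in the current window (reset daily in practice).
    uploaded_today: dict = field(default_factory=lambda: defaultdict(int))
    # Accounts that tripped a control; a real service would feed these to review/blocking.
    flagged: set = field(default_factory=set)

    def match(self, account, numbers):
        """Return the submitted numbers that belong to registered users, or a refusal."""
        numbers = set(numbers)
        if self.uploaded_today[account] + len(numbers) > MAX_NUMBERS_PER_DAY:
            self.flagged.add(account)
            return {"ok": False, "reason": "daily_volume_cap"}
        if longest_sequential_run(numbers) > MAX_SEQUENTIAL_RUN:
            self.flagged.add(account)
            return {"ok": False, "reason": "sequential_range_pattern"}
        self.uploaded_today[account] += len(numbers)
        # Only the numbers the caller already holds are echoed back as matches; no
        # profile fields are attached, so a match cannot be turned into a scrape.
        return {"ok": True, "matches": sorted(numbers & REGISTERED)}
```

The volume cap alone stops a single account uploading millions of numbers; the run test catches the smaller, sequentially generated batches that stay under the cap.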
In a statement, Facebook’s product management director, Mike Clark, said: “It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to 2019.”
Clark went on to elaborate on the difference between scraping and hacking, saying that there was “still confusion about this data”, but he failed to acknowledge the concerns of Facebook users or issue any kind of apology to the approximately 533 million individuals who, thanks to Facebook’s easily abused system, had their data compromised.
“We’re focused on protecting people’s data by working to get this data set taken down and will continue to aggressively go after malicious actors who misuse our tools wherever possible,” said Clark.
“While we can’t always prevent data sets like these from recirculating or new ones from appearing, we have a dedicated team focused on this work.”
Zero tolerance
Adam Enterkin, senior vice-president for global sales at BlackBerry, said breaches of any size – let alone one affecting half a billion people – should no longer be tolerated, and that Facebook must take full responsibility for the data stolen.
“Organisations must not forget that all personal data in their care is equally valuable. If you collect it, protect it. It is imperative to ensure that appropriate security controls are implemented to keep all data safe from inappropriate or unauthorised access,” said Enterkin.
“Additionally, while it’s possible to have security without privacy, it’s impossible to have privacy without security. Privacy is about the ethical and responsible handling of personal data. This is why security is an integral part of ensuring that transparency of privacy practices can be achieved.”
Avast senior global threat communications manager Christopher Budd said that while the data theft was old news, the latest developments meant the risk to those impacted was now vastly increased.
Budd described the loss of phone numbers that can be connected with email addresses as “particularly worrisome” because, for the majority of those impacted, the phone number and email combination could likely be used to obtain an SMS code to log in to their email accounts.
“This means those users are at increased risk for attackers to try SIM-swapping to redirect SMS-based codes to devices under their control and get access to the target’s email,” he said. “Because email accounts are where ‘I forgot my password’ resets go, this is the easiest, most efficient and effective way for attackers to take over your digital life by first hijacking your email account and then using that to take over your other accounts.”
“Facebook hasn’t notified users whose data has been stolen and there’s no simple, safe way to tell if you’ve been affected,” said Budd. “Because of this, if you had a Facebook account in 2019, you should assume your data has been lost and take steps to better protect yourself.”
The optimum strategy at this point is to switch your Facebook-linked email account from password-only, or password plus SMS-based codes, to an authenticator app, which removes the mobile number from the equation and mitigates some of the risk. Such apps are provided by both Google and Microsoft.
“Moving to an authenticator app is increasingly a recommended best practice in the security community, as attackers have found ways to effectively counter SMS-based codes and their attacks are getting easier and cheaper for them,” said Budd. “At this point, it’s really a question of when, not if, people move off of SMS-based codes to authenticator apps. This latest sizeable data breach for Facebook can and should be a motivation for many people to do so sooner rather than later.”
Users should also be more on guard than usual against mobile phishing, or smishing, attacks, and those who may be higher-value targets – for instance healthcare workers or government employees – should change their mobile number.