Facebook is downplaying the significance of a data breach that saw the personal information of 533 million of its users accessed online, saying the information is old and the vulnerability that was exploited was closed almost two years ago.
Over the weekend, Business Insider reported that personal information of Facebook users in 106 countries was found on a low-level hacking forum, free of charge. Cybercrime intelligence firm Hudson Rock calculated that almost 3.5 million Canadians were included.
Information included names, phone numbers, locations, birth dates, email addresses and other identifying details. No financial or payment information was accessed, Facebook said.
In a statement on its website Tuesday the social media giant said the information was gathered via a vulnerability the company fixed almost two years ago, and disputed that it was a hack.
Data scraped, not hacked: Facebook
“It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019,” said product management director Mike Clark.
Scraping refers to the act of gathering information that is already out there but somewhat hidden on public databases.
The company said whoever collected and assembled the data did so by abusing the contact importing service, which allows users to find other people in their network on Facebook.
Facebook said whoever did it seems to have uploaded a large set of phone numbers to see which ones matched Facebook users.
“This is another example of the ongoing, adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet services,” Clark said.
Impact can last years
David Masson, director of enterprise security with cybersecurity software company Darktrace, says it’s no surprise that hackers are targeting huge companies like Facebook to try to get user data, especially in the era of COVID-19 with more and more people working remotely.
The types of data collected “demonstrates the severity of these kinds of attacks,” he said.
While Facebook downplays the information stolen as being “old data,” information such as names, phone numbers and email addresses are unlikely to have changed.
“Victims can often feel the impact of such data theft years later,” Masson said.
“Ultimately, businesses need an approach to security that gives them complete visibility into their digital enterprises, that helps them understand exactly where users and data are at all times, and gives them the ability to autonomously respond to threatening activity — before the damage is done.”
Not Facebook’s first user-info incident
Although the company is downplayed in the incident, it is far from the company’s first misstep with user info.
In 2018, the social media giant disabled a feature that allowed users to search for one another via phone number following revelations that the political firm Cambridge Analytica had accessed information on up to 87 million Facebook users without their knowledge or consent.
In December 2019, a Ukrainian security researcher reported finding a database with the names, phone numbers and unique user IDs of more than 267 million Facebook users — nearly all U.S.-based — on the open internet.
LISTEN | Protecting your data while working remotely:
Spark15:32Digital security expert shares tips on how to protect your data while working remotely
“We’re focused on protecting people’s data by working to get this data set taken down and will continue to aggressively go after malicious actors who misuse our tools wherever possible,” Clark said.
“While we can’t always prevent data sets like these from recirculating or new ones from appearing, we have a dedicated team focused on this work.”