Another day, another Facebook data breach. Sigh! The personal information of more than 500 million users from 106 countries was recently made available on a low-level hacking forum.
Facebook has said the data leak occurred years ago via a now-fixed vulnerability, though experts believe it could lead to hackers using the information to impersonate victims and commit fraud.
The major discovery was made by Alon Gal, Co-Founder and CTO at a cybercrime intelligence firm by the name of Hudson Rock.
We, at PureVPN, sat down with the man himself to get his take on the whole situation and how he came about finding it.
Question #1: Please tell our readers a little about yourself and the kind of work you do at Hudson Rock?
Alon: Thanks for having me, I’ve actually been passionate about studying cybercrime since I was 14 and have been part of forums and communities of cyber criminals in order to see the developments that take place in this fascinating environment.
My background is in intelligence in the IDF, where I served my mandatory service and proceeded additional years as a consultant tackling cybercrime threats and conducting cyber operations.
After that, I went on to co-found Hudson Rock, a cybercrime intelligence firm that monitors global malware spreading campaigns and alerts companies of compromised machines belonging to their employees which are used as an attack vector for ransomware, data breaches, and corporate espionage.
Question #2: How did you come about discovering Facebook’s latest data breach?
Alon: Maintaining relationships with cybercriminals worldwide provides me with inside information on different breaches and developments. Back at the beginning of 2020, I was made aware of a cybercriminal selling the data of 533 million Facebook accounts, and while the original asking price for the database was around $30,000, I was able to confirm that several sales took place at that time.
I began watching developments closely and reported in mid-January 2020 that one of the individuals who purchased the database had actually created a Telegram bot enabling users to query the data for a low price. The story got some media attention but did not reach the mainstream, despite my attempts to raise awareness of the privacy issue involved.
I kept monitoring the story, knowing that once a database is sold around, it always ends up being sold for a lower and lower price until it leaks for free, and that is exactly what happened in May 2021.
When the database leaked, I had already set alerts so that I could be notified and report on it as soon as it happened. People understood the importance of the breach, and it received broad coverage worldwide.
Question #3: Do you have any information as to how the breach took place?
Alon: It appeared that a contact importer feature on Facebook enabled the hacker to import as many as 5000 phone numbers per API query and see results of Facebook accounts corresponding to the phone numbers queried.
Unfortunately, Facebook did not implement a proper limit on the API and did not check carefully for abuse of that feature. This led to the hacker being able to enumerate all phone numbers in the world and query them against Facebook’s database, which resulted in 533 million Facebook users being scraped off the platform.
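As an added illustration, not code from the interview or from Facebook, the constructed Python model below contrasts the unguarded lookup Alon describes with a guarded version that caps the batch size, applies a rolling per-account quota, and flags accounts whose queries look like a generated number range or match almost no real contacts. The directory, thresholds and account names are assumed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample directory (phone number -> profile id); not real data.
DIRECTORY = {"+15550000100": 101, "+15550000104": 102, "+15550000250": 103}

MAX_PER_REQUEST = 200   # hard cap per import call (assumed policy value)
MAX_PER_DAY = 1000      # rolling per-account quota (assumed policy value)
MIN_SAMPLE = 100        # apply heuristics only once this many numbers were seen
MIN_MATCH_RATE = 0.05   # real address books match far more often than brute-force ranges
SEQ_THRESHOLD = 0.8     # share of consecutive numbers that marks a synthetic range


def looks_sequential(numbers):
    """True when most numbers in the batch are consecutive, i.e. a generated range."""
    digits = sorted(int(n.lstrip("+")) for n in numbers)
    if len(digits) < 2:
        return False
    steps = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
    return steps / (len(digits) - 1) >= SEQ_THRESHOLD


class ContactImporter:
    def __init__(self):
        self.history = defaultdict(list)  # account -> [(time, queried, matched)]
        self.flagged = set()

    def lookup_unguarded(self, numbers):
        """The behaviour the interview describes: any batch size, no quota, no abuse check."""
        return {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}

    def lookup_guarded(self, account, numbers, now=None):
        now = now or datetime.now()
        if account in self.flagged:
            raise PermissionError("account flagged for enumeration")
        if len(numbers) > MAX_PER_REQUEST:
            raise ValueError(f"batch exceeds {MAX_PER_REQUEST} numbers")
        window = [e for e in self.history[account] if e[0] > now - timedelta(days=1)]
        if sum(e[1] for e in window) + len(numbers) > MAX_PER_DAY:
            raise PermissionError("daily quota exceeded")
        result = self.lookup_unguarded(numbers)
        window.append((now, len(numbers), len(result)))
        self.history[account] = window
        queried = sum(e[1] for e in window)
        matched = sum(e[2] for e in window)
        low_match = queried >= MIN_SAMPLE and matched / queried < MIN_MATCH_RATE
        synthetic = len(numbers) >= MIN_SAMPLE and looks_sequential(numbers)
        if low_match or synthetic:
            self.flagged.add(account)  # this result is returned; the next call is blocked
        return result
```

A flagged account is still served once, so the flag should feed a review queue rather than be the only control; the hard cap and quota are what bound the damage on their own.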
Question #5: Why do you think Facebook chose not to notify users about it?
Alon: My personal belief is that Facebook did not want a conversation around its privacy issues. They thought that referring to the data as “a result of scraping” and saying it’s old would discourage people and journalists from covering the story, but the bottom line is that the personal information of 533 million individuals was leaked as a result of Facebook’s negligence.
Question #6: Is there any way for Facebook users to find out if their data was leaked in the breach?
Alon: Absolutely. Luckily, we have great privacy advocates who rushed to provide users with the ability to check whether they were involved in the leak. The notable platform that lets people do it for free is Troy Hunt’s HaveIBeenPwned.
Question #7: What does the leaked data include? How can cybercriminals take advantage of it?
Alon: Data in the leak includes phone numbers, Facebook profile IDs, names, addresses, workplaces, relationship statuses, emails, bio information and more.
This is an absolutely massive trove of data for cybercriminals attempting targeted phishing attacks, where they try to create familiarity with the victim by providing accurate personal information. For example, they could send their victim a message impersonating a restaurant he frequently visits, telling him he has been credited with a free coupon, and get him to visit a malicious URL he would otherwise not have clicked.
It could also be used to perform massive phishing attempts targeting a specific group of people who mentioned the word “Bitcoin” in their profile and try to steal as much money as they can.
Other than that, you have cyber-stalking, which is a massive issue primarily for women, and having personal phone numbers leaked is a major problem in that regard.
There are countless attacks that will likely be carried out with access to this information, and hackers tend to be more creative than average people, so I can already predict that they will surprise us with what they exploit the data for.
Question #8: Facebook data leaks keep happening over and over again. According to you, what’s the biggest reason?
Alon: Facebook is attempting to grow its platform as quickly as possible, and this is mostly done by enabling users to connect with their friends, even at the cost of private information being provided to Facebook.
For instance, Facebook will immediately suggest potential friends once you import your phone’s contact list, but that means you had to provide Facebook with the phone numbers and names of all of your contacts, which could (and does) lead to massive data leaks.
Question #9: What is the best course of action if someone’s information gets leaked in a breach like this?
Alon: First of all, I suggest that Facebook changes the Facebook IDs of everyone on its platform to block the ability of hackers to query new information from the platform while cross-referencing it with the phone numbers of the victims.
For users, I suggest staying alert to suspicious text messages and being proactively paranoid when clicking URLs from sites they aren’t familiar with, sent to them by people they don’t personally know.
Question #10: In your opinion, which social media platform is the most secure to use?
Alon: I am a big advocate for decentralization. I’ve been told that Signal is pretty good, but I don’t personally recommend any social media that is not built on trustless technology. That means no phones, no emails, and no passwords. I hope we will see mainstream, decentralized social media in the near future!
We would like to thank Alon for agreeing to answer our questions and giving our readers some useful insights about the Facebook data leak. Go follow him on Twitter if you enjoyed this interview; he tweets at @UnderTheBreach.