//Blogs - 06 April 2021

Easter's Facebook Revelations

Initial Release 2021-04-06


Well, it has made the news that Facebook had a data leak of 533 million of its users, across 106 countries [1].  What better time for this to be made public than on an Easter Sunday.

To save you most of the time reading this blog, the spoiler is that the data appears to date from 2019 [2] and that no passwords appear to have been leaked.

Although there are some discrepancies about when the fix took effect, with one party stating August 2019 [2] and another stating January 2020 [3][4], it is a reasonable conclusion that the data has been out there for a while already.

Now that we have a fair idea that this data has been out for a good amount of time, it would be useful to find out what types of data were released.  After all, it may be only now, with the news being proportionately reported [3][5], that the security team is asked to perform some checks.

So, a data breach makes an impact when data types are associated with each other. A single type of data listed on its own has limited effect, but an association of two data types carries more effect than the sum of two separate lists.  Also, some data pairs, when associated, have more impact than other pairs.  For example, the association of Email Address and Password has a deeper impact than the association of Email Address and Name.  Luckily, it seems that passwords are not in the mix of the data said to be available from the 533M leak.

Of the 533 million records, the associations of information are [4]:

  1. Predominantly Account to Phone Number;
  2. Mostly includes Names and Gender;
  3. Many including Date of Birth, Location, Relationship Status and Employer; and
  4. 2.5 million records including Email Addresses.

In case you have to check [5] whether your account holders have been part of the Facebook 533 million data records leak, the service from HaveIBeenPwned [6] may be used.

As for recommendations arising from this new old-news, there is nothing novel in the following steps:

  1. Check if the emails that you take care of are part of this breach by domain search; [7]
  2. Check if the breach is from the Facebook leaks;
     (time permitting, follow through with any other breaches listed in the Domain Search report.)
  3. Check that any credential pairs listed (not the case for the 533M Facebook leak) are no longer active;
  4. Check that the impact of other information associations is understood, while keeping in perspective that:
    1. Data associations may exist on other social media services,
    2. Further associations could be made on other social media services.
  5. Recommend settings to restrict searchability; [8]
  6. Advocate the use of strong passwords, password managers and MFA;
     (although not within the scope of effect of this instance of a data leak.)
  7. Be aware that phishing campaigns may increase due to this "news". [9]
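An added example, not from the original post, of how steps 1 to 4 can be applied to a per-account breach listing: it flags accounts in the Facebook breach, lists any other breach carrying a credential pair, and scores the data-type associations along the lines discussed above. The input is constructed for illustration in the shape of the HaveIBeenPwned breach model fields (Name, BreachDate, DataClasses); the account names, the "HypotheticalForum" breach and the pair weights are assumptions, not values from the page or from HIBP.

```python
"""Triage a per-account breach listing against the recommendation steps."""
import json

# Constructed sample shaped like the HIBP breach model (Name, BreachDate,
# DataClasses). Accounts and the second breach are made up for illustration.
SAMPLE_REPORT = json.dumps({
    "alice@example.org": [
        {"Name": "Facebook", "BreachDate": "2019-08-01",
         "DataClasses": ["Dates of birth", "Email addresses", "Employers",
                         "Genders", "Geographic locations", "Names",
                         "Phone numbers", "Relationship statuses"]},
    ],
    "bob@example.org": [
        {"Name": "Facebook", "BreachDate": "2019-08-01",
         "DataClasses": ["Email addresses", "Names", "Phone numbers"]},
        {"Name": "HypotheticalForum", "BreachDate": "2020-03-15",
         "DataClasses": ["Email addresses", "Passwords", "Usernames"]},
    ],
    "carol@example.org": [],
})

# Assumed weight of each data class when paired with the email address;
# reflects the point that some associations carry more impact than others.
PAIR_WEIGHT = {"Passwords": 10, "Phone numbers": 4, "Dates of birth": 3,
               "Geographic locations": 2, "Employers": 2, "Names": 1,
               "Genders": 1, "Relationship statuses": 1}


def association_score(data_classes):
    """Sum the pair weights of every class exposed alongside the email."""
    return sum(PAIR_WEIGHT.get(c, 1) for c in data_classes
               if c != "Email addresses")


def triage(report_json, target_breach="Facebook"):
    """Per account: target-breach hit, other breaches, breaches exposing a
    credential pair (step 3), and an impact score over all classes (step 4)."""
    findings = {}
    for account, breaches in json.loads(report_json).items():
        if not breaches:          # step 1: not part of any breach, nothing to do
            continue
        exposed = sorted({c for b in breaches for c in b["DataClasses"]})
        findings[account] = {
            "in_target_breach": any(b["Name"] == target_breach for b in breaches),
            "other_breaches": sorted(b["Name"] for b in breaches
                                     if b["Name"] != target_breach),
            "credential_pair_from": [b["Name"] for b in breaches
                                     if "Passwords" in b["DataClasses"]],
            "impact_score": association_score(exposed),
        }
    return findings


if __name__ == "__main__":
    for acct, finding in triage(SAMPLE_REPORT).items():
        print(acct, finding)
```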

Last but not least, take some comfort that Facebook officially discontinued API access to those fields as of 2018 [10], and in turn raise your concern should other social media APIs provide the same searchability.


References: 

[1] 533 million Facebook users’ phone numbers leaked on hacker forum
https://www.bleepingcomputer.com/news/security/533-million-facebook-users-phone-numbers-leaked-on-hacker-forum/

[2] "This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019."
https://twitter.com/liz_shepherd/status/1378398417450377222

[3] "In early 2020 a vulnerability that enabled seeing the phone number linked to every Facebook account was exploited, creating a database containing the information 533m users across all countries"
https://twitter.com/underthebreach/status/1349674272227266563

[4] HIBP - Facebook Dataleak
https://haveibeenpwned.com/PwnedWebsites#Facebook

[5] How to check if you’re part of the Facebook data breach
https://www.theverge.com/22367727/facebook-data-breach-haveibeenpwned

[6] HaveIBeenPwned
https://haveibeenpwned.com/

[7] Domain Search
https://haveibeenpwned.com/DomainSearch

[8] How do I control who can look me up on Facebook using my email address or mobile phone number?
https://m.facebook.com/help/131297846947406
https://www.facebook.com/help/131297846947406

[9] Possible Phishing Campaigns Arising from Facebook's Data Leak
https://www.csa.gov.sg/singcert/advisories/ad-2021-004

[10] Facebook Graph API - User
https://developers.facebook.com/docs/graph-api/reference/user