The personal information of about half a billion Facebook users, including their phone numbers, have been posted to a website used by hackers, cybersecurity experts say.
If you were a Facebook user in 2019, it's possible that your information is among the millions of records posted on a website used by hackers.
Cyber intelligence firm Hudson Rock over the weekend revealed that personal information from 533 million Facebook accounts was leaked, including names, phone numbers, Facebook IDs, locations, account creation dates, birthdays, relationship statuses, bios and, in some cases, email addresses. The breach includes data from more than 32 million accounts in the United States, 11 million in the United Kingdom and 6 million in India.
Facebook said the data is from a previously reported breach that occurred in 2019.
"We found and fixed this issue in August 2019," Facebook spokesperson Andy Stone told CNN Saturday.
However, for many users, information they had on their Facebook profile in 2019, such as phone numbers and birthdays, likely hasn't changed in the past two years. And that means the data could still be useful to hackers or other bad actors.
"Although this was due to an old breach [and] this is old information, now it's out there in the public domain," said Jeff Dennis, partner and head of the privacy and data security practice at law firm Newmeyer Dillion. "Anyone who has basic search skills can now go find that database and exploit it, which was not the case when the data was originally taken."
Here's what users should know about how the leaked data could be used, and how to protect themselves.
Cyber intelligence firm Hudson Rock revealed that personal information from 533 million Facebook accounts was leaked, including names, phone numbers, Facebook IDs, locations, account creation dates, birthdays, relationship statuses, bios and, in some cases, email addresses.
How could bad actors use the data?
The news of the leak is definitely not good. But it's also not necessarily a reason to panic.
The truth is that data breaches have, unfortunately, become fairly common for a wide range of online services. So, unless you hardly ever use the internet or mobile apps, it's likely that much of your personal information is already out there where bad actors could find it.
The types of information exposed in the recent Facebook leak are also not the most useful to hackers, unlike data such as credit card information or social security numbers.
"The silver lining here is that this data is not that valuable to attackers to conduct any sort of damning attack against an entity or a person," said Vikram Thakur, technical director at Symantec, a security software firm that's now part of Broadcom. "The information is not that granular that it can somehow impact one's identity or one's personal life."
Still, there are a number of ways that bad actors could exploit the leaked information.
First thing's first: There are websites, including haveibeenpwned.com, where users can see if their email or phone number was potentially involved in the breach. The method, however, is not foolproof — and Facebook has not said whether it will alert those whose information was hacked — so users should be on the lookout for potential misuse of their data whether or not they show up on such a site.
Because the breach includes names and phone numbers, it could lead to an uptick in robocalls or text messages (which are already a huge problem). Scammers are the most obvious potential users of leaked phone number data, but technically anyone could search the database and find this info — so people may also want to be aware of the potential for other strangers to get their digits.
"It's actually very easy to search through this data ... in a few seconds, you can easily find anybody's information that you are looking for," Thakur said, though in a cache of 533 million records, if someone has a common name, finding their information could become more difficult.
The data could also be used for carrying out social engineering attacks, such as phishing. Typically, a social engineering attack involves a bad actor imitating a legitimate person or organization, including a bank, company or coworker, in order to steal data such as login credentials, credit card numbers, social security numbers and other sensitive information.
Although the Facebook breach won't necessarily lead to an increase in the volume of phishing attempts, the fact that so many different types of information on each single user is available as a result of this hack it could make them appear more credible, and thus more successful.
"It would be very hard, as a user, to see through some sort of phishing campaign when they're using information that you thought was very private to you, such as information that would be found on Facebook in your bio section," Dennis said. "Particularly, when you combine it with location information, you can see how bad guys would start to use this information in a very sinister but effective way."
How to protect yourself
The breach is a reminder that no information users share with online services can ever be absolutely guaranteed to be secure and private.
"As good as our defenses are, the bad guys are continuing to evolve faster than we can protect ourselves and faster than companies can protect the information, so you just need to be aware," Dennis said. "I wouldn't put anything on Facebook that you wouldn't want put in a public database somewhere down the line."
Affected users, and anyone whose information could have been exposed, should keep their eyes peeled for potential scams or phishing attempts.
A good rule of thumb, according to Thakur: "Only give out your information when you are the one initiating the conversation. If somebody asks you for your social security, your password, your credit card number, even your name, there is no need for you to put it in anywhere ... unless you're the one initiating the conversation or the transaction."
In other words, if you get a phone call or email from someone purporting to be from your bank, or your doctor's office, or a company you recently shopped at asking for sensitive information, do not hand it over. Hang up. Then find a trusted phone number for that place — from the back of your credit card, the doctor's website, or the official email receipt you received from the company — and give them a call to determine if the request was legitimate.
More generally, the situation is also a good reminder to take steps to preserve your data "hygiene," as experts sometimes call it, such as using different passwords for each website, changing passwords frequently and using two-factor authentication.
15 ways we give social media companies personal data
15 ways we give social media companies personal data
In 2020, many internet users were savvier than ever about what they shared or didn’t share, but modern life almost requires engaging with social media in some way. How is personal data given to these sites, and how can that be utilized against users? To find the answer, Stacker compiled a list of 15 ways data is revealed to social media companies. This includes information from sites like the Electronic Frontier Foundation and Norton, as well as news reports from Buzzfeed and more. What these insights show is that everything done online—from what is clicked on to how long a page is looked at—is valuable to people who are selling that data.
Protecting privacy online is an ongoing challenge, and the goal posts are constantly moving as marketers grow more and more proficient in avoiding the obvious things consumers are aware of when visiting sites. That includes going past explicit location data, for example, and gathering up location footprints by using the things around users instead. It also includes setting up bots that scrub publicly available information to build profiles of users as potential customers. Any free service or app used is turned into a profile that can be sold to someone, whether directly or through customized advertising.
Read on for some of the most common ways that social networking companies gather and sell users’ data to the highest bidder. The only way to completely opt out of this system is to stop using almost everything that relies on the internet, which some people can manage to do. But for the rest of us, simply being aware of how our data is being bought and sold can show us ways to keep that data to ourselves as much as possible. Forewarned is forearmed.
You may also like: 10 most common items polluting the ocean
Personal data for the taking
Broadly speaking, any website that is free to use is selling your participation as its product. That includes personal data such as names, birthdates, locations, IP addresses, gender, and device IDs, as well as more abstract info such as hobbies and interests.
What gets you engaged sells
How you use free social media websites gives their makers a great deal of data about what is working and what isn’t, and they can sell that data as “consultants” on other products and websites. This includes which wording gets you to interact with a sponsored post on a social media page, for example.
Giving them attitude data
Websites measure your “attitude” on issues. For example, you may have seen what seems like innocent poll questions used to paywall newspaper stories, for example. If you take the time to answer any questions, that information, which could include how you feel about social and political issues, is hugely valuable to advertisers and marketers.
Behavioral data easily collected
Behavioral data is related to engagement and includes how you physically interact with social media websites, tracking everything from how your mouse pointer moves around the page to which of two versions of a new website design you spend more time visiting. This helps site creators develop new features that they believe you will use more.
What makes you stick around
Behavioral and engagement data helps social media sites make you stick around longer, which is the best way to ensure you see more ads. This is why, for example, websites have leaned on controversial or even dishonest content. It can attract more attention and create more conflict.
You’re the bull’s-eye
With a full portfolio of data on you, websites like Facebook and YouTube can tailor-make ads that will come directly to you. These ads will relate to your interests, your search history, and even your location. You are the one being personally targeted in these endeavors.
Location, location, location
When using social media sites, your location is an especially nefarious share, because simply disabling location sharing on your part does not rule out other ways to know your whereabouts. It’s hard to guarantee you aren’t revealing parts of your location, especially if you use public Wi-Fi networks.
How you interact is telling
Companies want to know and buy data about your interaction patterns with customer service, for example, or user support on social media sites. By tracking how you use these and other services, sites can help companies better prepare marketing that will work on you.
Making money from third-party software
Mobile apps often include third-party software called software development kits (SDKs), which is sort of like planting a listening bug in someone’s home or office. Marketers pay to place these data-mining pieces of code in apps, making it hard for developers to say no—if they even want to. Free apps are just like free websites, meaning your information is how they will make money.
You’re being triangulated
Apps can use secondary information to triangulate you, including hardware information like the MAC address of a printer you may use, for example. If you limit these interactions or use only private Wi-Fi networks, you can avoid some of this.
Letting social networks use your photos
For social networks to work, they need certain rights over your photos and content because they’re effectively repackaging them to display with advertisements to your friends. The user agreements you check mark without thinking about it include the releases needed for these social media companies to use your photos and content—royalty-free.
Oversharing details
While there is a focus on more secretive data mining, many users of social media volunteer quite a bit of personal data that is unwise to share in that context. This includes info that can be scrubbed by people working on behalf of employers or even cybercriminals, with no specific marketing goals involved at all.
Check your settings
One of the easiest ways people inadvertently reveal information is by not looking closely at their settings. Social media sells usage either way, but leaving information truly public opens it up to third parties who skim these details for totally different kinds of uses.
Letting yourself be grouped
Giving sites a comprehensive and invasive personal view of your life, interactions, and behaviors online means they can easily group and sell you as part of a demographic. One way to at least avoid seeing this in action is to turn off Google ad personalization, for starters.
You may also like: How Americans feel about 30 major issues
