A leak exposed the data of 267 million Facebook users. According to Comparitech’s representatives, this was the result of a scraping operation carried out by cybercriminals. “One possibility is that the data was stolen from Facebook’s developer API before the company restricted access to phone numbers in 2018. Facebook’s API is used by app developers to add social context to their applications by accessing users’ profiles, friends list, groups, photos, and event data. Phone numbers were available to third-party developers prior to 2018,” explained Comparitech’s Paul Bischoff.
According to consultant Bob Diachenko, Facebook’s API could also have a security hole. Thus, criminals could access user IDs and phone numbers. This might have happened even after the company restricted the access. Another scenario is that hackers stole without using the Facebook API at all. Instead, hackers might have collected the data of Facebook users from publicly visible profile pages.
Researchers warn that such a large database of sensitive information could be very useful for bad guys in major spam, phishing and smishing campaigns. Smishing is the name of the phishing attacks that try to trick users into giving their private information via SMS or text messages.
While Facebook tries to make users trust more the social media network, these kind of events seem to have the opposite effect.
More and more unsecured databases
According to the researchers, data appeared online on the 12th of December, after it was first indexed eight days before. Diachenko discovered it on December 14. He notified the internet service provider managing the IP address. After five days, it became unavailable. It seems that the original leak of appeared because of a misconfigured Elasticsearch cluster. Elasticsearch is a distributed, open source search and analytics engine for all types of data.
Lately, unsecured databases create lots of problems for the users. In November, personal data of over one billion users harvested by data enrichment companies was found exposed. Then, in December, the same amount of email and password combinations were found the same way by Diachenko. It seems that hackers stole these or bought them.