
309 million Facebook users’ details on sale online. What you need to know.

Security researchers have recently found leaked data on more than 300 million Facebook users for sale on the Dark Web, a find that may lead to an increase in targeted phishing attacks and credential stuffing attacks.

So here, we quickly discuss what that means, and how it could affect you. And of course, what you can do to make sure you don’t become a victim of these sorts of data leaks.

309 million Facebook users have their details up for grabs

Researchers from cyber intelligence company Cyble discovered the data for sale. It does not contain passwords, but it does contain profile IDs, full names, email addresses, phone numbers, relationship status and age. Around 267 million of these profiles were exposed online back in 2019 and subsequently taken down, but the data has now resurfaced with an additional 42 million profiles added, and it is for sale to anyone willing to pay for it.

How was the data leaked?

The short answer is that no one knows for certain. The researchers who discovered the data suggest it came either from a since-fixed security vulnerability in Facebook’s developer platform, or from something called “scraping”: the bulk collection of information that Facebook users have left publicly visible. Scraping is not a hack, but it is certainly a good reason to make sure none of your personal information is set to public, something many Facebook users still don’t do.

If my password wasn’t included, how is this a threat to me?

Just because passwords were not included in the leaked data doesn’t mean it poses no threat to you. Having data about you leaked online in a breach like this can still make you a target for scammers, specifically for credential stuffing attacks and for targeted phishing scams (known as “spear phishing”).

For credential stuffing, if you never reuse the same password across different websites, you have little to worry about. If you do, this leaked data makes such attacks easier. Crooks now have the email address you use for Facebook, and they can look it up in earlier leaks that did include passwords (these days the chances are high that some of your data has already appeared in a previous leak; you can check at HaveIBeenPwned.com). They then try any password found alongside your email against your Facebook account and your other online accounts. If the password they find is old, no longer in use and was never reused on other websites, it gets them nowhere.

So if you do reuse passwords, stop doing that.

Perhaps the greater danger, though, is the leaked data’s usefulness for targeted phishing scams, known as spear phishing. Phishing scams are scams where crooks pretend to be from a trusted source in order to trick a victim into handing over sensitive data, such as login details or banking information. Most people have seen phishing emails land in their inbox, but these are typically generic emails sent to thousands of recipients, and as such they contain little or no personal data specific to each recipient.

However, crooks can make these scams far more convincing when they add personal information specific to the recipient, such as the information this Facebook data leak has provided. That is spear phishing: targeted phishing attacks. Crooks can simply insert details such as your name, age and phone number into a scam email to make it appear far more believable, and far more likely to convince someone to, say, visit a spoof website and enter sensitive information.

While scammers cannot launch spear phishing scams on the same scale as generic phishing scams, the success rate is higher.

Of course, a generic email that contains no details about you and asks you to act on an account is a red flag and can be dismissed outright, but on the flip side of the same coin, all of this means that we shouldn’t automatically assume an email that does know our name and other details about us is legitimate.

There are other tell-tale signs of phishing scams, such as bad grammar and spelling, and an emphasis on alarming the recipient (e.g. “Your account will be disabled unless you click this link”). And of course, if you do click a link, always verify that you’re on the web domain you should be on, and not a spoof domain.
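“Verify that you’re on the right domain” is harder than it sounds, because spoof links are built to look right at a glance: the genuine domain name can appear as a prefix of the attacker’s host, as a username before an `@`, in the path, or with a look-alike letter swapped in. The only part that decides where a browser connects is the hostname. The Python below is an added example written for this article, not code from the original page; the expected domain and the list of sample links are constructed for illustration, and the check treats only the expected domain and its subdomains as genuine.

```python
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical expected site for this example; substitute the domain of the
# service the email claims to be from.
EXPECTED_DOMAIN = "facebook.com"


def link_host(url: str) -> Optional[str]:
    """Return the normalised hostname a browser would actually connect to,
    or None if the link is not a plain http(s) URL."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = parts.hostname  # drops any user@ prefix and :port, lower-cases
    if not host:
        return None
    host = host.rstrip(".")  # 'facebook.com.' names the same host as 'facebook.com'
    try:
        # Convert internationalised names to their ASCII (xn--) form so that
        # look-alike Unicode letters can never compare equal to the real domain.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return host


def is_expected_site(url: str, expected: str = EXPECTED_DOMAIN) -> bool:
    """True only when the host is the expected domain or a subdomain of it."""
    host = link_host(url)
    if host is None:
        return False
    return host == expected or host.endswith("." + expected)


# Constructed links of the kinds found in phishing emails.
SAMPLE_LINKS = [
    "https://www.facebook.com/login/",                # genuine
    "https://facebook.com.account-verify.example/",   # real name used as a prefix
    "https://facebook.com@evil.example/login",        # real name as userinfo
    "https://evil.example/facebook.com/login",        # real name in the path
    "https://faceb00k.com/",                          # digit look-alike
    "https://fаcebook.com/",                          # Cyrillic 'а' look-alike
    "https://WWW.FACEBOOK.COM./",                     # case and trailing dot are harmless
]


def classify(links=SAMPLE_LINKS) -> dict:
    """Map each link to whether it really points at the expected site."""
    return {u: is_expected_site(u) for u in links}


if __name__ == "__main__":
    for url, ok in classify().items():
        print("OK   " if ok else "SPOOF", url)
```

The same logic is what to apply by eye in the browser address bar: read the hostname from the right-hand end, back to the first dot that separates it from everything else, and ignore whatever the link text or the path says.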

The bottom line is this. Be vigilant. Never take chances when it comes to clicking links on emails, and always be wary when entering sensitive information online. It’s always best to double and triple check, and if you’re not sure, ask! Oh, and stop reusing passwords, of course.

Published by
Craig Haley