The personal data and phone numbers of hundreds of millions of Facebook users were posted for free in a hacking forum over the weekend. 

Insider reports the data includes personal information of 533 million Facebook users from 106 countries, including more than 32 million records on users in the U.S., 11 million on users in the U.K., and 6 million on users in India. The data includes phone numbers, Facebook IDs, full names, locations, birthdates, bios and some email addresses. After verifying the leaked data, Insider reports a Facebook spokesperson said the data had been scraped due to a vulnerability patched in 2019. Insider also attempted to reach the leaker through the messaging app Telegram but did not get a response.

According to Michael Isbitski, Technical Evangelist at Salt Security, a Palo Alto, Calif.-based provider of API security, "Content scraping is a common attack pattern. APIs are the heart of applications, powering business functionality and serving up data. Organizations often build or integrate APIs, without fully considering the abuse cases of the APIs. Controlling API consumers is difficult, particularly in the world of public, consumer-focused applications. They are built to be accessible by design in order to increase adoption and grow the business of the organization. The APIs are working as intended in a lot of cases of business logic attacks, and you aren’t dealing with traditional types of application exploits like injection attacks. These data sets are also useful in other types of automated attacks such as brute forcing or credential stuffing to achieve account takeover."

Ivan Righi, Cyber Threat Intelligence Analyst at Digital Shadows, a San Francisco, Calif.-based provider of digital risk protection solutions, explains that although Facebook patched the vulnerability, exploiting the flaw allowed cybercriminals to build an extensive database with millions of users' data.

Righi adds, "It is not a surprise that this data leak has resurfaced. Initially, the data was listed at a relatively steep price, limiting the number of threat actors who would have been able to purchase the listing. The breach was probably re-sold multiple times since then until the price lowered enough that a user decided to publicly expose it to generate a small profit and increase reputation. This activity frequently happens in criminal forums. While the data may be old, it still holds a lot of value to cybercriminals."

Though the data dates back to 2019, it could still be useful to cybercriminals: most phone numbers could still be active and remain linked to legitimate users, Righi says. Cybercriminals could use information such as phone numbers, emails, and full names to launch targeted social engineering attacks, such as phishing, vishing, or spam. "As most users are still working from home due to the pandemic, these attacks could be effective if personalized to target victims. For example, cybercriminals could send text messages impersonating companies or banks to users. These messages could name the individual within the text to add credibility and include malicious links."

This is an incredibly challenging problem for Facebook considering they are probably one of the largest data brokers on the planet, says Andrew Barratt, Managing Principal, Solutions and Investigations at Coalfire, a Westminster, Colo.-based provider of cybersecurity advisory services. "While they can continue to improve their cyber defenses and application security they are closing in on 3 billion users, all of which can configure their privacy in a multitude of different ways exposing different fields to marketeers who can then pay to access it. One of the bigger challenges is dealing with fake accounts that exist solely to harvest user data – often posing as celebrities or friends of friends. These accounts are also the primary vehicle now for a lot of scammers who readily harvest photos of prominent Instagram influencers and use them to entrap the general public in a number of confidence scams. Part of the solution to this will be to restrict the ability to automate access to the platform and add ‘tar-pits’ to those who look to screen scrape content making it prohibitively expensive to harvest automatically."

Consumers in general need to be mindful of the data they share on social media, Barratt suggests. "The best advice is to ensure that none of the accounts you’re using for social media directly link to anything that has the ability to move money (credit cards, online banking etc). So, if your account is compromised it is perhaps an inconvenience but isn’t going to lead to immediate financial ruin."

Setu Kulkarni, Vice President, Strategy at WhiteHat Security, a San Jose, Calif.-based provider of application security, says, "This is what I call the tsunami of the past... Considering that millions of phone numbers are out in the open, along with enough personal data about the phone number owners, it is likely that there will be a spike in SMISHING. Now more than ever it is important to seriously reconsider using phone numbers as logins or sharing phone numbers with apps. Switching phone numbers is inordinately more taxing than switching email IDs."

Isbitski recommends organizations "protect their APIs and monitor consumption continuously in order to catch such malicious activity as content scraping or authorization bypasses. API security issues can also expose organizations to regulatory penalties, since many standards and legislation including the likes of GDPR and CCPA explicitly define types of PII that must be protected. This includes phone numbers and account identifiers as seen in the leaked Facebook datasets. Even seemingly innocuous types of data can be combined to uniquely identify individuals and impact privacy."
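
The continuous consumption monitoring Isbitski recommends and the "tar-pits" Barratt describes can be combined in a single control that slows any API client looking up many distinct records in a short time. The sketch below is an added illustration, not code from Facebook or from any vendor quoted here; the window, thresholds, client keys and log format are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque

# All thresholds are assumptions chosen for the example, not recommended values.
WINDOW_S = 60         # sliding window length in seconds
DISTINCT_LIMIT = 5    # distinct identifiers one client may look up per window
BASE_DELAY_S = 0.5    # first tar-pit delay once the limit is exceeded
MAX_DELAY_S = 30.0    # cap so a single request cannot be held forever


class ScrapeMonitor:
    """Tracks distinct identifiers looked up per API client in a sliding window."""

    def __init__(self):
        self._events = defaultdict(deque)  # client -> deque of (ts, identifier)

    def observe(self, client, ts, identifier):
        """Record one lookup and return the delay (seconds) to impose on it."""
        q = self._events[client]
        q.append((ts, identifier))
        while q[0][0] <= ts - WINDOW_S:   # drop events that left the window
            q.popleft()
        distinct = len({ident for _, ident in q})
        excess = distinct - DISTINCT_LIMIT
        if excess <= 0:
            return 0.0
        # Delay doubles with each additional distinct identifier: enumeration
        # gets expensive, while repeat lookups of the same record stay free.
        return min(BASE_DELAY_S * 2 ** (excess - 1), MAX_DELAY_S)


def replay(log_lines):
    """Replay 'timestamp client identifier' lines; return worst delay per client."""
    monitor = ScrapeMonitor()
    worst = defaultdict(float)
    for line in log_lines:
        ts, client, ident = line.split()
        worst[client] = max(worst[client], monitor.observe(client, float(ts), ident))
    return dict(worst)


# Constructed sample log (fictional 555-01xx numbers, hypothetical client keys).
SAMPLE_LOG = (
    [f"{i} key-A +120255501{i:02d}" for i in range(12)]        # 12 numbers in 12 s
    + [f"{i * 5} key-B +12025550150" for i in range(12)]       # one number, repeated
    + [f"{i * 30} key-C +120255501{60 + i}" for i in range(12)]  # 12 numbers, slowly
)

if __name__ == "__main__":
    for client, delay in replay(SAMPLE_LOG).items():
        print(f"{client}: worst delay {delay:.1f}s")
```

Only the client enumerating many numbers quickly is slowed; the client repeating one lookup and the client spreading lookups over time are not.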