Facebook has been affected by many personal data leaks. I’m forced to have a Facebook account, because there are still too many people who use Messenger as their main, and often their only, communicator. I don’t have Messenger installed on my computer, phone or tablet – I use the web version, for privacy and security reasons. Also, in my 1Password database, in the Watchtower section, I always have a warning for Facebook and for Instagram, which it owns, because of password leaks. I would be glad to use only Telegram, but how do I persuade all my contacts? It’s fashionable today to take a photo on a smartphone and instantly share it on Instagram or Facebook – with all metadata, including GPS location. Lots of people just don’t care, and it’s hard to explain to them the advantages of communicators like Telegram or Signal.
As TechCrunch reports, more than 419 million records of Facebook users were leaked online. They included 133 million records of US users, 18 million records of UK users and 50 million records of Vietnamese users. Each leaked record contained the person’s unique Facebook ID and also the phone number, if one was associated with the account. A Facebook ID can be used to discover a person’s username.
Many Internet users are lazy, and when they have to set up an account for some service and “Login with Facebook” is offered, they just log in with their Facebook account. Because nobody should trust Facebook, and because of Facebook’s many data leaks, you should take a few minutes to set up a separate account instead of logging in with your Facebook account. And I’m not even counting account bans by Facebook itself when you share “politically incorrect” content, even though you are telling the truth and many people agree, but that’s another story. If your Facebook account is banned, you can’t use the services you logged in to with your Facebook account.
The leaked database is probably old, because Facebook restricted access to phone numbers more than a year ago. Facebook’s spokesperson said that the leaked data was scraped before Facebook cut off access to phone numbers:
“This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” the spokesperson said. “The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised.”
In its testing, TechCrunch was able to verify multiple records in the database by matching a known Facebook user’s phone number against a listed Facebook ID. Some other records were verified by matching phone numbers with Facebook’s password reset feature, which can be used to partially reveal a phone number linked to an account. Some records also included usernames, genders and country locations.
Phone numbers are important, because they are often used in two-factor verification. Verification SMSs are not the best security option – SMS data “fly over the air” unsecured in plain text format. There is also so-called “SIM-hacking”, which involves calling a phone carrier and asking for a SIM transfer for a specific number, so that the attacker can gain access to services linked to the phone number, like the two-factor verification mentioned above or the password reset feature in some services. Also, leaked phone numbers increase the number of spam calls.
The database was originally found by security researcher Sanyam Jain. He said he was able to locate phone numbers associated with several celebrities. It’s not known who owned the database or where it originated from. Thanks to TechCrunch, the database was taken down after it contacted the web host.
It will be interesting to watch how European Union regulators react. In the EU, there is a strict privacy protection regulation called GDPR (the General Data Protection Regulation), and Facebook may face a really big fine.