Social Network Attempts ‘Not Hacking’ Spin on Theft of 533 Million Users’ Details
Facebook has been attempting to dismiss the appearance of a massive trove of user data by claiming it wasn’t hacked, but scraped. The social network also claims that it reported the flaw that was exploited by criminals to privacy watchdogs in 2019.
But Facebook failed to make clear that 533 million of its users had their profile names and ID numbers, locations, biographical information, email addresses and phone numbers exposed – even when users had set their phone numbers to not appear on their profile page.
“Malicious actors obtained this data not through hacking our systems but by scraping it from our platform.”
On Tuesday, Facebook, for the first time, warned that the information had been stolen and then attempted to spin the breach as not having been a hack attack.
“It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019,” according to a blog post attributed to Mike Clark, a Facebook product management director.
In other words, attackers breached Facebook data by “hacking” – or exploiting, if you like – what wasn’t a bug, but a feature that allowed them to download massive quantities of private user data.
The obvious retort from Facebook users would be: “Hacked, scraped, breached, pwned, misconfigured or whatever – you were supposed to keep this data safe.” Instead, more than 530 million users have been at increased risk of phishing and fraud thanks to criminals having access to this data.
Facebook has suffered so many data breaches that it’s tough to tell them apart, although Wired last week published a must-read guide. And in this case, it’s not clear when attackers began amassing all of this information, or how many different data sets may have been combined to produce it.
But Australian security researcher Aidan Steele said he filed a vulnerability report in January 2014 with Facebook, warning that he’d been able to feed made-up phone numbers into its API. Whenever the Facebook system detected that a phone number was legitimate, he says, it sent back the associated user’s account details. Steele warned that the API even seemed able to return account information for users who didn’t have a contact phone number listed in their Facebook profile, and it could handle more than 1,000 requests per second.
Regarding that Facebook scrape: I’m surprised it took this long to blow up. I tried reporting this to Facebook 7 years ago and the response was basically “working as designed”.
I was able to query ~70K phone numbers a minute. As high as 20% hit rate in NYC area codes. pic.twitter.com/PAu5rmkDNd
— Aidan W Steele (@__steele) April 9, 2021
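The abuse pattern Steele describes has a recognisable shape from the server side: one caller feeding a large volume of guessed numbers into a contact lookup, far faster than a person importing an address book, with most lookups missing. The detector below, an added example that is not Facebook's code or Steele's, runs that heuristic over constructed log lines. The log format (`timestamp client phone result`), the client names, the phone numbers and the thresholds are all assumptions chosen for illustration.

```python
"""Flag phone-number enumeration against a contact-lookup endpoint from its access log.

Hypothetical log line format (one lookup per line): <unix_ts> <client_id> <phone> hit|miss
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class LookupEvent:
    ts: int        # unix seconds
    client: str    # caller identity: app session, API key or source IP
    phone: str     # number that was looked up (hash or truncate this before logging in production)
    hit: bool      # True if the number resolved to an account


def parse_line(line: str) -> LookupEvent:
    ts, client, phone, result = line.split()
    return LookupEvent(int(ts), client, phone, result == "hit")


@dataclass
class ClientStats:
    requests: int = 0
    hits: int = 0
    distinct: Set[str] = field(default_factory=set)


def summarize(events: Iterable[LookupEvent], window: int = 60) -> Dict[Tuple[str, int], ClientStats]:
    """Aggregate lookups per (client, fixed time window) bucket."""
    buckets: Dict[Tuple[str, int], ClientStats] = defaultdict(ClientStats)
    for e in events:
        s = buckets[(e.client, e.ts // window)]
        s.requests += 1
        s.hits += int(e.hit)
        s.distinct.add(e.phone)
    return buckets


def classify(buckets: Dict[Tuple[str, int], ClientStats],
             max_per_window: int = 300,   # assumed: more lookups/minute than an address-book import needs
             min_hit_rate: float = 0.3,   # assumed: real contact lists mostly resolve; guessed numbers do not
             min_sample: int = 100) -> Dict[str, List[str]]:
    """Return {client: [reasons]} for clients whose lookup pattern looks like enumeration."""
    flagged: Dict[str, List[str]] = {}
    for (client, bucket), s in buckets.items():
        reasons = []
        if s.requests > max_per_window:
            reasons.append(f"{s.requests} lookups in window {bucket} (limit {max_per_window})")
        hit_rate = s.hits / s.requests
        if len(s.distinct) >= min_sample and hit_rate < min_hit_rate:
            reasons.append(f"hit rate {hit_rate:.2f} over {len(s.distinct)} distinct numbers")
        if reasons:
            flagged.setdefault(client, []).extend(reasons)
    return flagged


def detect_enumeration(lines: Iterable[str]) -> Dict[str, List[str]]:
    return classify(summarize(parse_line(line) for line in lines))


def make_sample_log() -> List[str]:
    """Constructed sample: one genuine address-book import and one enumeration run."""
    base = 1617926400  # arbitrary window start, aligned to a minute boundary
    lines = []
    # Genuine client: 40 contacts uploaded over a minute, 4 in 5 resolve to an account.
    for i in range(40):
        lines.append(f"{base + i} app-session-1 +1212555{(i * 37) % 1000:04d} "
                     f"{'hit' if i % 5 else 'miss'}")
    # Scraper: 2000 consecutive numbers in under a minute, about 1 in 6 resolves.
    for i in range(2000):
        lines.append(f"{base + i // 34} scraper-7 +1212555{i:04d} "
                     f"{'hit' if i % 6 == 0 else 'miss'}")
    return lines


if __name__ == "__main__":
    for client, reasons in detect_enumeration(make_sample_log()).items():
        print(client, "->", "; ".join(reasons))
```

Per-client counting is the first line of defence, not the last: a scraper can spread lookups across many sessions or addresses, so the same hit-rate check is worth running over the whole number space as well, and the lookup itself should honour the user's setting that their number not be discoverable, since the numbers leaked here included ones users had hidden from their profiles.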
Data for Sale, Then Dumped for Free
At some point, criminals began using this feature to steal information and then offered it for sale, potentially after having combined it with data obtained from other sources.
In mid-January, Alon Gal (@UnderTheBreach), CTO of cybercrime intelligence firm Hudson Rock, first reported that a Facebook vulnerability had been exploited and used to create a database for 533 million users that gave access to many of those individuals’ phone numbers.
Gal reported that someone had created a bot for the Telegram instant messaging service that, for a low fee, would provide lookups of the database. By entering a user’s Facebook ID, service users could run searches, giving them the potential ability to retrieve extensive information on a Facebook user, including their phone number.
In early 2020 a vulnerability that enabled seeing the phone number linked to every Facebook account was exploited, creating a database containing the information of 533m users across all countries.
It was severely under-reported and today the database became much more worrisome 1/2 pic.twitter.com/ryQ5HuF1Cm
— Alon Gal (Under the Breach) (@UnderTheBreach) January 14, 2021
On April 3, Gal warned that “all 533 million Facebook records were just leaked for free.”
Whoever was selling the information may have reached the point of declining returns and decided to dump it to hype their brand. Such an approach has been used by other data breach merchants, including ShinyHunters.
Has My Phone Number Been Pwned?
On Tuesday, Troy Hunt, who runs the free Have I Been Pwned breach notification service, said that he’d updated the service to enable users to search for phone numbers that had been stolen from Facebook.
Should the FB phone numbers be searchable in @haveibeenpwned? I’m thinking through the pros and cons in terms of the value it adds to impacted people versus the risk presented if it’s used to help resolve numbers to identities (you’d still need the source data to do that).
— Troy Hunt (@troyhunt) April 4, 2021
In a blog post, Hunt said he’d never previously seen any value in allowing individuals to use a phone number to see if they’d been pwned.
“So long as there are email addresses that can be searched, phone numbers don’t add a whole lot of additional value,” he said. But the latest Facebook breach to come to light changed that, because while more than 500 million records had a phone number, “only a few million” also had email addresses, so more than “99% of people were getting a ‘miss’ when they should have gotten a ‘hit.’”
Ireland’s GDPR Enforcer Investigates
Meanwhile, regulators say they have questions for Facebook.
On Tuesday, Ireland’s Data Protection Commission announced it is investigating the leaked data, at least some of which appeared to have been obtained by attackers who used Facebook’s “phone lookup functionality,” which Facebook said occurred from June 2017 to April 2018. The EU’s General Data Protection Regulation came into full effect in May 2018.
“The newly published dataset seems to comprise the original 2018 (pre-GDPR) dataset and combined with additional records, which may be from a later period,” DPC says.
The regulator said it contacted the social network over the April 3 weekend after “it received no proactive communication from Facebook.” Under GDPR, breached organizations are required to share full details of an incident with regulators within 72 hours. Failure to comply can lead to fines of up to 20 million euros ($24 million) or 4% of the organization’s annual global revenue – whichever is greater.
The DPC said officials at Facebook eventually told it: “The data at issue appears to have been collated by third parties and potentially stems from multiple sources. It therefore requires extensive investigation to establish its provenance with a level of confidence sufficient to provide your office and our users with additional information.”
When Was Data Stolen?
In his Tuesday blog post, Facebook’s Clark says: “We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019.”
Ashkan Soltani, an independent privacy and security researcher who previously served as the chief technologist of the Federal Trade Commission, notes that criminals appear to have had access to the data until at least June 2019.
— ashkan soltani (@ashk4n) April 6, 2021
In 2019, Facebook reached a landmark $5 billion sanction agreement with the FTC. In return for Facebook agreeing to numerous security and policy changes – and promises – the agency also indemnified Facebook for any activity that occurred prior to June 12, 2019.
Also, in Europe, GDPR – as noted – came into full effect in May 2018. “Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR,” Ireland’s DPC reports.
But if the scraping actually took place through 2019, then Facebook could find itself at the receiving end of a full-scale investigation potentially not just by the FTC, but also by GDPR enforcers in Ireland, aiming to find out what Facebook knew, when it knew it and why it failed to notify users in a timely manner.
Let’s see how the social network scrapes its way through this one.