Dumped Facebook Users' Personal Information Ripe for Cyberattacks

The cellphone numbers and other personal information of 533 million Facebook users from 106 countries has been posted online. Cybercriminals can use the information to launch attacks.

Alon Gal, CTO of cybersecurity firm Hudson Rock, tweeted about the data dump this weekend. The United States had 32.3 million affected users and United Kingdom had 11.5 million.

The released data includes Facebook users’ mobile numbers, name, gender, location, relationship status, occupation, date of birth and email addresses.

According to Bleeping Computer, the data was originally sold in private sales after being collected in 2019 using a bug in the “Add Friend” feature on Facebook. Facebook closed this vulnerability soon after discovering it. But threat actors continued to circulate the data until it was practically free over the weekend, it said.

Unscrupulous Scammers Will Use All the Information They Can Get

Purandar Das is CEO and co-founder at Sotero.

Sotero’s Purandar Das

“This makes you wonder as to how much of that information ends up in the legitimate marketing industry,” he said. “It only takes a few vendors to integrate this data into the broader data set the marketing industry uses. Mobile numbers and Facebook handles are typically in pretty high demand. Of course, the unscrupulous scammers will use every bit of information they can get in their scams.”

Setu Kulkarni is is vice president of strategy at WhiteHat Security. He calls the data dump “the tsunami of the past.”

WhiteHat Security’s Setu Kulkami

“While Facebook has fixed the issue, the damage of exfiltration of sensitive data occurred before the vulnerability was fixed,” he said. “Considering that millions of phone numbers are out in the open, along with enough personal data about the phone number owners, it is likely that there will be a spike in smishing. Now more than ever, it is important to seriously reconsider using phone numbers as logins or sharing phone numbers with apps. Switching phone numbers is inordinately more taxing than switching email IDs.”

Common Attack Pattern

Michael Isbitski is technical evangelist at Salt Security. He said content scraping is a common attack pattern. At the very least, the data is useful to attackers for phishing campaigns and social engineering, he said.

Salt Security’s Michael Isbitski

“Organizations must protect their APIs and monitor consumption continuously in order to catch such malicious activity as content scraping or authorization bypasses,” Isbitski said. “API security issues can also expose organizations to regulatory penalties, since many standards and legislation … explicitly define types of personal identifiable information (PII) that must be protected. This includes phone numbers and account identifiers as seen in the leaked Facebook data sets.”

Cybercriminals can combine even seemingly innocuous types of data to uniquely identify individuals and impact privacy, he said.

No Surprise

Digital Shadows’ Ivan Righi

Ivan Righi is a cyber threat intelligence analyst at Digital Shadows. He said it’s not a surprise that this data leak has resurfaced. Few threat actors could buy the data when it it initially carried a relatively steep price.

“The breach was probably resold multiple times since then until the price lowered enough that a user decided to publicly expose it to generate a small profit and increase reputation,” he said. “This activity frequently happens in criminal forums. While the data may be old, it still holds a lot of value to cybercriminals.”

It is likely most phone numbers are still active and remain linked to legitimate Facebook users, Righi said. Cybercriminals can use information such as phone numbers, emails and full names to launch targeted social engineering attacks. Those include phishing, vishing or spam.

Cybercriminals may find success with most people working from home, he said.

“For example, cybercriminals could send text messages impersonating companies or banks to users,” Righi said. “These messages could name the individual within the text to add credibility and include malicious links.”