Latest Facebook security lapse exposes millions to account hijack

In the latest Facebook privacy lapse, the company stored more than 419 million Facebook IDs and phone numbers in an online server that was not password protected.

The dataset was discovered by a security researcher and included around 133 million records for users in the US, 18 million records for users in the UK and 50 million records for users in Vietnam, according to TechCrunch.

The lack of a password meant that anyone could access the data, which could be used to determine usernames, and in some cases included names, gender and country location.

It is not known how long the data was available online, but access to it was shut down after TechCrunch contacted the web host.

Facebook said it was investigating when and by whom the database was compiled, according to The Guardian, which said a spokesperson for the company claimed that the actual number of users affected was approximately 210 million because many of the records were duplicates.

It is believed that the records were collected using a tool that Facebook disabled in April 2018 after the Cambridge Analytica data sharing scandal that exposed Facebook’s lax approach to privacy.

The tool had enabled anyone to search for users by their phone number, but it could be hijacked by data scrapers, which is why it was shut down and why the company is insisting that the data contained in the exposed database is “old” because it must have been collected prior to the April 2018 policy change.

A spokesperson said in a statement that “the dataset has been taken down and we have seen no evidence that Facebook accounts were compromised”, but gave no indication if Facebook would alert users affected by the breach or offer any support.

The fact remains that many of the phone numbers involved remain in use by affected Facebook account holders and could be used by criminals to hijack other accounts associated with those phone numbers.

“Armed with phone numbers, a threat actor can hijack accounts associated with that number by having password reset codes sent to the compromised phone, as well as attempt to trick automated systems from victims’ banks, healthcare organisations, and other institutions with sensitive data into thinking the attacker is the victim,” said Jonathan Bensen, CISO at security firm Balbix.

“Exposed individuals even put their employers at risk; attackers can leverage stolen numbers to obtain unauthorised access to work email and potentially expose more data,” he warned.

The latest high-profile attack of this type of attack, known as Sim swapping, is Twitter chief executive officer Jack Dorsey, whose Twitter account was hijacked recently by attackers who appear to have gained control of his mobile phone number.

Misconfigurations, said Bensen, have been the reason behind several data leaks this year including incidents affecting Orvibo, Tech Data and ApexSMS.

“Companies are tasked with the hefty burden of continuously monitoring all assets across hundreds of attack vectors to detect vulnerabilities. Through this process, companies are likely to detect thousands of flaws in their network – far too many to tackle all at once.

“The key to thwarting future instances of data exposure is to leverage security tools that employ AI [artificial intelligence] and ML [machine learning] to observe and analyse the entire network in real time and derive insights to prioritise the vulnerabilities that need to be fixed.”

Dmitry Kurbatov, CTO of Positive Technologies, said this latest Facebook breach is a reminder that even the largest companies companies can fail to secure data.

“Companies and consumers are very quick in the creation and adoption of new technologies and services, but often they fail to protect themselves from the most basic attacks,” he said.

In terms of the damage that could be done, Kurbatov said information is power for attackers. “Information like name, surname, phone number, birth date, ID number – this would probably be enough impersonate you to your mobile carrier. Then [the attacker] can ask to setup call and SMS forwarding, or to swap the sim – essentially, from there, the number is hijacked. 

“Even though the information in each user record is not that detailed – facebook ID, gender and phone number, this data could be useful to supplement another leaked database missing these pieces of information.

“The risk here is that many services, including banks, use phone numbers as a way to authenticate users. If the number is hijacked, they can bypass this protection and potentially break into accounts,” he warned, also citing the hijack of Jack Dorsey’s Twitter account as an example.