CORRECTION: HALF-BILLION FACEBOOK USERS BREACHED - Privacy Down Tubes Since 9-11

(04/08/2021)
More than a half-billion Facebook users had their personal information leaked in the latest reported breach that has brought attention back to the social media giant's poor record of protecting users' data and privacy.

Since 9-11, the US Government has operated the largest surveillance programs, which are considered a breach of personal confidentiality. Privacy was once considered a protected right, but since the widespread rise of social media and political sites, most Americans don't seem to care.

The publicly accessible database had personal details of Facebook users with full names, phone numbers, locations, email addresses, marital status and more. Even Facebook CEO Mark Zuckerberg's phone number was reportedly leaked in the process.

Over 533 million users were impacted worldwide, including more than 32 million U.S. accounts.

According to Facebook, the data was scraped from users' accounts two years ago and the underlying security issue was resolved. "This is old data that was previously reported on in 2019," said Facebook spokesperson Liz Bourgeois. "We found and fixed this issue in August 2019."

The original breach in 2019 was reported when technologists found a publicly accessible server with the phone numbers and Facebook IDs of more than 419 million Facebook users across different countries. Hackers were said to have scraped the user data by exploiting a now-disabled feature that allowed people to find friends by searching for their phone numbers.

The data lost in the original breach was rediscovered Saturday by Alon Gal, co-founder of the cybercrime intelligence firm Hudson Rock, who found the information on a well-known forum for low-level hackers. For a small price in digital credit, anyone could get access to a searchable database of Facebook users' phone numbers and other personal information.

"This obviously has a huge impact on privacy," Gal tweeted. "I have yet to see Facebook acknowledging this absolute negligence of your data."

Facebook apologized for the data loss in 2019 but never directly informed users their accounts had been compromised.

The social media giant was forced to pay a historically large $5 billion fine to the Federal Trade Commission for misleading users into providing phone numbers for two-factor authentication but instead using the information for targeted advertising, among other deceptive practices.

As part of a privacy overhaul following the July 2019 FTC settlement, Facebook updated its two-factor authentication feature so that phone numbers added for security purposes would not be used to suggest friends.

It's not entirely clear if the information released by hackers was stolen as a result of Facebook aggregating users' phone numbers. What is clear is that the information scraped from Facebook never stopped spreading. Cybersecurity specialists and cybercriminals continue to find the information in databases and servers.

Despite Facebook claiming the leak was "old data," that information can still be used for social engineering attacks, hacking and scamming, unless users changed their phone numbers or email accounts.

"It's probable that most phone numbers are still active and remain linked to legitimate Facebook users," said Ivan Righi, a cyber threat intelligence analyst at Digital Shadows. "Cybercriminals can use information, such as phone numbers, emails, and full names to launch targeted social engineering attacks, such as phishing, vishing, or spam."

People who are concerned about their accounts can check the data breach notification site Have I Been Pwned. The site was updated to show compromised phone numbers and emails.

Facebook users are understandably frustrated with yet another report that the company mismanaged their data. Others are growing tired of apologies followed by statements about how seriously Facebook takes user privacy.

"You can see they obviously don't care," said Lee McKnight, a professor at Syracuse University's School of Information Studies. "Their business model is selling private information to advertisers. Sometimes that data leaks to others. This is a case of people's private information leaking to others and they still don't care."

The company has a long history of failing to protect customer data and has been in the news in recent years for massive breaches that seem to be getting bigger each year.

In 2015, Facebook was at the center of the Cambridge Analytica scandal, where the third-party app developer improperly harvested data on 87 million users. That data was used to micro-target voters in the 2016 U.S. presidential election and British Brexit voters. Facebook was fined by U.S. and British regulators for mishandling user data and changed its policy around the information shared with third-party app developers.

In 2018, Facebook revealed that app developers could improperly access 5.6 million users' photos, including timeline photos and images uploaded to Facebook but never shared. Facebook said it was the result of a Photo API bug that was fixed after running for less than two weeks.

Throughout 2019, Facebook saw several data leaks involving hundreds of millions of accounts, including a high-profile incident where data on more than 267 million users were exposed on an unsecured, publicly accessible database.

That same year, the company was found to be storing at least 600 million Facebook and Instagram passwords in plaintext files that could be accessed by employees.

Dating back to 2016, Facebook was caught harvesting customers' email contacts without consent. New users were asked to verify their email addresses by entering their email passwords. That allowed Facebook to automatically import a person's entire contact list without their permission and with no way to cancel the process once it started.

Facebook has also deployed cookies and other technology to track the online activity of users and non-users. Facebook can still keep tabs on internet users even after they sign out, or if they never registered with the social media platform. The activity was ruled to be a violation of European privacy laws, and U.S. lawmakers have voiced concern over the practice.

Historically, the cost of failing to protect user data and privacy has been minimal. The company has taken several reputational hits throughout the years, but it has continued to grow to 2.6 billion active monthly users. It has been fined by U.S. and European regulators and sued by governments around the globe, but it is still valued at nearly $900 billion.

Many of its problems are built into Facebook's design as a company, said Oliver Tavakoli, chief technology officer at the AI cybersecurity firm Vectra. "That business model is inherently one which monetizes end-user data rather than valuing end-user privacy," he said.

Moreover, there are few incentives for Facebook to alter its business model and limited outside pressure on the company to take the steps needed to seriously protect user privacy and data.

"You're not going to get them to change in the current schema," McKnight argued. "You need privacy laws and a national-level regulator that has some teeth and can enforce consequences. Otherwise, this is guaranteed to happen again."

There is a growing appetite in Washington to rein in the power of Big Tech through regulations and privacy laws. Several Democratic and Republican members of Congress have introduced various pieces of privacy legislation and consumer data protection bills in recent years.

Unlike Europe, the United States does not have comprehensive internet privacy laws. Much of the responsibility for enforcing consumer data protections falls on the Federal Trade Commission or Federal Communications Commission.
