In 2018, Facebook faced a series of data privacy breaches that resulted from the now infamous Cambridge Analytica scandal, which affected 87 million users. For that, Mark Zuckerberg faced both houses of Congress to answer a spectrum of questions ranging from fake news to Russian intervention and data privacy.
In September, Facebook’s Guy Rosen, VP of product management, reported in a blog post that attackers exploited a vulnerability in the social media platform’s code which exposed the data of 50 million users. Rosen later explained that only about 30 million users’ “access tokens” had actually been stolen. Hackers could use these tokens to take over people’s accounts.
White hat hacker Alon Gal’s (@UnderTheBreach) Twitter photos of the latest Facebook hack, which involved 533 million users, not only had a breakdown of which countries were affected but also showed spreadsheets of the data freely accessible on the Dark Web. In the Philippines, Malaya Business Insight reported that some 900,000 subscribers were affected. Facebook IDs, names, sometimes emails and phone numbers, birth dates, and locations were conveniently laid out in spreadsheet form for misuse and abuse.
His earlier post, in early 2020, said “a vulnerability that enabled seeing the phone number linked to every Facebook account was exploited, creating a database containing the information of 533m users across all countries. It was severely under-reported.” Gal said in a succeeding Tweet that it “was worrisome”, prompting several security experts to say that there may be more holes to plug in FB’s privacy code.
Facebook, however, says Gal’s screenshots are of old data, and the original Tweets were dated January 2019.
But did Facebook fix the issue and assure better protection for users? There was no information about the breach then and very little information about it now. Facebook in the Philippines and regionally has not been responding quickly enough about the hack, saying only that it has been repaired.
“This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019,” says Liz Bourgeois, Director, Strategic Response Communications at Facebook, in a Tweet responding to the data leak incident reported by 9to5Mac.com and later picked up by Business Insider.
Facebook reacted to the leak as if it were all in a day’s work.
This rather timid attitude towards the breach makes it appear that the social media giant does not have a real sense of the enormity of a single leaked name and the information that comes with it. Although it may appear that it understands its responsibility to protect its users’ privacy, this is not reflected in the way this data breach or others in the past were handled.
It simply said a patch was made to solve the problem.
And it does not take responsibility for the data loss.
According to the user agreements on almost all social media sites and apps, that seems to be entirely the subscriber’s responsibility. Users usually don’t bother to read the legalese and the fine print. Though some responsibility (hard-to-crack passwords, careful use of shared computers and so on) is on the user, the greater, uncontrolled part rests where the user data resides: in the servers of Facebook, wherever these are, because the breach happened there and not on the user’s computers.
When stolen goods are fenced, there is little possibility of getting them back.
When personal data is fenced, it can be passed on from one black hat hacker to another until it makes money. In December 2020, Kaspersky researchers dug into the Dark Web to find out the sale price for users’ private information online.
On one hand, name sets can be very cheap—less than a cent—which means huge datasets in the millions will only cost hundreds or thousands of dollars. On the other hand, driver’s license information costs $5 and credit card details start around $6.
The information taken from the breach can be used by black hat hackers for financial gain or for doxing, which is the public de-anonymization of a person online, or, even worse, sold for sextortion or hijacking personal finances.
Some subscribers affected by the 2015 Ashley Madison data breach were recently haunted by their virtual infidelity. According to Vade Secure threat analyst Damien Alexandre, in a January 2020 report, a new extortion scam that leverages user account data from that breach is being used against subscribers in an individual and personal manner.
It (the Ashley Madison breach) “is coming back to haunt users in the form of a highly personalized extortion scam,” says Alexandre. The target receives an email threatening to share their Ashley Madison account, along with other embarrassing data, with family and friends on social media and via email. The aim is to pressure the recipient into paying a Bitcoin ransom of .01188 BTC, or roughly the equivalent of $1050.
These sextortion campaigns are not limited to the Ashley Madison breach. Cybercriminals may use any available data on the Dark Web, especially records with emails or phone numbers, to send a threatening email filled with personal details, then claim to have compromising videos or photos that will be emailed to friends, family and colleagues unless a Bitcoin ransom is paid. Most of these threats are hoaxes; if the recipient has a clean conscience, the advice is to ignore such emails, since the threats are empty.
Nevertheless, personal data is out there for the picking.
The National Privacy Commission has ordered the Facebook data privacy officer in the Philippines to provide more information about the breach. Penalties of up to P5M can be levied against the company. In 2018, the NPC ordered Facebook to provide identity theft and phishing insurance to nearly 800,000 Filipino FB users whose accounts were compromised in the Cambridge Analytica disturbance. There is no information at this time on whether this order was carried out or whether Facebook was penalized.
UPDATE: Business Insider reported that the cell phone number of Facebook CEO Mark Zuckerberg is among the private personal information leaked to members of a low-level hacking forum.