Since Saturday is a a large amount of Facebook data has been publicly disseminated and information from approximately 533 million Facebook users spread over the Internet. The data includes things like profile names, Facebook ID numbers, email addresses and phone numbers. It’s all the kind of information that has been leaked or deleted from another source, but it’s another source that links all the data together – and links it to each victim – that neat profiles to scammers, phishers and spammers a silver dish.
Facebook’s initial response was simply that the data had previously been reported in 2019 and that the company had posted the underlying vulnerability in August of that year. Old news. But a closer look at where this data is coming from yields a much darker picture. The data, which first appeared on the criminal web in 2019, comes from a breach that Facebook did not disclose in detail at the time and only fully acknowledged on Tuesday night in a blog post attributed to product management director Mike Clark. .
One source of confusion was that Facebook had a number of violations and exposures from which this data could arise. Was it the 540 million records – including Facebook IDs, comments, likes and comment data – that were exposed by a third party and released in April 2019 by the security firm UpGuard? Or was it the 419 million Facebook user records, including hundreds of millions of phone numbers, names and Facebook IDs, that were deleted in front of bad actors before a 2018 policy change in 2018 from the social network, which was publicly exposed in September 2019 and reported by TechCrunch? ? Did this have anything to do with the Cambridge Analytica third-party data exchange scandal of 2018? Or was it somehow related to the massive Facebook intrusion on 2018 that endangers access tokens and virtually all personal data of approximately 30 million users?
In fact, the answer seems to be none of the above. As Facebook finally set out in background comments to WIRED and in its Tuesday blog, the recent public record of 533 million records is a very different data set that attackers created by abusing an error in the input address book contacts feature. Facebook says it posted the vulnerability in August 2019, but it is unclear how many times the bug has been exploited before. The information of more than 500 million Facebook users in more than 106 countries includes Facebook IDs, phone numbers and other information about early Facebook users such as Mark Zuckerburg and the US Secretary of Transportation, Pete Buttigieg, as well as the European Commissioner for data protection, Didier Reynders. Other victims include 61 people who mention the ‘Federal Trade Commission’ and 651 people who mention ‘Attorney General’ in their details on Facebook.
You can check if your phone number or email address was exposed in the leak by checking the HaveIBeenPwned website. For the service, founder Troy Hunt reconciled and took in two different versions of the data set that floated around.
“If there’s a vacuum of information from the organization that implies, everyone is speculating, and there’s confusion,” Hunt says.
The closest fact that Facebook previously acknowledged the source of this offense was a comment in a fall news article from the fall of 2019. That September, Forbes reported a related vulnerability in Instagram’s mechanism for importing contacts. The Instagram bug exposed users, phone numbers, Instagram handles and account ID numbers to users. At the time, Facebook told the researcher who made the mistake, that the Facebook security team ‘was already aware of the problem due to an internal finding’. A spokesman said Forbes At the time, “We changed the contact importer on Instagram to prevent potential abuse. We are grateful to the researcher who raised this issue. ‘ Forbes noted in the September 2019 story that there was no evidence that the vulnerability was exploited, but also no evidence that it was not.