What really caused the data leak of 500 million users from Facebook?

As of Saturday, a massive amount of Facebook data has been circulating publicly, spilling information from about 533 million Facebook users onto the internet. The data includes things like profile names, Facebook IDs, email addresses, and phone numbers. It is all the sort of information that may already have been leaked or taken from another source, but it is yet another resource that ties all this data together – and binds it to each victim – handing neat profiles to scammers, phishers and spammers on a silver platter.

Facebook’s initial response was simply that the data was previously reported in 2019 and that the company fixed the underlying vulnerability in August of that year. Old news. But a closer look at where exactly this data comes from produces a much stranger picture. In fact, the data, which first appeared on the criminal dark web in 2019, comes from a breach that Facebook did not disclose in any significant detail at the time and fully acknowledged only on Tuesday night in a blog post attributed to product management director Mike Clark.

One source of confusion was that Facebook had a number of breaches and exposures from which this data could have come. Was it the 540 million records – including Facebook IDs, comments, assessments and feedback – exposed by a third party and disclosed by security firm UpGuard in April 2019? Or was it the 419 million Facebook user records, including hundreds of millions of phone numbers, names and Facebook IDs, taken from the social network by bad actors before a 2018 change in Facebook’s policy, that were exposed publicly and reported by TechCrunch in September 2019? Did it have anything to do with the 2018 Cambridge Analytica third-party data sharing scandal? Or was this somehow related to the massive Facebook data breach in 2018 that compromised access tokens and virtually all personal data from about 30 million users?

In fact, the answer seems to be none of the above. As Facebook finally explained in background comments to WIRED and on its blog on Tuesday, the 533 million records that recently became public are a completely different data set, one that attackers created by abusing a flaw in a Facebook address book contact import function. Facebook says it fixed the vulnerability in August 2019, but it is unclear how many times the bug has been exploited so far. The information, from more than 500 million Facebook users in more than 106 countries, includes Facebook IDs, phone numbers and other information about prominent Facebook users such as Mark Zuckerberg and US Secretary of Transportation Pete Buttigieg, as well as the EU Commissioner for Data Protection, Didier Reynders. Other victims include 61 people listing the “Federal Trade Commission” and 651 people listing the “Attorney General” in their Facebook details.

You can check whether your phone number or email address has been leaked using the HaveIBeenPwned breach tracking site. For the service, founder Troy Hunt reconciled and ingested two different versions of the circulating data set.

“When there is a vacuum of information from the organization, everyone speculates and there is confusion,” says Hunt.

The closest Facebook previously came to acknowledging the source of this breach was a comment in a fall 2019 news article. In September, Forbes reported a related vulnerability in Instagram's mechanism for importing contacts. The Instagram bug exposed usernames, phone numbers, Instagram handles and account identification numbers. At the time, Facebook told the researcher who disclosed the flaw that the Facebook security team was “already aware of this problem due to an internal finding.” A spokesman told Forbes at that time, “I changed the contact importer on Instagram to help prevent potential abuse. We are grateful to the researcher who raised this issue.” Forbes noted in the September 2019 story that there was no evidence that the vulnerability had been exploited, but also no evidence that it had not.
