On Saturday, April 3, 2021, users on RaidForums started posting links to download a Facebook data leak that contained approximately 533 million user records. A few hours later, news agencies began publishing reports detailing the leak. The Facebook data leak included Facebook unique IDs, phone numbers, email addresses, names, and other personally identifiable information. Released on an accessible dark web forum, the over half a billion records represent roughly 20% of Facebook’s user base.
The data itself is not new but rather is linked to a 2019 breach that leveraged a vulnerability remediated by Facebook in August of 2019. An automated bot most likely leveraged the vulnerability to scrape the data and has since been for sale to prospective buyers on multiple data breach marketplaces and forums.
A Look at the Facebook Data Leak
Data breach broker groups originally sold and traded the dataset. The original poster of the dataset on RaidForums was still responding to PMs to sell the breach as late as February 13, 2021.
On April 3, 2021 at 13:37 GMT, an actor posted the same breach for free. Over 100+ ufile links, all pointing to the respective country from the breach, were part of the post.
Security research, hacker, and cybercrime communities all rushed to download the data. Multiple actor circles mirrored the data on their own websites, Telegram, Discord and Torrent servers.
After ZeroFox research obtained the dump, we parsed out all of the email addresses and removed any with an @facebook.com domain, as these were created by Facebook automatically. ZeroFox found approximately 2.5 million unique, non-Facebook emails.
How Bad Actors Use Leaked Social Media Data
Criminals will use the data from this breach for the foreseeable future. This is due to the volume of rows within the dataset, the number of columns that contain PII that users cannot change easily, as well as methods that were published by actors before the dataset was publicly disclosed.
Although no password hashes were released in the data, the value of PII included in this data breach helps criminals in a number of ways. For example, threat actors were already using this data to target specific Facebook accounts and obtaining their phone number and PII to make their attacks more successful.
As an industry, we have over used personal phone numbers as a form of identity and authentication. Whether we use these numbers for 2-Factor authentication over SMS or to identify ourselves with our banks, social media accounts, or medical accounts, the phone number remains a critical component of our daily lives. People do not change phone numbers as easily or freely as they change their passwords and credit card numbers. With that, we assess that the following high impact usages of this breach will occur:
- Doxxing of victims: Given a Facebook ID, doxxing actors can pivot from the unique ID to a phone number. Doxxing leads to harassment of private individuals which can escalate to physical harm via methods like SWATting.
- SIM Swaps: Data breaches such as the Ledger breach have been a gold mine for SIM swappers to target users of cryptocurrency services, exchanges, and brokerages. SIM swappers will use this data as an additional tool to target individuals for account takeover for the purpose of fraud or harassment
- Phishing and Spam: SMS Phishing (Smishing) campaigns have been surging throughout the pandemic, and recent reports in the UK have highlighted the effectiveness of Smishing campaigns. This leak provides a fresh list of potential victims and will most likely be used to fuel phishing, spam, and malware campaigns. The dataset is also separated by country, so actors can adjust their targeting strategies by locale when using this data
- Account Takeover: Although SIM swaps lead to account takeover, the data within this breach can also increase the efficacy of general account takeover methods. Other columns in the breach included location, gender, employment status, and name. This could be enough metadata to answer security questions, socially engineer customer support representatives, or serve as additional pivot points to find more data.
What Social Media Users Can Do
Finding out that your private information has been compromised is never pleasant. Unfortunately, over the last several years the likelihood of having information leaked on a public platform such as a social network is increasingly common. Nevertheless, there are steps everyday users can take to protect themselves when engaging online.
Check if your email was part of the Facebook data leak
In response to the Facebook data leak, the founder of data breach notification service, HaveIBeenPwned, has added the leaked data to help users identify if their information was part of the breach. Currently the uploaded data only includes email addresses, but HaveIBeenPwned is currently evaluating adding leaked phone numbers as well. Note that even if your email address was not associated with the breach but you have a phone number linked to your Facebook account, there is still a possibility that you were part of the leak.
Review the information you connect to social media accounts
All too often, we create accounts on social networks and other public sites with little mind to how that information can be leveraged if compromised. Not all requested information is required for account creation, so consider disclosing only what information is necessary when creating new accounts. For current social media users, review your account settings within each platform to determine if the information stored with that platform is necessary or could be removed. For example, Facebook requires an email address or phone number for account creation, not both. Consider also limiting the amount of PII you share with any public platform.
Be mindful of what you share publicly on social media
Bad actors don’t only rely on data breaches to obtain user information; the information users share on their own personal social media accounts can be leveraged for brute forcing passwords, physical theft, and social engineering attacks. One prime example of this is viral social media quizzes that ask users for a variety of personal information that can help hackers steal passwords or target users online or in person. Be careful what you share online and review your privacy settings to ensure what you share is not publicly accessible outside of your trusted friend circle.
What Businesses Can Do
This latest Facebook data leak is a reminder of what we’ve come to know: the rapid adoption of public platforms such as social media has given new opportunity to attackers. This new, growing public attack surface requires businesses to gain visibility into the platforms their employees and customers are leveraging for corporate and personal use and has created a new responsibility for businesses to protect their people, customers and assets on public platforms like social media and the surface, deep, and dark web.
Executives and VIPs are top targets for social media attacks
Companies must recognize that their executives are both their greatest brand ambassadors and greatest vulnerability online. Because of their influence, they represent a lucrative opportunity for attackers seeking a large audience. Recent examples of this include the large scale account hacking in July 2020 that targeted celebrities and CEOs alike. Executives are prime targets for account hacking as well as impersonation attacks, which put not only the executive but their followers at risk.
Security teams must protect executives online as they would their corporate accounts, recognizing that gaining access to an executive’s online profile can serve as an entry point into the broader corporate network. Training executives and VIPs on the risks of social media and digital platforms is a good first step, but even better is implementing protection strategies to help prevent and mitigate account hacking and impersonation attempts.
Protect customers where they engage with your business
With digital transactions at an all-time high, organizations must implement security measures to protect their customers on the public platforms where they engage with the brand. The first step in doing so is ensuring that any interaction a customer has with your organization is legitimate. That means putting tools in place to quickly identify and take down any fake profiles or sites impersonating your organization on social media or elsewhere on the web. Customers are more likely to share information with a brand they trust and could be fooled into sharing personally identifiable information with an impersonating account. Ensure owned social media accounts have strict security settings in place, paying particular mind to platforms such as Facebook and LinkedIn that require personal accounts to serve as administrators for corporate pages.
Ensure visibility into public platforms to quickly identify threats
Without visibility into social networks and the dark web, data breaches like the Facebook data leak would not have been identified. In order to protect against this new public attack surface, organizations must first implement protection and intelligence tools that analyze millions of data points across these platforms to quickly identify and remediate threats. ZeroFox offers organizations protection across all public platforms, giving you the protection, intelligence and disruption necessary to confidently address the growing public attack surface.
Resurgence of Facebook Data Leak Serves as a Reminder of the Importance of Social Media Protection
Ultimately, this latest social media data breach should serve as a reminder to security teams, enterprises, and individual users alike that we must be careful with the information we share online. Understanding the tactics bad actors use to both obtain and leverage this information is helpful in establishing clear security measures to address these growing threats. Don’t go at it alone. ZeroFox is dedicated to helping organizations protect themselves and their customers on public platforms.