Cybersecurity researchers at Cyble found that a database with 267 million Facebook user profiles had been sold on the Dark Web, reported cybersecurity firm Sophos. The firm bought the database for $540 or ₹41,033.
The user records comprised unique Facebook IDs, email addresses, age, and even phone numbers. As per the report, even though no passwords were exposed, emails and text messages could be used for phishing campaigns (luring individuals to reveal sensitive information).
While the source of the data breach could not be ascertained, cybersecurity experts believe that the database might have leaked through Facebook’s third-party developer API (tools used to build software).
The Unknown Actor
Reportedly, the user records were shared elsewhere before being sold on the Dark Web. The database was initially taken down by the ISP (Internet Service Provider) hosting the page. When it reappeared, an unknown actor replaced the personal information with ‘dummy data’ and changed user names to “please_secure_your_servers.”
This was first spotted by researcher Bob Diachenko, who then teamed up with Comparitech, a technology comparison website, to discover that the Facebook user records were exposed for roughly 14 days before they were removed.
Protecting your Facebook Information
The more information a user makes public, the more vulnerable he or she is to cyber-attacks, online scams and phishing campaigns. It is, therefore, important to be wary of emails and texts received from unknown sources. Cybercriminals can use the exposed email addresses of the compromised Facebook accounts to harvest passwords. They can do this by comparing the addresses with previously leaked databases that included passwords.
If someone uses the same email address and password elsewhere, it can lead to leakage of more sensitive information. Therefore, it is suggested to activate two-factor authentication for Facebook accounts to prevent scammers from harvesting your valuable data.
Allegations of Illegal data harvesting by Facebook
In December 2018, the Italian Competition Authority (AGCM) had imposed a penalty of 10 million euros ($11.4 million) on Facebook for illegally harvesting the data of its users for commercial purposes. The Authority said, “Facebook has been practising aggressive policies towards registered users, who suffer from the transfer of their personal data by Facebook to third parties without their direct and prior consent, thus without notification and automatically”.
The Authority had also asked Facebook to run an apology on its website and app. A Facebook spokesperson said the company was considering the decision of the Authority and the matter would be resolved soon. The company had made some changes in its policy providing more rights to the users.