On April 3, Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, reported that the personal data of over 533 million Facebook users had been released for free on the open Internet via a hacking forum that deals in the buying and selling of platform data leaks.
According to Facebook, the data was obtained in 2019 by profile scraping through a vulnerability in a tool the platform used to synchronize contacts, possibly related to the Instagram exploit that an Israeli hacker going by the handle @ZHacker13 documented in 2019.
The leak spans subjects from over a hundred countries and includes phone numbers, Facebook numeric IDs, full names, gender, civil status, geographic locations, hometowns, occupations, and in some cases e-mail addresses and dates of birth.
A security researcher who declined to be named and who analyzed the leaked files found that the Philippine data set contained over 899,000 entries, more than the widely reported figure of 879,699. The researcher also found that the data sets for places with significant Overseas Filipino Worker (OFW) populations, such as the United States, Canada, Saudi Arabia, the United Arab Emirates, Bahrain, Jordan, Brunei, Hong Kong, Taiwan, and Singapore, contain large numbers of Filipino entries, many of them listing hometowns in various provinces of the Philippines.
The researcher also stated that the leaked files contained data in varying formats, which may indicate that the data was obtained through several means and channels rather than through a single attack.
According to a cybersecurity expert (who also declined to be named), overseas Filipino workers and Filipinos in rural areas are especially vulnerable as a result of the Facebook user data leak. Since OFWs regularly remit money from abroad to relatives in the provinces, both the workers and their families are now more exposed to spoofing, phishing, social engineering, and other scams such as dugo-dugo.
Because people assume that their phone numbers are private, they may also assume that a caller or SMS sender who knows their name, number, and other leaked details is trustworthy, which opens them to scams and other attacks. OFWs are also often travelling and transact or communicate over the Internet, which makes them particularly vulnerable to online social engineering.
On April 6, Web security consultant Troy Hunt announced that he had added the 2019 Facebook leak data to the breach-checking site Have I Been Pwned? (HIBP) and that users can now search for their entries by phone number. Although one can check whether one's number appears in the 2019 leak data that Hunt obtained and loaded into the HIBP database, a negative result is no guarantee: one should not assume that one's private phone number is not floating somewhere else on the Internet, available to cybercriminals and other scammers.
According to BBC cybercrime reporter Joe Tidy, there were four separate Facebook data breaches in 2019 alone, each covering between 309 million and 600 million subjects. Moreover, Hunt stated that the files he analyzed had Italian filenames, whereas another security researcher encountered files with English country names, which indicates that multiple leaked Facebook data sets may be circulating on the Internet.
What should potentially affected users do?
- If you are a Facebook user, assume the worst-case scenario: that your private phone number has been leaked and is now effectively public knowledge on the Internet, and act accordingly.
- Start from zero trust: always verify the identity of unknown numbers that contact you via SMS or voice call before engaging with them.
- If you use Internet messaging applications that use your phone number as your identity, such as WhatsApp, Viber, Telegram, or Signal, apply the same rule, as your accounts may now turn up in contact searches run by scammers or cybercriminals.
- Avoid sharing information over the Internet unless it is vital that you do so, especially data commonly used for security questions, such as birth dates, and information that scammers can exploit, such as your hometown, current location, place of work, and family relationships.
- Change your Facebook password immediately and, if possible, turn on two-factor authentication.
Finally, although the leak is from 2019, Facebook should immediately inform affected subjects that their personal details have been exposed so that users may take adequate precautions to defend themselves. The fact that the data is now available on the Internet for free has vastly escalated the problem. Cross-referenced with the disastrous ‘Comeleak’ data breach of 2016, open knowledge over the Internet of the private phone numbers of Filipino Facebook users is a crisis in the making.
The author is a veteran Web developer, member of the Consortium on Democracy and Disinformation, and board member of Democracy.Net.PH, an ICT rights, governance, development, policy, and security advocacy group.