267M Facebook User IDs, Phone Numbers And Names Exposed Online – Expert Commentary

A database containing more than 267 million Facebook user IDs, phone numbers, and names was left exposed on the web for anyone to access without a password or any other authentication. Comparitech partnered with security researcher Bob Diachenko to uncover the Elasticsearch cluster. The open database, which has been pulled down, wasn’t protected by a password or any other safeguard for nearly two weeks. In fact, someone has already made the data available for download on a hacker forum.
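The failure mode the article describes is a plain one: an Elasticsearch REST endpoint answering anyone who connects, with no credentials requested. The check below is an added example written for this page (it is not Comparitech's or Bob Diachenko's code) that classifies what a host returns on the Elasticsearch REST port: a 401/403 means authentication is enforced, a 200 whose JSON carries `cluster_name` and `version` means the API is open, and a follow-up `GET /_cat/indices?format=json` then shows how much data is sitting behind it. The default port 9200, plain HTTP, and all sample responses are assumptions constructed for illustration, not data from the incident.

```python
"""Probe an Elasticsearch REST endpoint for unauthenticated access.

Added example for this article, not code from Comparitech or the researcher.
Assumptions: the cluster speaks plain HTTP on the default REST port 9200,
and the sample responses below are constructed, not captured from the
incident described in the article.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class ExposureReport:
    # "open", "auth_required", "not_elasticsearch" or "unreachable"
    verdict: str
    cluster_name: Optional[str] = None
    version: Optional[str] = None
    indices: Dict[str, int] = field(default_factory=dict)  # index -> doc count

    @property
    def total_docs(self) -> int:
        return sum(self.indices.values())


def interpret_root(status: int, body: str) -> ExposureReport:
    """Classify the response to GET / on the suspected Elasticsearch port.

    A 200 whose JSON carries cluster_name and version means the REST API
    answered with no credentials at all. 401/403 means security (X-Pack,
    a reverse proxy, etc.) is demanding authentication. Anything else is
    most likely not Elasticsearch.
    """
    if status in (401, 403):
        return ExposureReport("auth_required")
    if status != 200:
        return ExposureReport("not_elasticsearch")
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return ExposureReport("not_elasticsearch")
    if not isinstance(data, dict) or "cluster_name" not in data or "version" not in data:
        return ExposureReport("not_elasticsearch")
    version = data["version"].get("number") if isinstance(data["version"], dict) else None
    return ExposureReport("open", cluster_name=data["cluster_name"], version=version)


def add_index_listing(report: ExposureReport, cat_indices_body: str) -> ExposureReport:
    """Fold GET /_cat/indices?format=json output into an "open" report.

    docs.count is returned as a string, and is null for closed indices, so it
    is coerced defensively. Hidden/system indices (leading dot) are skipped.
    """
    if report.verdict != "open":
        return report
    for row in json.loads(cat_indices_body):
        name = row.get("index")
        if not name or name.startswith("."):
            continue
        count = row.get("docs.count")
        report.indices[name] = int(count) if count not in (None, "") else 0
    return report


def probe(host: str, port: int = 9200, timeout: float = 5.0) -> ExposureReport:
    """Live check of one host. Makes network calls; not exercised offline."""
    base = f"http://{host}:{port}"

    def fetch(path: str) -> Tuple[Optional[int], str]:
        try:
            with urllib.request.urlopen(base + path, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as exc:      # server answered, non-2xx
            return exc.code, ""
        except (urllib.error.URLError, OSError):   # refused, timeout, DNS
            return None, ""

    status, body = fetch("/")
    if status is None:
        return ExposureReport("unreachable")
    report = interpret_root(status, body)
    if report.verdict == "open":
        status, body = fetch("/_cat/indices?format=json")
        if status == 200:
            add_index_listing(report, body)
    return report


# Constructed sample responses (not real data from the incident).
SAMPLE_ROOT_OPEN = json.dumps({
    "name": "node-1",
    "cluster_name": "constructed-cluster",
    "version": {"number": "6.8.5"},
    "tagline": "You Know, for Search",
})
SAMPLE_CAT_INDICES = json.dumps([
    {"index": "profiles", "health": "green", "docs.count": "267000000"},
    {"index": ".kibana", "health": "green", "docs.count": "3"},
    {"index": "staging", "health": "red", "docs.count": None},
])


def demo() -> ExposureReport:
    """Walk the constructed responses through the same path probe() uses."""
    report = interpret_root(200, SAMPLE_ROOT_OPEN)
    return add_index_listing(report, SAMPLE_CAT_INDICES)


if __name__ == "__main__":
    r = demo()
    print(r.verdict, r.cluster_name, r.version, f"{r.total_docs:,} docs in", sorted(r.indices))
```

Run `probe()` only against hosts you own or are authorised to test. An "open" verdict on one of your own clusters means the fix is on the server side, not in the scanner: enable authentication, and bind the REST port to a private interface rather than the public internet.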

Expert Comments

December 20, 2019
Robert Prigge
CEO
Jumio
Yawn, another data breach. We're all getting a bit jaded by these breaches, and it’s a given that the information contained in Facebook’s compromised database could be used to conduct large-scale SMS spam and phishing campaigns, among other threats to end users. But what about the threats to businesses? Tens of thousands of businesses use the Facebook Login Button on their websites to validate if a user is who they claim to be. Guess what: you can't possibly know if a user is who they claim to be given the scope and magnitude of these breaches. Businesses must reconsider their use of these types of identity proofing and authentication mechanisms, as they're practically worthless. Increasingly, businesses are turning to biometric, face-based authentication as a more reliable way of establishing the digital identity of their users.
December 20, 2019
Chris DeRamus
VP of Technology Cloud Security Practice
Rapid7
This is not the first time that Facebook has suffered a breach; in fact, it exposed 540 million users’ data in April after an AWS S3 bucket was left publicly accessible. However, this latest incident is alarming because the database was unprotected for nearly two weeks, allowing threat actors more than enough time to access it and use it to launch spear phishing attacks and commit identity theft. Cloud and container infrastructure help companies innovate quickly and maintain a competitive position in the market. Organizations should feel empowered to implement this technology, but it is essential that they have a true understanding of the compliance and security implications that accompany it. To reduce risk moving forward, enterprises must adopt cloud security solutions that discover threats and can either initiate automated remediation or alert the appropriate personnel of the issue so that it can be corrected.
December 23, 2019
Erich Kron
Security Awareness Advocate
KnowBe4
While on the surface a database of phone numbers does not seem like something to be concerned about, this type of information, all in one place, is a gold mine for scammers and cybercriminals. Attackers know that these numbers are mobile devices and that they can likely receive text messages. They also know these numbers are associated with a Facebook account and can craft attacks that seem legitimate using this information. It is very difficult for people to defend against this sort of breach because many platforms ask for information, such as phone numbers, to use the platform. It's very unfortunate when these organizations fail to protect this data after collecting so much of it.
December 23, 2019
Jason Kent
Hacker in Residence
Cequence Security
For years I yelled "no Facebook, you cannot have my phone number" every time it asked. Not because I didn't want my account more secure, but rather because I figured some day that database would get dumped. The rich personal information everyone shares on Facebook, coupled with a simple way to get access to speak to you, is a tremendous feeder source for scams. The fact that this was discovered by a third party, and that the database it was stored on was inadvertently found, makes me wonder how many copies of this data exist, and it makes me ask: what else has been stolen that we haven't heard about yet? Facebook wants to keep your data secure and private; this is another reminder that application security is hard, and the bad guys only have to win once to have a big impact.
December 23, 2019
Stuart Reed
UK Director
Orange Cyberdefense
The 267 million Facebook users who had their names and personal phone numbers exposed to potential hackers are at high risk for a variety of targeted spam messages, phishing attacks or other scam attempts. With this information, hackers are given a direct line of access to these users – and that can enable criminals to more effectively target these users and gain further private information that can be utilized by bad actors. Given the length of time that this information was publicly available, the likelihood of these attacks is especially high. All organizations have an obligation to protect any sensitive information related to their customers or user base, both in their core practices and through any third parties or services they may utilize; Facebook is certainly no different. To prevent future breaches, organizations must take a multi-pronged approach to their security measures, ensuring that their network security is continually tested against new and emerging threats. By placing an emphasis on network detection and response, organizations are better positioned to recover from – and ultimately more quickly prevent – attacks on their customers.
December 23, 2019
Jonathan Devaux
Head of Enterprise Data Protection
Comforte AG
It seems FB is in the news every month with a cybersecurity issue. The term “too big to fail” may not apply to Facebook, but they do seem to be failing at data security, left and right. Even though the California Consumer Privacy Act (CCPA) is not finalized, when it does become enforceable in early 2020, it is possible that Facebook users (and ex-users) will exercise their Rights under CCPA, which could force FB to take a more serious approach to improve their security posture.
December 23, 2019
Irfahn Khimji
Country Manager for Canada
Tripwire Inc
It is important for anyone using the internet to remember that anything posted online, once posted, can potentially be seen by anyone. As we have seen in recent data breaches, everything from phone numbers to health records has been made public. Practice due care, and ensure that only information one is comfortable with being made public is freely posted on social media sites.
December 23, 2019
Tim Mackey
Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
Synopsys
Another day, another unsecured database found on the internet. With this database containing Facebook-related data, it's obvious to ask what role Facebook might have played in this activity. In this case, we can look to two specific areas: the Facebook API and the public settings of Facebook accounts. In both cases, the scope of data available to third parties has varied over time. This varied access model illustrates a key lesson for anyone implementing an API – build a threat model which includes malicious use of the data available from the API. In effect, if there is interesting data to be had via an API, then anyone interested in that data will eventually discover the API and either use or misuse it. In other words, given access to any data, people will find a way to use, and potentially misuse, it. This same paradigm applies to public settings like those used within Facebook – but with a twist. Where an API is targeted at developers who have security training, properly securing public settings historically has expected the end user to set them properly. In other words, companies have expected lay users to understand the privacy implications of whatever settings they provided. This is an unrealistic expectation given that the lay user has no mechanism or experience to vet the security practices of any business. They place their trust in that business to “do the right thing” with their data. Which means that any threat model around access to user data needs to incorporate what the potential reputational damage to the business might be if the default access controls are set incorrectly.
December 23, 2019
Rosemary O'Neill
Director - Customer Delivery
NuData Security
Cybercriminals now have access to data on almost everyone in the world, which means that they are well stocked to create fake accounts, steal full identities, create synthetic identities, use stolen credit cards, and more. We must change the current equation of "breach = fraud" by changing how companies think about online identity verification; the key is to make it valueless. Once a breach happens and the stolen data is used to, for example, impersonate someone else online, companies can prevent this by verifying users with parameters beyond personally identifiable information (PII), such as the user's inherent behaviour. The technology that looks at users’ innate patterns as they handle a device can detect fraud even if the right credentials are used, devaluing stolen data. Analysing customer behaviour with passive biometrics is completely invisible to users and is allowing many companies worldwide to protect their customer accounts and their company assets without adding unnecessary friction. This news should serve as yet another proof that our data is available; to thwart fraud with that data, it is imperative to use the behavioural technologies that are available today.
December 20, 2019
Vinay Sridhara
CTO
Balbix
It was not too long ago that Facebook suffered a data leak of millions of its users’ information, including phone numbers. Given the seemingly cavalier approach many consumer services take towards properly protecting data, enterprises everywhere should see this as a wake-up call. The same "move fast and break things" mantra championed by Mark Zuckerberg in Facebook's early days is being mimicked in enterprises globally. This agile approach has given developers access to data and the ability to spin up new resources on-demand. Security teams must modify their strategies to account for this dynamic new reality.