Millions of Facebook records were found to be publicly exposed on an Amazon cloud server, showing that companies haven't done enough to protect the private data of users. In one instance, a third-party app developer exposed 540 million records on Facebook users, including identification numbers, comments, reactions and account names. Another instance left names, passwords and email addresses for 22,000 people exposed.
Breaking: Hundreds of millions of #Facebook records – including account names and plaintext #passwords – have been found in two separate publicly-exposed app datasets, researchers at @UpGuard found. https://t.co/vwMPIr6usZ
— Threatpost (@threatpost) April 3, 2019
Experts Comments:
Kevin Gosschalk, CEO at Arkose Labs:
“Social media companies are one of the most lucrative targets for cybercriminals because of all the personal identifiable information they collect and store. With 22,000 passwords left exposed to the public, it’s almost certain that they’re already available on the dark web, along with the account names included in the 540 million exposed records, for use in future cyberattacks.
Collecting massive amounts of data comes with the massive responsibility of protecting it, and the threats are not going away. This data will be used in account takeover attacks and for synthetic account creation, and companies must prepare to protect themselves. Companies need to be proactively monitoring their attack surface and shift their focus to proactive prevention — not reactive mitigation — when it comes to cyberattacks moving forward.”
Robert Prigge, President at Jumio:
“Facebook is the latest company to be entangled in a high-profile data breach leaving hundreds of millions of records exposed. This is very troubling for companies and apps that use the ‘Facebook Login’ option to authenticate user accounts. A reported 22,000 unprotected Facebook passwords were exposed, giving cybercriminals the credentials they need to access additional applications, accounts and online platforms that use this form of unsecure authentication. This attack highlights the fact that traditional authentication methods, like two-factor authentication and knowledge-based authentication, are no longer reliable or secure because they can be easily bypassed. Companies need to embrace emerging technology, such as artificial intelligence, augmented intelligence and machine learning, and adopt new authentication methods, like biometric-based authentication, to fight automated fraud and protect their online ecosystems.”
Pravin Kothari, Founder and CEO at CipherCloud:
“Vendors are still exploiting the Facebook platform to pull private information unethically.
GDPR has been active since May 2018, yet most companies do not appear to be compliant yet. The situation with Facebook and Cambridge Analytica has brought considerable attention to data privacy challenges and abuses. We believe that in 2019 the European Union Commission will “bring the hammer down” and levy some of the largest fines ever seen in an effort to drive compliance with GDPR.
Storing personal information collected from end users is a liability. The more you have, the greater that liability becomes. However, if you can encrypt the information then you can turn this information into a big asset for your business.
Many businesses do not realize that cloud is not bullet-proof. They expect large internet and cloud providers to take care of you, but mistakes do happen. Adversaries from any country can connect to clouds much easier than connecting to enterprise apps behind the firewall and VPN. An innocent setting change in the cloud could cause major exposure and havoc.
Another big misconception most people have is that the internet and cloud providers assume all responsibility and liability for data breaches. When you review their contracts, you’ll quickly realize that all risks and liability remain only with you. Providers do not accept liability even when it’s their fault. They can provide some security, but your liability can’t be outsourced. A breach could cause businesses to shut down due to stiff penalties, post-breach notification and forensics costs, and reputation damage.
You should be aware that your data will be leaked in some capacity when leveraging the cloud. You should ensure appropriate measures are in place to keep your data protected.
You should wrap your cloud service and applications with a layer of a “security broker” to provide the necessary security solutions such as rights management, end-to-end data protection, and local key management.”
Tim Mackey, Senior Technical Evangelist at Synopsys:
“With increasingly stringent data protection laws going into effect across the globe, and the public’s heightened sensitivity to privacy violations, protecting sensitive data needs to be a critical priority for all organisations. Unfortunately, the complex and evolving nature of technology today is also making this task more difficult. With troves of data being shared via APIs across complex cyber supply chains and stored in multiple clouds and data centers, it is more important than ever for organizations to build threat models and perform architectural assessments of not just their systems, but those of their partners and service providers as well. Trust but verify should be part of these modern software supply chains.
In this case, Facebook partnered with various organisations and transferred user data from Facebook users to those third parties. While it ultimately falls to everyone who touches or stores sensitive data to protect that data, if your organisation is the source of the data you have a duty to your users to protect their information as it’s shared. This is a key principle of regulations like GDPR which seek to protect user data as it might be processed between organisations and ensure that appropriate safeguards are in place.
While Facebook may be in the news for continuing security issues, news coverage should serve as a wake-up call that organisations of all sizes can face data protection issues unless clear policies around data ownership are defined and followed. Potential reputational damage isn’t worth taking shortcuts with user data.”
Sam Curry, Chief Security Officer at Cybereason:
“Facebook Privacy, an oxymoron or the gift that keeps on giving? In the wake of the complete face-palm of flat files containing users’ passwords in cleartext, we now have Facebook user-related information seeping into everything. Data in general is much like water in how it flows, building like an inexorable wave. Privacy data is even more like water in how it can corrode trust and erode even the mightiest digital giant. It’s beyond time for Facebook to have a plan and to be held accountable to it, and a clear message should echo in all the super aggregator board rooms: get serious about privacy or face existential accountability.
Next steps for Facebook include making privacy a core value right now. Create a senior post to own privacy, staff it and back it. If someone exists doing it now, either up-level them or fire-and-replace them. Then announce a 90-day survey. Call in independent advisors and observers. Then take 30 days to create and publish a plan to fix what’s broken at home and to simultaneously champion and promote privacy to chart a course for the industry.”
Renaud Deraison, Chief Technology Officer and Co-founder at Tenable:
“Seems like every other week a security issue is discovered in the Facebook ecosystem. Facebook is giving third-party app developers access to user data. That means the company’s massive trove of data is in the hands of potentially thousands of third parties all over the world. App developers are focused mainly on bringing new offerings to market quickly — it’s what consumers have come to expect. It looks like Facebook doesn’t have enforced guidelines when it comes to how its partners handle cybersecurity. As long as cybersecurity remains an afterthought in the digital economy, we’ll continue to see these kinds of easily preventable data leaks.”
Paul Bischoff, Privacy Advocate at Comparitech.com:
“For years, Facebook allowed third-party app developers to access the Facebook data of anyone who logged in with their Facebook accounts, including the basic profile information of everyone on each user’s friends list. Although Facebook has rules about how that data can be used and stored, there’s little means of Facebook actually enforcing those policies until after some damage has been done. Cambridge Analytica was the most high-profile case that led to some significant changes in how Facebook interacts with third-party developers, but I suspect there are many troves of Facebook data sitting around where they shouldn’t be, including this one. And even though Facebook has limited what information third-party developers can access, there’s still nothing Facebook can do about abuse or mishandling until after the fact.”
Tim Erlin, VP, Product Management and Strategy at Tripwire:
“This isn’t the first time that we’ve seen sensitive data exposed on unprotected cloud storage, by any means. Organisations can’t transfer responsibility for securing sensitive data by moving it to the cloud. When it’s technically feasible to continuously monitor Amazon storage settings for exactly this scenario, there’s no excuse for not protecting your customer data from this type of breach. Facebook has been caught, like so many others, by third-party partners exposing their shared data.”
Dan Tuchler, CMO at SecurityFirst:
“Here is yet another Facebook data privacy failure and a perfect example of why cloud security continues to be a major concern. This is probably why only 21% of organizations have put object storage into production. As consumers demand tighter controls of their personal data and regulations grow, organizations must use proper security tools that ensure data is protected before it is sent to the cloud.
“It’s clear that companies, especially large, high-profile ones like Facebook, have to meet regulations to secure the private data they collect. But they have a much broader problem – making sure their partners don’t expose their data, either by design or just by being careless about security practices. Perhaps it’s past the time for Facebook to lay down the law with their partners.”
Michael Magrath, Director, Global Regulations & Standards at OneSpan:
“With many nations introducing data privacy protections and advocating practices to minimize data collection, data harvesters like Facebook remain at the opposite end of the spectrum. Although best practices around data security are widely adopted, including using multifactor authentication, too often negligence occurs as in this case where a server containing massive amounts of consumer data was left unprotected with zero authentication required to gain access.”
Ilia Kolochenko, CEO at High-Tech Bridge:
“The reported leak is actually not that dramatic: the 540 million record database contains mostly publicly accessible data, while the second database with passwords in plaintext contains just 22,000 records – a drop in the ocean of leaked credentials in 2018.
The real problem is that most of the data [reportedly shared by Facebook with its partners] still remains somewhere, with numerous uncontrolled backups and unauthorized copies, some of which are being sold on the black market already. It is impossible to control this data, and users’ privacy is at huge risk. Even if they change their passwords, other data such as private messages, for example, or search history – will remain affixed somewhere and often in the hands of unscrupulous third parties.
Facebook may now face numerous multi-million civil lawsuits and class actions, let alone huge monetary fines and other sanctions by authorities.”
Rod Simmons, Vice President of Product Strategy at STEALTHbits Technologies:
“Permissions on platforms are not always clear to users, for example what an app can do when granted rights to your profile. Small and large app providers can be reckless in handling data trusted to them. Many would believe smaller organizations tend to lack the policies and processes to properly handle PII.
I am not a fan of constant government regulation; however, the cost of paying for a year or two of identity protection obviously does not deter companies. If you have financial penalties, they only mean something for a company in business. In this situation 22,000 records were lost and the company is out of business, so there is no fine that can be paid by a bankrupt company. Jail time, however, is a penalty an executive cannot escape just because they go out of business.
Sadly, penalties need to be financially linked to financial losses, associated with a percent of top-line revenue, not profit, and jail time for people in the C-suite, for companies to be responsible with data entrusted to them. Many of us want to blame Facebook because they are the big bad company, but this is just misuse of data. It makes you wonder, does Facebook impose financial penalties on companies that violate their policies?”
Colin Bastable, CEO at Lucy Security:
“The data includes “identification numbers, comments, reactions and account names,” so most of this is already in the public domain in one form or another – usually posted by people who use Facebook’s “free” service on the basis that Facebook can monetize the data as they see fit. Social media users have made a deal with the devil, and my take is that Facebook are living up to their part of the deal. By now, Facebook probably has a reasonable “Caveat Emptor” legal defense against data leakage, because one would have to be a hermit living under a rock not to know that Facebook is security-incontinent, and ruthlessly sells all user data. We can reasonably forecast that similar troves of data will be discovered next week.”
Naaman Hart, Cloud Services Security Architect at Digital Guardian:
“Individuals need to be aware that once you provide your information to a company like Facebook they will regularly sell this data onwards. This is the price paid for access to a free service, but you should acknowledge that this is indeed the price you pay. While Facebook themselves have not compromised this data, they have allowed it to be freely obtained by companies with lax security measures. In this sense they’ve not aided their customers in protecting their data; rather, they’ve done the opposite.
“In the age of GDPR companies must realise that when they collect data they are responsible for it, regardless of whether they share it onwards or keep it themselves. It will be interesting to see whether litigation springs from this, as I expect it might. In that case the financial and reputational damage to Facebook might prompt them to ensure the companies they do business with are held to their own security standards. We can but dream…”
Cindy Provin, CEO at nCipher Security:
“A leak of hundreds of millions of records from any site is massive. Not only were plain text Facebook passwords exposed online for free, but the data sets were configured for easy public download – you just had to know where to look. This is like winning a lottery for cyber-criminals who can easily piece together the information and use it as bait for phishing attacks and identity theft to cash in on even more sensitive information,” said Cindy Provin, CEO of nCipher Security. “A leak of this magnitude certainly validates what we heard from consumers in a recent survey about cyber-security: 68% of respondents fear identity theft – and for good reason. Organisations need to be vigilant in today’s cyber economy and extend their encryption policies to cover all personally identifiable information, so that it becomes useless should it fall into the wrong hands. And a final word of caution: don’t reuse passwords across sites.”
Matt Keil, Director of Product Marketing at Cequence Security:
“We anticipate a dramatic increase in malicious account takeover activity due to the fact that many applications now allow you to log in with your Facebook credentials. To put it into perspective, assume that you are using Facebook creds to log in to 10 applications; that immediately increases the threat footprint to 5.4 billion potential logins. It is analogous to a password manager being breached.”
Bryan Becker, Application Security Researcher at WhiteHat Security:
“The main issue here is Facebook allowing third-party developers such broad access to users’ personal information. Besides the obvious ramifications that came to light from the Cambridge Analytica scandal, the more common ramification is that these third parties probably do not have the same standards as an organization as large as Facebook. Once the data has left Facebook’s hands, they have very little sight into where it goes. Also, unsecured S3 buckets are a common problem (around 7 percent are unsecured). Amazon gives developers the tools to secure their data, but not every team is ready with the knowledge of how to do it correctly, or why it’s important. These ‘leaky buckets’ lead to the kind of data exposures we see here.”
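Both Tim Erlin's point that Amazon storage settings can be continuously monitored for exactly this scenario and Bryan Becker's remark that Amazon gives developers the tools to secure their buckets come down to three settings on an S3 bucket: its ACL, its bucket policy, and its Block Public Access configuration. The script below is an added example, not code from the article or from any of the vendors quoted in it. It evaluates those three settings the way an automated audit would, using the JSON shapes the real AWS APIs (GetBucketAcl, GetBucketPolicy, GetPublicAccessBlock) return; the two bucket configurations are constructed sample data (no real bucket or account) so it runs offline, and the boto3 calls that would fetch live settings appear only in a comment.

```python
import json

# Group grantee URIs that make a bucket readable by anyone (or any AWS account).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_public(principal):
    """True if a policy statement's Principal is the wildcard (anyone)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def acl_findings(grants):
    """One finding per ACL grant to the AllUsers/AuthenticatedUsers groups."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings


def policy_findings(policy_json):
    """One finding per Allow statement whose Principal is the wildcard."""
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be un-listed
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # A Condition (e.g. source VPC) may narrow "anyone"; report it rather than trust it.
        qualifier = " (conditional)" if stmt.get("Condition") else ""
        findings.append(f"Policy allows {', '.join(actions)} to any principal{qualifier}")
    return findings


def public_access_block_enforced(pab):
    """True only when all four Block Public Access settings are on."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return bool(pab) and all(pab.get(k) is True for k in keys)


def audit_bucket(name, grants, policy_json, pab):
    """Return (is_public, findings). Block Public Access, when fully on,
    neutralises public ACLs and policies at the service level, so the verdict
    is not-public even though the stale grants are still listed for cleanup."""
    findings = acl_findings(grants) + policy_findings(policy_json)
    if public_access_block_enforced(pab):
        return False, [f"{name}: {f} (neutralised by Block Public Access)" for f in findings]
    return bool(findings), [f"{name}: {f}" for f in findings]


# Constructed sample configurations (hypothetical bucket names, not real data).
# Live equivalents: s3.get_bucket_acl(Bucket=n)["Grants"],
#   s3.get_bucket_policy(Bucket=n)["Policy"],
#   s3.get_public_access_block(Bucket=n)["PublicAccessBlockConfiguration"].
EXPOSED_BUCKET = {
    "name": "example-app-user-export",
    "grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
    "policy_json": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-user-export/*"}]}),
    "pab": None,  # Block Public Access never configured
}
LOCKED_BUCKET = {
    "name": "example-app-user-export-fixed",
    "grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}],
    "policy_json": None,
    "pab": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
}


def run_audit(buckets):
    """Map bucket name -> (is_public, findings) for a list of bucket configs."""
    return {b["name"]: audit_bucket(b["name"], b["grants"], b["policy_json"], b["pab"])
            for b in buckets}


if __name__ == "__main__":
    for name, (public, findings) in run_audit([EXPOSED_BUCKET, LOCKED_BUCKET]).items():
        print(f"{name}: {'PUBLIC' if public else 'ok'}")
        for finding in findings:
            print("  -", finding)
```

Run on the two constructed buckets, the first is reported PUBLIC with two findings (a world-readable ACL grant and a wildcard-principal policy) and the second is clean. Scheduling this over every bucket in an account, and alerting when a verdict flips to public, is the continuous monitoring Erlin describes; turning on all four Block Public Access settings at the account level is the single change that makes the other two misconfigurations harmless.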
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.