Facebook downplays 'old' breach exposing info on 533 million users

·4 min read
Facebook says the unauthorized access to user data, which may have included 3.5 million Canadians, happened almost two years ago via a vulnerability they have since closed. (Chris Ratcliffe/Bloomberg - image credit)
Facebook says the unauthorized access to user data, which may have included 3.5 million Canadians, happened almost two years ago via a vulnerability they have since closed. (Chris Ratcliffe/Bloomberg - image credit)

Facebook is downplaying the significance of a data breach that saw the personal information of 533 million of its users accessed online, saying the information is old and the vulnerability that was exploited was closed almost two years ago.

Over the weekend, Business Insider reported that personal information of Facebook users in 106 countries was found on a low-level hacking forum, free of charge. Cybercrime intelligence firm Hudson Rock calculated that almost 3.5 million Canadians were included.

Information included names, phone numbers, locations, birth dates, email addresses and other identifying details. No financial or payment information was accessed, Facebook said.

In a statement on its website Tuesday the social media giant said the information was gathered via a vulnerability the company fixed almost two years ago, and disputed that it was a hack.

Data scraped, not hacked: Facebook

"It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019," said product management director Mike Clark.

Scraping refers to the act of gathering information that is already out there but somewhat hidden on public databases.

The company said whoever collected and assembled the data did so by abusing the contact importing service, which allows users to find other people in their network on Facebook.

This chart shows the biggest data breaches of all time
This chart shows the biggest data breaches of all time(Tim Kindrachuk/CBC)

Facebook said whoever did it seems to have uploaded a large set of phone numbers to see which ones matched Facebook users.

David Masson, director of enterprise security at cybersecurity firm Darktrace, says the information has likely been out there and spread widely for a while, before being outed recently.

"It's been on the Web for quite a while, probably for sale to people," he said. "But now somebody's just offered it up for free."

Building a profile

Greg Wolfond, CEO of data security firm SecureKey, said that in a vacuum, much of the information taken can seem innocuous and harmless, but when taken together can be very dangerous.

"What the hackers do is they try and get little bits of data about you in this case something like your phone number," he told CBC News in an interview. They can then combine that with other bits of information — an address, a full name — and start building a profile.

What's most dangerous is once they have gathered enough to attempt to gain access to a cellphone account. With the right combination of information, a telecom company may allow someone walking in to port the account number to a new phone.

Cybersecurity expert David Masson with Darktrace says Facebook users shouldn't assume the company's size and scope make them better at fending off attacks.
Cybersecurity expert David Masson with Darktrace says Facebook users shouldn't assume the company's size and scope make them better at fending off attacks. (Darktrace)

"They take over your phone, and within minutes of taking over your phone, they're trying to get into your bank account, to get into your Facebook account, your Google account, whatever you use that phone as your recovery for," he said.

Typically, consumers are urged to fight data theft by doing things like changing passwords frequently, and making them complex. But those things are of little use when companies claim the right to reams of data about their users, and promise to keep it safe.

"Empowering individuals to share their data and putting a responsibility on parties that have the data to keep it secure,
is super important," he said.

Not Facebook's first user-info incident

The breach is far from the company's first misstep with user information.

In 2018, the social media giant disabled a feature that allowed users to search for one another via phone number following revelations that the political firm Cambridge Analytica had accessed information on up to 87 million Facebook users without their knowledge or consent.

In December 2019, a Ukrainian security researcher reported finding a database with the names, phone numbers and unique user IDs of more than 267 million Facebook users — nearly all U.S.-based — on the open internet.

LISTEN | Protecting your data while working remotely:

Facebook says it will continue to aggressively go after "malicious actors who misuse our tools." It touted its dedicated team focused on this work, but Masson says users shouldn't make the mistake of assuming that the company's size and scope somehow make it better equipped to keep user data safe.

"It doesn't matter how big or sophisticated you are, they can be attacked," he said.

Like many breaches, this one was only discovered long after the fact, and that's because the technology companies use isn't keeping up with the ones the hackers are using.

"There are better technologies that actually work on what happens once the bad guys get inside your network rather than when they're banging on the door outside. So people [have] got to realize this will happen again.