Ne’er-do-wells leaked personal data, including phone numbers, of some 533 million Facebook users this week. Facebook says the data was collected before 2020, when it changed its systems to prevent such information from being scraped from profiles. In my opinion, this only reinforces the need to remove mobile phone numbers from all of your online accounts whenever possible. Meanwhile, if you are a Facebook user and want to know whether your data was leaked, there are easy ways to find out.
The HaveIBeenPwned project, which collects and analyzes hundreds of database dumps containing information on billions of leaked accounts, has incorporated the data into its service. Facebook users can enter the mobile phone number (in international format) associated with their account and see whether those digits were exposed in the new data dump. HIBP doesn’t show you any of the leaked data; it simply gives you a yes or no on whether your details appear in it.
The phone number associated with my last Facebook account (which I deleted in January 2020) was not on HaveIBeenPwned, but then again Facebook claims to have over 2.7 billion monthly active users.
It appears that much of this database has been circulating in the cybercrime underground in one form or another since last summer, at least. According to a January 14, 2021 Twitter post from Under the Breach’s Alon Gal, the database of 533 million Facebook accounts was first put up for sale in June 2020, and it offers Facebook profile data for 100 countries, including name, mobile phone number, gender, occupation, city, country and marital status.
Under the Breach also said in January that someone had created a Telegram bot that let users query the database for a small fee, allowing people to find the phone numbers linked to a large number of Facebook accounts.
Many people may not consider their mobile phone number private information, but there is a world of misery that bad guys, stalkers and other creeps can visit on your life just by knowing your mobile number. Sure, they could call you and harass you that way, but they are more likely to check how many of your other accounts, on major email providers and social media sites like Facebook, Twitter and Instagram, for example, trust that number for resetting your password.
From there, the target is primed for a SIM swapping attack, in which thieves trick or bribe mobile phone store employees into transferring ownership of the target’s phone number to a mobile device controlled by the attackers. Once that is done, the criminals can reset the password of any account that mobile phone number is linked to and, of course, intercept any one-time token sent to that number for multi-factor authentication purposes.
Or the attackers take advantage of some other privacy and security weakness in the way SMS text messages are handled. Last month, a security researcher showed how easy it was to abuse services intended to help celebrities manage their social media profiles to intercept SMS messages for any mobile user. That weakness has supposedly been fixed for all the major wireless service providers now, but it really makes you question the sanity of continuing to rely on the Internet equivalent of postcards (SMS) to safely handle quite sensitive information.
My advice has long been to remove phone numbers from your online accounts whenever you can, and to avoid selecting SMS or phone calls as a second factor or for one-time codes. Phone numbers were never designed to be identity documents, but that is what they have effectively become. It’s time we stopped letting everyone treat them that way.
Any online account you value should be protected with a unique, strong password, as well as the strongest form of multi-factor authentication available. Usually this is a mobile app like Authy or Google Authenticator that generates a one-time code. Some sites like Twitter and Facebook now support even stronger options, like physical security keys.
Removing your phone number can be even more important for any email account you have. Sign up for almost any online service and it will require you to provide an email address. In nearly all cases, whoever controls that address can reset the password for any associated services or accounts simply by requesting a password reset email.
Unfortunately, many email providers still allow users to reset their account passwords via a link texted to the phone number registered for the account. So remove the phone number as a backup for your email account, and make sure a second, stronger factor is selected for all available account recovery options.
Here’s the thing: many online services require users to provide a mobile phone number when setting up the account, but they don’t require the number to remain associated with the account after it is established. I advise readers to remove their phone numbers from accounts whenever possible, and to take advantage of a mobile app to generate one-time codes for multi-factor authentication.
Why did KrebsOnSecurity delete its Facebook account at the beginning of last year? Sure, it could have something to do with Facebook’s relentless stream of privacy breaches, leaks and betrayals over the years. But what really bothered me was the number of people who felt comfortable sharing extraordinarily sensitive information with me on things like Facebook Messenger, while hoping that I could attest to the privacy and security of that message just by virtue of my presence on the platform...
In case readers want to get in touch for any reason, my email is krebsonsecurity at gmail dot com, or krebsonsecurity at protonmail.com. I also respond to Krebswickr on the encrypted messaging platform Wickr.