Since Saturday, a A massive trove of Facebook data has circulated publicly, splashing information from approximately 533 million Facebook users across the Internet. The data includes things like profile names, Facebook ID numbers, email addresses, and phone numbers. It is all the kind of information that may have already been leaked or extracted from some other source, but it is another resource that links all that data, and links it to each victim, presenting neat profiles to scammers, phishers and spammers in a tray silver.
Facebook’s initial response was simply that the data was previously reported in 2019 and that the company patched the underlying vulnerability in August of that year. Old news. But a closer look at where, exactly, this data is coming from produces a much darker picture. In fact, the data, which first appeared on the criminal dark web in 2019, comes from a breach that Facebook did not disclose in any significant detail at the time and only fully acknowledged on Tuesday night in a blog post attributed to the Director of Product Management Mike Clark. .
One source of confusion was that Facebook has had breaches and exposures from which this data could have originated. Were the 540 million records, including Facebook IDs, comments, likes, and reaction data, exposed by a third party and disclosed by the security firm UpGuard in April 2019? Or was it the 419 million Facebook user records, including hundreds of millions of Facebook phone numbers, names, and IDs, pulled from the social network by bad actors prior to a 2018 Facebook policy change, that were publicly exposed and reported by TechCrunch in September 2019? ? Did it have anything to do with the Cambridge Analytica third-party data sharing scandal of 2018? Or was it somehow related to Facebook’s massive data breach of 2018 that compromised access tokens and virtually all personal data of some 30 million users?
In fact, the answer does not appear to be any of the above. As Facebook finally explained in background comments to WIRED and on its Tuesday blog, the recently public hoard of 533 million records is a completely different set of data that attackers created by abusing a flaw in a contact import feature from the Facebook address book. Facebook says it fixed the vulnerability in August 2019, but it’s unclear how many times the bug was exploited before then. Information from more than 500 million Facebook users in more than 106 countries contains Facebook IDs, phone numbers, and other information about early Facebook users such as Mark Zuckerburg and US Secretary of Transportation Pete Buttigieg, as well as the data protection commissioner of the European Union. Didier Reynders. Other victims include 61 people who list the “Federal Trade Commission” and 651 people who list “Attorney General” in their details on Facebook.
You can verify whether your phone number or email address was exposed in the leak by checking the HaveIBeenPwned violation tracking site. For the service, founder Troy Hunt reconciled and ingested two different versions of the dataset that have been floating around.
“When there is an information gap in the organization involved, everyone speculates and there is confusion,” says Hunt.
The closest Facebook came to acknowledging the source of this breach previously was a comment in a fall 2019 news article. That September Forbes reported a related vulnerability in Instagram’s mechanism for importing contacts. The Instagram bug exposed users’ names, phone numbers, Instagram identifiers, and account identification numbers. At the time, Facebook told the investigator who revealed the flaw that Facebook’s security team “was already aware of the problem due to an internal finding.” A spokesperson said Forbes at that time, “We have changed the contact importer on Instagram to help prevent potential abuse. We thank the researcher who raised this issue. ” Forbes noted in the September 2019 story that there was no evidence that the vulnerability had been exploited, but no evidence that it had not been.