Over 267 million Facebook records including users’ profile IDs, names, and phone numbers have been put up for sale by a hacker on a Dark Web forum for £500, security researchers have found.
In December last year, security researcher Bob Diachenko discovered a publicly accessible and unsecured Elasticsearch database on the web that contained over 267 million Facebook IDs, phone numbers, full names, and timestamps. While most of the data stored in the unsecured database belonged to US citizens, Diachenko has reason to believe that the records were scraped or otherwise obtained by a criminal organisation based in Vietnam.
The unsecured database was indexed by a search engine on 4th December and discovered by Diachenko on the 14th. According to Comparitech, which partnered with Diachenko to investigate the unsecured database, cyber criminals could have obtained the information through Facebook's developer API, which gives developers access to profiles, friends lists, groups and photos. Until 2018, developers could also access the phone numbers associated with individual Facebook profiles.
On 4th March, Diachenko discovered another unsecured server that contained an additional 42 million records, 16.8 million of which included Facebook IDs, phone numbers, profile details, email addresses, gender and dates of birth. According to Diachenko, the server was "attacked and destroyed by unknown actors" after he alerted the hosting provider about its existence.
While both servers are no longer publicly accessible, cybersecurity intelligence firm Cyble has now discovered that hackers are selling Facebook records stolen from the unsecured database on a Dark Web forum for £500. Cyble researchers bought the database to verify the authenticity of the data and added it to their breach notification service at http://AmIbreached.com.
"At this stage, we are not aware of how the data got leaked in the first instance; it might be due to a leakage in a third-party API or scraping. Given the data contain sensitive details on the users, it might be used by cybercriminals for phishing and spamming," Cyble CEO Beenu Arora told Bleeping Computer.
Encryption and tokenisation could have prevented hackers from accessing Facebook records
While it has been confirmed that the database did not contain users' passwords, it contained enough information, such as email addresses and phone numbers, for hackers to run spear-phishing campaigns aimed at stealing passwords or impersonating Facebook users. Cyble has recommended that Facebook users tighten their security by reviewing their account settings and paying close attention to unsolicited emails and text messages.
Commenting on hackers selling a treasure trove of Facebook user data on Dark Web forums, Trevor Morgan, Product Manager at comforte AG, told TEISS that "it's easy to assume that large corporations, like Facebook, have the appropriate security measures in place but the fact that so much PII was available is deeply concerning. If encryption and tokenization were leveraged, then we would not be reading as to why 267 million user profiles are being sold on the dark web.
"Encryption and tokenization are actually more important than access security because the data would be protected in a way that makes the data meaningless and worthless to a hacker or bad actor. Meaning the data could not be listed for sale on the dark web because the data would be undecipherable.
"The takeaway here should be – 'If you collect it, protect it.' Sensitive data should *not* be accessible by everyone, and sensitive data should *not* be stored in its clear-text format no matter if it is in your secured network, in the cloud, or in databases.
"As a tie-in to 'collect and protect' is the notion that protecting data as early as possible, preferably at first touch, is key to the most effective level of protection. Couple that with the strategy of de-protecting data only when absolutely necessary and as infrequently as possible in your data workflows. Abiding by these guidelines certainly can facilitate a safer data environment," he added.
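The "protect at first touch, de-protect only when necessary" approach described above, as an added Python example that is not from the article or from comforte AG: the in-memory vault, the field names and the sample records are assumptions standing in for a separately secured token store and a real ingestion pipeline.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample records in the shape the article describes
# (Facebook ID, name, phone number); all values are made up.
RAW_RECORDS = [
    {"fb_id": "100000000000001", "name": "Alice Example", "phone": "+14155550101"},
    {"fb_id": "100000000000002", "name": "Bob Example", "phone": "+14155550102"},
]

# Fields replaced by tokens before storage; fb_id stays as the join key.
SENSITIVE_FIELDS = ("name", "phone")


@dataclass
class TokenVault:
    """Hypothetical token vault: the only component able to reverse a token.
    In a real deployment it lives in a separately secured, audited store."""
    _forward: dict = field(default_factory=dict)  # plaintext -> token
    _reverse: dict = field(default_factory=dict)  # token -> plaintext
    audit: list = field(default_factory=list)     # (token, purpose) per reveal

    def tokenize(self, value: str) -> str:
        # Same input yields the same token, so joins and counts still work.
        if value not in self._forward:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from value
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenize(self, token: str, purpose: str) -> str:
        # De-protect only when needed, and record who needed it and why.
        self.audit.append((token, purpose))
        return self._reverse[token]


def protect_at_first_touch(record: dict, vault: TokenVault) -> dict:
    """Replace sensitive fields with tokens before the record is stored."""
    out = dict(record)
    for name in SENSITIVE_FIELDS:
        if name in out:
            out[name] = vault.tokenize(out[name])
    return out


def dump_leaks_plaintext(stored: list, raw: list) -> bool:
    """True if any raw sensitive value appears anywhere in the stored copy."""
    blob = repr(stored)
    return any(r[name] in blob for r in raw for name in SENSITIVE_FIELDS)


vault = TokenVault()
STORED = [protect_at_first_touch(r, vault) for r in RAW_RECORDS]  # what the DB holds
```

An exposed copy of `STORED` carries only tokens; a phone number is recoverable solely through the vault, and every reveal leaves an audit entry.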