Questions are piling up after the publication of data on hundreds of millions of Facebook users. The massive database, first offered on Telegram in January 2021, has ended up on a site frequented by hackers. Half of all French users are affected by this leak.
The case was revealed on April 3 by Alon Gal, co-founder of the cybercrime intelligence firm Hudson Rock. Facebook has since acknowledged the facts while trying to play down its responsibility. We have summarized everything known about the leak for a clearer view.
How big is the leak?
According to Alon Gal, 533 million users are affected by the leak. In France, 20 million members of the social network are concerned, half of the total number of accounts in the country. The expert explains that the database corresponds to the hundreds of millions of phone numbers that were offered for sale on Telegram in January 2021. Besides phone numbers, the stolen data includes the name of the associated profile, the email address of its owner, date of birth and even place of residence. No passwords, banking information or medical information has been disclosed so far. In total, the victims come from 106 different countries.
How did the attackers do it?
The weakness that made the leak possible was discovered by Facebook's own teams in 2019 and patched in August of that year, but clearly not before it had been exploited. In its official statement, Facebook says the problem lay in the feature for importing contacts by phone number. The company explains: "This data was collected by malicious actors prior to September 2019 through a 'scraping' technique, not following a hack of our platforms." Scraping means extracting data that is accessible on the platform automatically, with software, rather than breaking into its systems. In practice, a contact importer answers the question "which of these numbers belong to users?", so a caller who feeds it large lists of sequential numbers, without being throttled, can enumerate profiles at scale. The harvested records were first offered for sale on the dark web and later found for free on a forum.
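To make the mechanism concrete, here is an added, hypothetical model of a contact-import endpoint and of the enumeration scraping it permits when it is not throttled. It is not Facebook's code and describes no real API: the profile store, the `ContactImporter` class, its limits and the scraper loop are all assumptions made for this illustration.

```python
"""Toy model of a phone-number contact-matching feature and of the
enumeration scraping it enables when left unthrottled.

Hypothetical code written for this article; it is not Facebook's
implementation. It assumes a simplified service where a caller uploads
phone numbers and receives the public profile fields of matching users.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample profile store: phone number -> public profile fields.
PROFILES = {
    "+33600000001": {"name": "Alice Martin", "country": "FR"},
    "+33600000002": {"name": "Bob Durand", "country": "FR"},
    "+33600000007": {"name": "Chloe Petit", "country": "FR"},
}


class RateLimited(Exception):
    """Raised when a caller exceeds the importer's limits."""


@dataclass
class ContactImporter:
    # Hypothetical limits: numbers accepted per call, and the total number
    # of lookups one caller may ever perform.
    max_batch: int = 1000
    max_lookups_per_caller: int = 5000
    _lookups: dict = field(default_factory=lambda: defaultdict(int))

    def match(self, caller: str, phones: list[str], throttle: bool = True) -> dict:
        """Return public profiles for the uploaded numbers that exist.

        With throttle=False the endpoint behaves like an unprotected one:
        any caller may submit any number of lookups.
        """
        if throttle:
            if len(phones) > self.max_batch:
                raise RateLimited("batch too large")
            if self._lookups[caller] + len(phones) > self.max_lookups_per_caller:
                raise RateLimited("caller lookup budget exhausted")
        self._lookups[caller] += len(phones)
        return {p: PROFILES[p] for p in phones if p in PROFILES}


def enumerate_range(importer, caller, prefix, start, stop, batch, throttle):
    """Scraper: sweep a numbering range in batches and keep every hit.

    Returns (profiles found, number of calls completed before being cut off).
    The numbers are generated, not taken from any real address book.
    """
    found = {}
    calls = 0
    numbers = [f"{prefix}{n:08d}" for n in range(start, stop)]
    for i in range(0, len(numbers), batch):
        try:
            found.update(importer.match(caller, numbers[i:i + batch], throttle))
        except RateLimited:
            break
        calls += 1
    return found, calls


if __name__ == "__main__":
    # Unthrottled: the whole +336 00000000..00099999 range is swept in 10 calls.
    hits, n = enumerate_range(ContactImporter(), "scraper", "+336", 0, 100_000, 10_000, False)
    print(f"unthrottled: {len(hits)} profiles in {n} calls")
    # Throttled with the same oversized batches: cut off before the first call.
    hits, n = enumerate_range(ContactImporter(), "scraper", "+336", 0, 100_000, 10_000, True)
    print(f"throttled, oversized batch: {len(hits)} profiles in {n} calls")
```

The throttled variant does not make enumeration impossible; it bounds how much one caller can learn before being stopped, which is why real deployments also tie lookups to verified accounts, watch for many callers sweeping adjacent ranges, and return nothing for users who have opted out of being found by phone number.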
What do victims risk?
The good news is that the database does not contain any username/password combinations, so anyone who has access to it cannot log in to an account that is not theirs. The same goes for banking information: in principle, there will be no theft or unwanted transfers. But that does not mean the stolen data cannot be used for malicious purposes. "Malicious actors will likely use this information for blackmail, fraud and marketing purposes," predicts Alon Gal. Moreover, since cybercriminals now hold a large number of email addresses and phone numbers tied to real names, the risk of large-scale phishing campaigns, by email or by SMS, is very real.
Can I find out if I am affected?
Yes. We have published an article explaining how to check whether your data has been compromised. To do this, you can consult the extensive HaveIBeenPwned database, which is updated as leaked personal data is published; for this leak the site also lets you search by phone number, since most of the records contain a number but no email address. The site only tells you whether your address or number appears: for security reasons, you cannot access the leaked data itself. If you appear among the victims, we strongly recommend that you change your Facebook password and, if possible, the phone number associated with the account.
How to get compensation?
Alain Bensoussan, a lawyer specializing in computer fraud and cybercrime, told franceinfo that victims have four potential legal remedies: "a liability case against Facebook, a liability case against a hacker (who allegedly used a user's personal information for fraudulent purposes), a complaint to the CNIL and a class action lawsuit in court." But he doubts such proceedings are worthwhile. According to him, "there will be a difference between the cost of the proceedings and the ultimate damage," especially because the hackers did not gain access to any sensitive information or private messages.
How did Facebook react?
Facebook spoke out through its director of product management, Mike Clark, in a blog post on Wednesday, April 7. In it, the social network admits that it has known about the weakness since 2019, but it chose to warn neither the authorities nor its users. To justify this choice, it explains: "Malicious actors did not obtain this data by hacking [its] systems, but by collecting it from [its] platform before September 2019." Facebook also maintains that the scraping predates the entry into force of the GDPR in May 2018, and so it "chose not to report this as a personal data breach under GDPR," according to the Irish Data Protection Commission. Many experts dispute this decision, like Zack Allen, who believes that "it would be wrong to say that a situation is not that serious just because it is old data. Additionally, phone numbers are often used as a form of authentication these days, and that can be very scary [given the situation]."