Facebook ducks calls to apologise over huge data leak
Facebook has tried to deflect criticism of its data safety practices while ducking calls to apologise for a leak of personally identifiable information (PII) on hundreds of millions of its users after malicious actors abused a contact-finding feature.
Facebook believes the data was taken using the contact importer feature prior to September 2019. This service was supposedly meant to help users of the leaky platform find friends to connect with by uploading the contact lists from their mobile phones.
It said that malicious actors supposedly used software to mimic the Facebook app and upload a large set of phone numbers to see which matched Facebook users. When they got a hit, they could query that profile to scrape information that the user had unwisely left public. Facebook locked this loophole down in September 2019.
In a statement, Facebook’s product management director, Mike Clark, said: “It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to 2019.”
Clark went on to elaborate on the difference between scraping and hacking, saying that there was “still confusion about this data”, but he failed to acknowledge the concerns of Facebook users or issue any kind of apology to the roughly 533 million people who, thanks to Facebook’s easily abused system, had their data compromised.
“We’re focused on protecting people’s data by working to get this data set taken down and will continue to aggressively go after malicious actors who misuse our tools wherever possible,” said Clark.
“While we can’t always prevent data sets like these from recirculating or new ones from appearing, we have a dedicated team focused on this work.”
Adam Enterkin, senior vice-president for international sales at BlackBerry, said breaches of any size – let alone one affecting half a billion people – should no longer be tolerated, and that Facebook should take full responsibility for the data stolen.
“Organisations must not forget that all personal data in their care is equally valuable. If you collect it, protect it. It is imperative to ensure that appropriate security controls are implemented to keep all data safe from inappropriate or unauthorised access,” said Enterkin.
“Additionally, while it’s possible to have security without privacy, it’s impossible to have privacy without security. Privacy is about the ethical and responsible handling of personal data. This is why security is an integral part of ensuring that transparency of privacy practices can be achieved.”
Avast senior global threat communications manager, Christopher Budd, said that while the data theft was old news, the latest developments meant the risk to those affected was now vastly increased.
Budd described the loss of phone numbers that can be associated with email addresses as “particularly worrisome” because the odds were good that, for the majority of those affected, the phone number and email combination could likely be used to receive an SMS code to log in to their email accounts.
“This means those users are at increased risk for attackers to try SIM-swapping to redirect SMS-based codes to devices under their control and get access to the target’s email,” he said. “Because email accounts are where ‘I forgot my password’ resets go, this is the easiest, most efficient and effective way for attackers to take over your digital life by first hijacking your email account and then using that to take over your other accounts.”
“Facebook hasn’t notified users whose data has been stolen and there’s no simple, safe way to tell if you’ve been affected,” said Budd. “Because of this, if you had a Facebook account in 2019, you should assume your data has been lost and take steps to better protect yourself.”
The best approach at this point is to switch your Facebook-linked email account from password-only, or password plus SMS-based codes, to an authenticator app, which removes the mobile number from the equation and mitigates some of the risk. Such apps are offered by both Google and Microsoft.
“Moving to an authenticator app is increasingly a recommended best practice in the security community, as attackers have found ways to effectively counter SMS-based codes and their attacks are getting easier and cheaper for them,” said Budd. “At this point, it’s really a question of when, not if, people move off of SMS-based codes to authenticator apps. This latest sizeable data breach for Facebook can and should be a motivation for many people to do so sooner rather than later.”
You should also be more on guard than usual against attempted mobile phishing, or smishing, attacks, and if you may be a higher-value target – for example a healthcare worker or government employee – change your mobile number.