Over a quarter-billion Facebook profiles served (at 0.0002¢ each)

Richi Jennings Your humble blogwatcher, dba RJA

Criminals are selling 267 million rows of Facebook data on the dark web. It’s not thought to be a new leak, but if your name’s in there, you might be surprised how cheap your data is. 

Columns include full name, email address, phone number, and date of birth. In other words, enough for a convincing phishing campaign.

Another day, another Facebook PII scare. But in this week’s Security Blogwatch, we learn lessons for IT, DevOps, and DevSecOps.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Duh.


What’s the craic, Zak? Mister Doffman reports—Hackers Just Sold 267 Million User Profiles For $540:

The data included email addresses, names, Facebook IDs, dates of birth and phone numbers. All of which is a perfect set of data with which to craft a text or email phishing campaign on behalf of Facebook.

This data is likely from a past breach and does not suggest current weaknesses with Facebook’s systems. [But if] users click the link and enter their details into a spoofed Facebook login page, much more valuable data can be stolen.

The number 267 million will ring bells. … Late last year, that same number of mostly U.S. records was found online for sale.

Users are well advised to change their passwords. … With email addresses in hand, attackers can match those addresses against breaches which do include passwords.

And Lawrence Abrams adds—267 million Facebook profiles sold:

Last month, security researcher Bob Diachenko discovered an open Elasticsearch database that contained a little over 267 million Facebook records. … The ISP hosting the database eventually took the server offline after being contacted by Diachenko. … Diachenko believed that [criminals] stole the data using the Facebook API before it was locked down or via scraping public profiles.

The database being sold … could allow attackers to create spear-phishing campaigns that aim to steal your password using email campaigns or SMS texts that pretend to be from Facebook. If the phishing emails contain information such as dates of birth and/or phone numbers, some users may be more prone to believe them and thus provide the attackers with the requested info.

Who bought it? Cyble’s Beenu Arora and chums—267 Million Facebook Identities for 500 Euros:

Yes, that’s true and scary at the same time. [We] executed the sale and were able to download and verify the data.

Given the data contain sensitive details on the users, it might be used by cybercriminals for phishing and spamming. … Users [should] tighten their privacy settings on their Facebook profiles, and be cautious of unsolicited emails and text messages.

Wait. Pause. Knowingly receiving stolen property is a crime in many jurisdictions. So mabu has this important question:

How is it legal for companies like that to buy illegal info and then monetize it?

What can be done? Paul Wagenseil guides us—What to do:

Unfortunately, there's not a whole lot you can do about this right now. Names and phone numbers aren't secrets, for the most part.

Cyble has bought a copy of the database … but you'll have to pay for the privilege of looking up your own name or email address to see if it's … in this data dump.

We would be glad to see the free HaveIBeenPwned breach-lookup service adding the data as well, although site operator Troy Hunt might have to consider adding an option to search by name. … The best solution of all might be for Facebook to … notify each affected individual about the compromise.

It’s about oversight. Or so says onyxruby:

Facebook needs to get real about vendor management and auditing their vendors to ensure that they are compliant with their policy standards. This is a failure of their management oversight process.

If they failed with this vendor then there is a fair chance that they have likely failed with other vendors as well. There needs to be a comprehensive review … of their entire vendor management program.

And Lisa Vaas shoots this naked pun—Stop exposing yourself:

The less PII you spread around, the less ammunition you give scammers to lure you into clicking on something dangerous in email or SMS text, or into telling them more than you should on the phone. The more scammers know about you, the more convincing they sound.

This breach has already given attackers one piece of the authentication puzzle they need to hijack your accounts. … Which adds up to it being a truly bad idea to use a password twice.

If you’re not already securing your Facebook account with two-factor authentication (2FA), now is a good time to turn that on. … In Facebook, you can turn on 2FA by going to Settings > Security and login.

One might think i'm probably drunk needs an intervention:

If government wants to fight big tech … Here's how to do it: Even a minuscule $100 fine per violation is $26.7 billion dollars.

Meanwhile, BringsApples LITERALLY brings apples: [You’re fired—Ed.]

If you use Facebook, you're literally causing this lobotomy on society.

The moral of the story?

How closely do you audit your partners’ API use? Are you checking passwords against lists of compromised credentials?
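The second question, checking passwords against lists of compromised credentials, is in practice done with the k-anonymity range scheme that HaveIBeenPwned's Pwned Passwords service popularised: the client sends only the first five hex characters of the password's SHA-1 and matches the 35-character suffix locally, so the lookup service never sees the full hash. The Python below is an added example written for this column, not code from any of the quoted sources or services; the leaked-password list is constructed, and the service side is simulated in-process rather than calling a real endpoint.

```python
import hashlib
from collections import defaultdict

# Constructed sample of passwords known to appear in breach dumps. In a real
# deployment this corpus lives with the lookup service, not with the
# application doing the check.
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "facebook1"]

PREFIX_LEN = 5  # hex characters of the SHA-1 that are sent to the service


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the hash the range scheme uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: list[str]) -> dict[str, dict[str, int]]:
    """Service side: bucket leaked-password hashes by their 5-char prefix.

    Each bucket maps the 35-char hash suffix to how often it was seen
    (counted over the constructed list here, so the counts are small).
    """
    index: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for pw in leaked:
        h = sha1_hex(pw)
        index[h[:PREFIX_LEN]][h[PREFIX_LEN:]] += 1
    return index


def range_lookup(index: dict[str, dict[str, int]], prefix: str) -> str:
    """Service side: answer a prefix query with 'SUFFIX:COUNT' lines.

    This is the response shape used by k-anonymity range endpoints; the
    service learns only the prefix, never which suffix the caller wants.
    """
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly 5 hex characters")
    bucket = index.get(prefix, {})
    return "\n".join(f"{suffix}:{count}" for suffix, count in sorted(bucket.items()))


def is_compromised(password: str, query) -> tuple[bool, int]:
    """Client side: check a candidate password without revealing its hash.

    `query` is any callable that takes a 5-char prefix and returns the
    'SUFFIX:COUNT' text (a real client would make an HTTPS request here).
    Only the prefix ever leaves the client. Returns (found, count).
    """
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    for line in query(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return True, int(count)
    return False, 0


if __name__ == "__main__":
    index = build_range_index(LEAKED_PASSWORDS)
    for pw in ["password", "correct horse battery staple"]:
        found, count = is_compromised(pw, lambda p: range_lookup(index, p))
        state = "compromised" if found else "not in list"
        print(f"{pw!r}: {state} (seen {count}x)")
```

Wire `is_compromised` into the password-set and login paths and reject (or force a reset on) anything that comes back found; the prefix-only query is what makes it safe to ask a third-party service about a live credential.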

And finally



You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Mr. Blue MauMau (cc:by)
