It has happened again. Facebook has suffered from a data leak, exposing data of 267 million of its users.
Facebook is once again in the spotlight. This time, it’s not for reasons Facebook wants to be in it. The social network has suffered from yet another data leak. In all, 267 million Facebook accounts have been compromised. The leak is being blamed on the ever broken record of a misconfigured cloud server. From InfoSecurity:
“One possibility is that the data was stolen from Facebook’s developer API before the company restricted access to phone numbers in 2018. Facebook’s API is used by app developers to add social context to their applications by accessing users’ profiles, friends list, groups, photos, and event data. Phone numbers were available to third-party developers prior to 2018,” explained Comparitech’s Paul Bischoff.
“Diachenko says Facebook’s API could also have a security hole that would allow criminals to access user IDs and phone numbers even after access was restricted. Another possibility is that the data was stolen without using the Facebook API at all, and instead scraped from publicly visible profile pages.”
The researchers warned that such a large database of sensitive information could be used in major spam, phishing and smishing campaigns.
The database itself was first indexed on December 4, with the data posted on a hacker forum eight days later. Diachenko discovered it on December 14 and notified the ISP managing the IP address, and five days later it was made unavailable.
This is by no means the first time this has happened. Back in September, Facebook suffered from another data leak. That one weighed in at a whopping 419 million accounts compromised. In April, both Facebook and Instagram suffered from another data leak. In all 540 million accounts were exposed. Then, in July, Facebook was hit with a $5 billion fine for privacy violations related to the Cambridge Analytica data mining scandal.
Of course, with the high profile nature of the Cambridge Analytica scandal, Facebook wound up with the image of a site that is, well, the exact opposite of a company you want to guard your private information. Then, something curious happened. After they announced that they would implement end-to-end encryption, the US, UK, and Australia jointly demanded Facebook back off of this idea in October. Germany would later join the coalition against effective security. After significant pressure, Facebook re-iterated their stance that they aren’t implementing backdoors in their encryption. Because of this high stakes tug of war between companies and the government, Facebook wound up dropping their image of being a threat to privacy and became more of a key player as a defender of security and privacy.
This latest leak is yet another reminder of that previous image. It’s that image of a Facebook that simply collected everything about you, then sold it to private companies. After that, not a care in the world about what becomes of that personal information. The timeline of this leak suggests that this is another component of that past. Facebook will no doubt quickly point out that this leak also happened before their policy changes. They will likely say that they have since changed and that such things will become a thing of the past. At least, that is likely the hope given how much this latest leak could threaten to undermine the privacy image the company has been building up in the last year.
Drew Wilson on Twitter: @icecube85 and Facebook.
