Euro Security Watch with Mathew J. Schwartz


Facebook Tries to 'Scrape' Its Way Through Another Breach

Social Network Attempts 'Not Hacking' Spin on Theft of 533 Million Users' Details
The road to Facebook's headquarters in Menlo Park, California

Facebook has been attempting to dismiss the appearance of a massive trove of user data by claiming it wasn't hacked, but scraped. The social network also claims that it reported the flaw that was exploited by criminals to privacy watchdogs in 2019.


But Facebook failed to make clear that 533 million of its users had their profile names and ID numbers, locations, biographical information, email addresses and phone numbers exposed - even when users had set their phone numbers to not appear on their profile page.

On Tuesday, Facebook, for the first time, warned that the information had been stolen and then attempted to spin the breach as not having been a hack attack.

"It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019," according to a blog post attributed to Mike Clark, a Facebook product management director.

In other words, attackers breached Facebook data by "hacking" - or exploiting, if you like - what wasn't a bug, but a feature that allowed them to download massive quantities of private user data.

The obvious retort from Facebook users would be: "Hacked, scraped, breached, pwned, misconfigured or whatever - you were supposed to keep this data safe." Instead, more than 530 million users have been at increased risk of phishing and fraud thanks to criminals having access to this data.

Murky Timeline

Facebook has suffered so many data breaches that it's tough to tell them apart, although Wired last week published a must-read guide. And in this case, it's not clear when attackers began amassing all of this information, or how many different data sets may have been combined to produce it.

But Australian security researcher Aidan Steele said he filed a vulnerability report in January 2014 with Facebook, warning that he'd been able to feed made-up phone numbers into its API. Whenever the Facebook system detected that a phone number was legitimate, he says, it sent back the associated user's account details. Steele warned that the API even seemed able to return account information for users who didn't have a contact phone number listed in their Facebook profile, and it could handle more than 1,000 requests per second.
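The lookup behaviour Steele describes (a request per phone number, an account record back whenever the number belongs to a user, and throughput of 1,000 or more requests per second) leaves a distinctive footprint in API logs: one client, a very large number of distinct numbers, consecutive values, and almost no matches. The script below is an added example of how a defender could flag that pattern; it is not Facebook's code and not from the article, and the log format, endpoint path and thresholds are constructed assumptions. The sample traffic is generated inside the script: one client sweeping consecutive numbers, and one client uploading an ordinary address book.

```python
"""Flag phone-lookup enumeration in contact-importer API logs.

Added example: not Facebook's code and not from the article. The log
format, endpoint path, client ids and thresholds are constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta


# Constructed log line format (assumption):
#   <iso-timestamp> <client_id> <endpoint> <phone_number> <hit|miss>
def constructed_log() -> list[str]:
    """Build sample traffic: one enumerating client, one ordinary import."""
    t0 = datetime(2019, 6, 1, 12, 0, 0)
    lines = []
    # client-A sweeps 3,000 consecutive numbers at ~100 req/s; about 1% exist.
    for i in range(3000):
        ts = (t0 + timedelta(milliseconds=10 * i)).isoformat(timespec="milliseconds")
        result = "hit" if i % 100 == 0 else "miss"
        lines.append(f"{ts} client-A /contacts/import +1555{i:07d} {result}")
    # client-B uploads a real address book: 40 unrelated numbers, most of which exist.
    for i in range(40):
        ts = (t0 + timedelta(milliseconds=50 * i)).isoformat(timespec="milliseconds")
        result = "miss" if i % 5 == 0 else "hit"
        lines.append(f"{ts} client-B /contacts/import +1{2025550100 + i * 7919:010d} {result}")
    return lines


def parse_line(line: str) -> tuple[datetime, str, str, int, bool]:
    """Split one constructed log line into typed fields."""
    ts, client, endpoint, number, result = line.split()
    return datetime.fromisoformat(ts), client, endpoint, int(number.lstrip("+")), result == "hit"


def sequential_fraction(numbers: set[int]) -> float:
    """Share of adjacent sorted numbers that differ by exactly 1 (1.0 = pure sweep)."""
    ordered = sorted(numbers)
    if len(ordered) < 2:
        return 0.0
    consecutive = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
    return consecutive / (len(ordered) - 1)


def analyze(lines: list[str], endpoint: str = "/contacts/import",
            min_distinct: int = 1000, max_hit_ratio: float = 0.05,
            min_sequential: float = 0.5) -> dict[str, dict]:
    """Per-client statistics plus an enumeration verdict.

    A client is flagged when it has looked up an unusually large number of
    distinct phone numbers AND either the numbers form a sweep or almost none
    of them match an account (a real address book matches far more often).
    """
    per_client = defaultdict(lambda: {"times": [], "numbers": set(), "hits": 0, "requests": 0})
    for line in lines:
        ts, client, ep, number, hit = parse_line(line)
        if ep != endpoint:
            continue
        rec = per_client[client]
        rec["times"].append(ts)
        rec["numbers"].add(number)
        rec["requests"] += 1
        rec["hits"] += int(hit)

    findings = {}
    for client, rec in per_client.items():
        duration = (max(rec["times"]) - min(rec["times"])).total_seconds()
        distinct = len(rec["numbers"])
        seq = sequential_fraction(rec["numbers"])
        hit_ratio = rec["hits"] / rec["requests"]
        findings[client] = {
            "requests": rec["requests"],
            "distinct": distinct,
            "hits": rec["hits"],
            # Floor the window at one second so a lone request is not reported as a burst.
            "rate_per_s": rec["requests"] / max(duration, 1.0),
            "sequential_fraction": seq,
            "hit_ratio": hit_ratio,
            "flagged": distinct >= min_distinct
            and (seq >= min_sequential or hit_ratio <= max_hit_ratio),
        }
    return findings


if __name__ == "__main__":
    for client, stats in analyze(constructed_log()).items():
        print(client, stats)
```

Volume alone is a poor signal here, because a genuine address-book import also sends many numbers in a short burst; the verdict therefore combines the size of the key space a client has touched with the shape of the numbers and the match rate. Thresholds are illustrative and would need tuning against a service's real traffic.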

Data for Sale, Then Dumped for Free

At some point, criminals began using this feature to steal information and then offered it for sale, potentially after having combined it with data obtained from other sources.

In mid-January, Alon Gal (@UnderTheBreach), CTO of cybercrime intelligence firm Hudson Rock, first reported that a Facebook vulnerability had been exploited and used to create a database for 533 million users that gave access to many of those individuals' phone numbers.

Gal reported that someone had created a bot for the Telegram instant messaging service that, for a low fee, would run lookups against the database. By entering a user's Facebook ID, customers of the service could retrieve extensive information on that user, including their phone number.

On April 3, Gal warned that "all 533 million Facebook records were just leaked for free."

Whoever was selling the information may have reached the point of diminishing returns and decided to dump it to hype their brand. Such an approach has been used by other data breach merchants, including ShinyHunters.

Has My Phone Number Been Pwned?

On Tuesday, Troy Hunt, who runs the free Have I Been Pwned breach notification service, said that he'd updated the service to enable users to search for phone numbers that had been stolen from Facebook.

In a blog post, Hunt said he'd never previously seen any value in allowing individuals to use a phone number to see if they'd been pwned.

"So long as there are email addresses that can be searched, phone numbers don't add a whole lot of additional value," he said. But the latest Facebook breach to come to light changed that, because while more than 500 million records had a phone number, "only a few million" also had email addresses, so more than "99% of people were getting a 'miss' when they should have gotten a 'hit.'"

Ireland's GDPR Enforcer Investigates

Meanwhile, regulators say they have questions for Facebook.

On Tuesday, Ireland's Data Protection Commission announced it is investigating the leaked data, at least some of which appeared to have been obtained by attackers who used Facebook's "phone lookup functionality," scraping that Facebook said occurred from June 2017 to April 2018. The EU's General Data Protection Regulation came into full effect in May 2018.

"The newly published dataset seems to comprise the original 2018 (pre-GDPR) dataset and combined with additional records, which may be from a later period," DPC says.

The regulator said it contacted the social network over the April 3 weekend after "it received no proactive communication from Facebook." Under GDPR, breached organizations are required to share full details of an incident with regulators within 72 hours. Failure to comply can lead to fines of up to 20 million euros ($24 million) or 4% of the organization's annual global revenue - whichever is greater.

The DPC said officials at Facebook eventually told it: "The data at issue appears to have been collated by third parties and potentially stems from multiple sources. It therefore requires extensive investigation to establish its provenance with a level of confidence sufficient to provide your office and our users with additional information."

When Was Data Stolen?

In his Tuesday blog post, Facebook's Clark says: "We believe the data in question was scraped from people's Facebook profiles by malicious actors using our contact importer prior to September 2019."

Ashkan Soltani, an independent privacy and security researcher who previously served as the chief technologist of the Federal Trade Commission, notes that criminals appear to have had access to the data until at least June 2019.

In 2019, Facebook reached a landmark $5 billion sanction agreement with the FTC. In return for Facebook agreeing to numerous security and policy changes - and promises - the agency also indemnified Facebook for any activity that occurred prior to June 12, 2019.

Also, in Europe, GDPR - as noted - came into full effect in May 2018. "Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR," Ireland's DPC reports.

But if the scraping actually took place through 2019, then Facebook could find itself at the receiving end of a full-scale investigation potentially not just by the FTC, but also by GDPR enforcers in Ireland, aiming to find out what Facebook knew, when it knew it and why it failed to notify users in a timely manner.

Let's see how the social network scrapes its way through this one.



About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
