December 25, 2019 – Facebook finds itself in the midst of another data breach as researcher Bob Diachenko finds information of over 267 million users unprotected on the web. Diachenko mentions in his study for UK-based tech research firm Comparitech that the data was accessible for at least 15 days.
The exposed data contained the full names, unique Facebook IDs, phone numbers, and timestamps of mostly US-based Facebook users, and a fraction of it belonged to Vietnamese users. While the researcher says it’s unclear how the data was gathered, it may have been either collected via Facebook’s developers API through a potential security loophole, or scraped from publicly available Facebook profile information on the internet.
The article posted on Comparitech’s website defines ‘scraping’ as “a process in which automated bots quickly sift through large numbers of web pages, copying data from each one into a database.”
Diachenko further finds that the data was first posted on the internet on December 4 and was discovered by him on December 14, when he immediately reported it to the internet service provider (ISP) managing the IP address of the server. The data was then removed from the server on December 19. However, the research notes that it was also posted as a downloadable file on a hacker forum on December 12, making it possible for copies of this data to still be available online. Diachenko chose not to contact the ‘owner of the database’ since it was suspected to be a criminal organisation.
Although this data didn’t contain financial or login information of the users, it has the potential to be used for SMS spam, scams or phishing attacks to acquire the login details of individuals whose data has been compromised. There is also a chance that this information could be combined with data leaked in multiple past breaches, making it possible for the collective data to pose considerable harm to the security of these users.
Sadaf Khan, director and co-founder of Media Matters for Democracy (MMFD), a Pakistan-based not-for-profit digital rights advocacy group, said, “Facebook data continues to be breached repeatedly and is constantly at the risk of falling in the hands of a criminal waiting to exploit the collection of this information. The data that Facebook holds on its 2.45 billion users has potential of being misused and abused in ways that are unimaginable to its general users. The sophisticated tools and mechanisms through which it was used to disrupt democratic processes like US Presidential Elections of 2016 and later by LeaveEU campaign in Britain, only leaves users to wonder the cost of an otherwise free platform”.
She added, “Facebook continues to attempt to regain the trust of those who demand transparency and accountability from its management, incidents like the one revealed by Diachenko only reflects inability of Facebook to be able to protect information of its 2.45 billion users”.
Speaking on the aftermath of data-leak incidents such as this one, Asad Baig, the founder of MMFD, highlighted the importance of platform responsibility in protecting user data. “After every instance of this nature, a global debate of importance of privacy begins where most of the responsibility of protecting the data of users is dropped on the users themselves, giving long-term immunity to platforms and regulators to extend strong security mechanisms and policies for the protection of the people”.
“Platforms need to take the responsibility of these leaks, and they need to be accountable to their users for every incident of data leak”, he added.
Hija is a Programs Manager at Media Matters for Democracy. She combines her experience in digital rights in Pakistan to lead digital rights and internet governance advocacy of MMfD. She tweets at @hijakamran