If you were a Facebook user in 2019, it’s possible that your information is among the millions of records posted on a website used by hackers.
Cyber intelligence firm Hudson Rock over the weekend revealed that personal information from 533 million Facebook accounts was leaked, including names, phone numbers, Facebook IDs, locations, account creation dates, birthdays, relationship statuses, bios and, in some cases, email addresses. The breach includes data from more than 32 million accounts in the United States, 11 million in the United Kingdom and 6 million in India.
Facebook (FB) said the data is from a previously reported breach that occurred in 2019.
“We found and fixed this issue in August 2019,” Facebook spokesperson Andy Stone told CNN Saturday.
However, for many users, information they had on their Facebook profile in 2019, such as phone numbers and birthdays, likely hasn’t changed in the past two years. And that means the data could still be useful to hackers or other bad actors.
“Although this was due to an old breach [and] this is old information, now it’s out there in the public domain,” said Jeff Dennis, partner and head of the privacy and data security practice at law firm Newmeyer Dillion. “Anyone who has basic search skills can now go find that database and exploit it, which was not the case when the data was originally taken.”
Here’s what users should know about how the leaked data could be used, and how to protect themselves.
How could bad actors use the data?
The news of the leak is definitely not good. But it’s also not necessarily a reason to panic.
The truth is that data breaches have, unfortunately, become fairly common for a wide range of online services. So, unless you hardly ever use the internet or mobile apps, it’s likely that much of your personal information is already out there where bad actors could find it.
The types of information exposed in the recent Facebook leak are also not the most useful to hackers, unlike data such as credit card information or social security numbers.
“The silver lining here is that this data is not that valuable to attackers to conduct any sort of damning attack against an entity or a person,” said Vikram Thakur, technical director at Symantec, a security software firm that’s now part of Broadcom (AVGO). “The information is not that granular that it can somehow impact one’s identity or one’s personal life.”
Still, there are a number of ways that bad actors could exploit the leaked information.
First things first: There are websites, including haveibeenpwned.com, where users can see if their email or phone number was potentially involved in the breach. The method, however, is not foolproof — and Facebook has not said whether it will alert those whose information was hacked — so users should be on the lookout for potential misuse of their data whether or not they show up on such a site.
Because the breach includes names and phone numbers, it could lead to an uptick in robocalls or text messages (which are already a huge problem). Scammers are the most obvious potential users of leaked phone number data, but technically anyone could search the database and find this info — so people may also want to be aware of the potential for other strangers to get their digits.
“It’s actually very easy to search through this data … in a few seconds, you can easily find anybody’s information that you are looking for,” Thakur said, though in a cache of 533 million records, if someone has a common name, finding their information could become more difficult.
The data could also be used for carrying out social engineering attacks, such as phishing. Typically, a social engineering attack involves a bad actor imitating a legitimate person or organization, including a bank, company or coworker, in order to steal data such as login credentials, credit card numbers, social security numbers and other sensitive information.
Although the Facebook breach won’t necessarily lead to an increase in the volume of phishing attempts, the fact that so many different types of information about each individual user are available as a result of this leak could make those attempts appear more credible, and thus more successful.
“It would be very hard, as a user, to see through some sort of phishing campaign when they’re using information that you thought was very private to you, such as information that would be found on Facebook in your bio section,” Dennis said. “Particularly, when you combine it with location information, you can see how bad guys would start to use this information in a very sinister but effective way.”
How to protect yourself
The breach is a reminder that no information users share with online services can ever be absolutely guaranteed to be secure and private.
“As good as our defenses are, the bad guys are continuing to evolve faster than we can protect ourselves and faster than companies can protect the information, so you just need to be aware,” Dennis said. “I wouldn’t put anything on Facebook that you wouldn’t want put in a public database somewhere down the line.”
Affected users, and anyone whose information could have been exposed, should keep their eyes peeled for potential scams or phishing attempts.
A good rule of thumb, according to Thakur: “Only give out your information when you are the one initiating the conversation. If somebody asks you for your social security, your password, your credit card number, even your name, there is no need for you to put it in anywhere … unless you’re the one initiating the conversation or the transaction.”
In other words, if you get a phone call or email from someone purporting to be from your bank, or your doctor’s office, or a company you recently shopped at asking for sensitive information, do not hand it over. Hang up. Then find a trusted phone number for that place — from the back of your credit card, the doctor’s website, or the official email receipt you received from the company — and give them a call to determine if the request was legitimate.
More generally, the situation is also a good reminder to take steps to preserve your data “hygiene,” as experts sometimes call it, such as using different passwords for each website, changing passwords frequently and using two-factor authentication.