Blog / Facebook scraped for massive amounts of data
In case you haven’t heard, Facebook has had a data breach. A big one. How big? A little over 500 million records (about 20% of it’s users). In fact it was so big that the website haveibeenpwned.com added a totally new search feature when the information was posted. So yeah, it was pretty big.
But how did so much data get stolen? Whomever was behind the breach made use of a bug in the contact import feature in order to scrape the data from Facebook.
The bug was fixed back in 2019 so it’s actually no longer a problem, and we’ll go into how it was exploited later. But it still leaves two questions:
What exactly was taken? And what the heck is “scraping” anyway?
I’ll tackle the easy one first. The hackers got ahold of information marked as “public” on a massive number of Facebook users. If you go into the About section on your Facebook profile, you’ll see you can fill in details about your date of birth, your phone number, address, email, and more. You also have a choice about who can see it. You can make your details visible to the public, only to your facebook friends, or entirely private, along with a few other options. In any case, a bad actor managed to skim through a massive number of Facebook users and grab that public data (with easy access now available on the darkweb for about $3).
Now the harder question. What the heck is “scraping”?
Scraping is when a hacker uses a tool to automatically scan through a website looking for information. Think of it like a snowplow; you’re not trying to dig into the road, just getting the stuff that’s sitting on top. The problem is that scraping is a well-known attack, and websites are now intentionally designed to make scraping difficult. The next time you visit Facebook take a look at the URL and see if it makes any sense.
As we mentioned before. the bug that made this breach possible was fixed back in 2019, but apparently if you were using Facebook’s contact import feature someone could leverage that to cycle through accounts easily. Also, I assume that Facebook probably didn’t consider the import feature an attack vector at the time. They probably weren’t even watching it for unusual behavior (like an massive number of possible contacts originating from a single account). The attacker found a way to convince Facebook that the victims were possible contacts, then visited their profile and gather any information they’d made public, and then move on to the next user, and the next, and so on.
A lot of people put way to much personal information up on social media without having any real understanding about how it can be used against them. This is evidenced by the fact that over 500 million records were gathered, with many of them including address information and phone numbers. If your personal information is public on Facebook (or was back in 2019) then you should go and check the haveibeenpwned website to see if your information was part of the breach. Depending on which of your details are public on Facebook, there may be enough information out there for someone to successfully impersonate your identity (or worse, track you down and/or harass you with ease).
Social Media is a great tool for keeping in touch with people, and with the world on lockdown it’s seeing a surge in usage. Unfortunately, many people still don’t truly understand the digital world. They look at all this information that they can put into their account and say “What’s the harm?” Well, that depends entirely on who gets their hands on the information and how badly they want to profit from it. The more information they have, the easier it is to profit off of at your expense.
For today’s drop of Shakespeare I’ll take from Julius Caesar, Act I Scene II “Men at some time are masters of their fates: The fault, dear Brutus, is not in our stars, But in ourselves, that we are underlings.”
If you have any questions about Social Media, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.