- Personal data concerning more than 500 million Facebook users, resulting from a security breach dating back to 2019, was posted this weekend on a hacker forum.
- France is one of the countries with the most victims, with 20 million users affected out of 40 million Facebook subscribers in France, or one in two users.
- “It would not be surprising if hackers were to exploit the data obtained to carry out targeted phishing campaigns. […] It is also likely that cybercriminals will use this information to impersonate the hacked person,” said Dimitry Galov, security expert at Kaspersky.
Names, e-mail addresses, phone numbers, dates of birth … Resulting from a security breach dating back to 2019, the personal data of more than 500 million Facebook users was uploaded this weekend to a hacker forum. This gigantic database, which contains a great deal of personal information about users, is thus freely accessible on the Internet. “This file had already been marketed on the Darknet for several months, but it suddenly became accessible to a greater number of malicious people,” explained on Twitter Alon Gal, co-founder of the company Hudson Rock and a cybercrime specialist, who raised the alert on Saturday.
In total, 533 million Facebook users – out of 2.7 billion – are affected, all over the world. France is one of the countries with the most victims, with 20 million people affected out of the 40 million who have a Facebook account in France. How do you know whether you are one of the affected users? What risks do the victims of this data breach face? What can you do to protect yourself? What responsibilities does the social network bear? 20 Minutes takes stock of this unprecedented leak affecting Facebook, as well as its Instagram subsidiary.
Where does this data breach come from?
To understand where this leak comes from, we must go back to September 2019. At the time, a cybersecurity specialist had discovered a major flaw in Facebook’s security, more precisely in the feature that lets users import their contacts to the platform. Hackers then took the opportunity to collect, en masse, the data of millions of people. A hacker – who thus managed to collect some 530 million phone numbers – put this data up for sale last January on the Telegram messaging application. The affair then took on a new dimension this Saturday, April 3, when the entire database appeared, free of charge and openly accessible, on specialized forums.
For Facebook, this data breach is the work of “malicious actors”. The data comes from a leak that dates back to 2019 and which “has since been resolved,” a Facebook official said in a statement on Wednesday. According to the social network, the data was not obtained by breaking into its systems, so this is not hacking but scraping: automated software imitating the feature that helps members find friends from their contact lists, used to match phone numbers to profiles and harvest them in bulk. “The data did not include financial or health information, or passwords,” the platform also assured, saying it is “convinced that the specific problem that made it possible to recover this data in 2019 no longer exists”.
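The scraping Facebook describes is an enumeration attack on the contact-import feature: an automated client uploads large lists of phone numbers and keeps whatever profiles come back. The following Python is an added example, not Facebook code and not from the article, showing how the owner of such a feature could flag that pattern in its own request logs. It assumes a hypothetical log format (one JSON object per line with the submitting account, the client IP and the E.164 numbers uploaded in that request), constructed sample lines, and illustrative thresholds.

```python
"""Flag phone-number enumeration against a contact-import endpoint.

Added example: the log format, field names and thresholds are assumptions,
not Facebook's. Each log line is one JSON object for one import request.
"""
import json
from collections import defaultdict
from dataclasses import dataclass, field

# Illustrative policy thresholds for one monitoring window.
MAX_NUMBERS_PER_KEY = 1000   # more uploads than any genuine address book
MIN_SAMPLE = 200             # do not judge the number pattern on tiny imports
SEQUENTIAL_FRACTION = 0.5    # share of adjacent (sorted) numbers that differ by 1


def _request(ts, account, ip, numbers):
    return json.dumps({"ts": ts, "account": account, "ip": ip, "numbers": numbers})


def _range(start, count):
    # Consecutive French mobile numbers +336XXXXXXXX, as a scraper would generate them.
    return [f"+336{n:08d}" for n in range(start, start + count)]


# Constructed sample log: one genuine import, one loud scraper on a single
# account, and one scraper that spreads its range over three accounts.
SAMPLE_LOG = "\n".join(
    [_request(1617400000, "u1001", "203.0.113.7",
              ["+33612345678", "+33698765432", "+33755512345"])]
    + [_request(1617400010 + i, "u2002", "198.51.100.9", _range(10000000 + 400 * i, 400))
       for i in range(4)]
    + [_request(1617400100 + i, f"u300{i}", "198.51.100.77", _range(20000000 + 150 * i, 150))
       for i in range(3)]
)


@dataclass
class Stats:
    submitted: int = 0
    sequential_pairs: int = 0
    sources: set = field(default_factory=set)


def sequential_pairs(numbers):
    """Count adjacent pairs (after sorting) whose values differ by exactly 1.

    A real address book is a scatter of unrelated numbers; a number range
    walked by a scraper is almost entirely consecutive.
    """
    values = sorted(int(n.lstrip("+")) for n in numbers if n.lstrip("+").isdigit())
    return sum(1 for a, b in zip(values, values[1:]) if b - a == 1)


def aggregate(log_text, key="account"):
    """Aggregate per account or per client IP. Scrapers that spread the work
    over many accounts usually still share an IP or ASN, so run both."""
    stats = defaultdict(Stats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        s = stats[rec[key]]
        s.submitted += len(rec["numbers"])
        s.sequential_pairs += sequential_pairs(rec["numbers"])
        s.sources.add(rec["ip"] if key == "account" else rec["account"])
    return stats


def flag_enumeration(stats):
    """Return {key: [reasons]} for keys whose behaviour looks like enumeration."""
    findings = {}
    for k, s in stats.items():
        reasons = []
        if s.submitted > MAX_NUMBERS_PER_KEY:
            reasons.append(f"volume {s.submitted} > {MAX_NUMBERS_PER_KEY}")
        if s.submitted >= MIN_SAMPLE:
            frac = s.sequential_pairs / max(s.submitted - 1, 1)
            if frac > SEQUENTIAL_FRACTION:
                reasons.append(f"{frac:.0%} of submitted numbers are consecutive")
        if reasons:
            findings[k] = reasons
    return findings


if __name__ == "__main__":
    for key in ("account", "ip"):
        print(f"by {key}:", flag_enumeration(aggregate(SAMPLE_LOG, key)))
```

Aggregating by account alone catches the single loud account but misses the three accounts that each stay under the sample size; aggregating the same log by client IP catches them because their combined uploads form one consecutive range. A genuine import of a real address book trips neither signal.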
What are the risks for the victims?
Stolen data, including e-mail addresses and phone numbers, exposes victims to marketing spam. But the main risk is having their phone number or e-mail address used for malicious purposes. “It wouldn’t be surprising if hackers were to exploit the data obtained to conduct targeted phishing campaigns, in which malicious e-mails appearing to come from a trusted sender, for example from your friend’s Facebook e-mail address, would be sent. It is also likely that cybercriminals will use this information to impersonate the hacked person, who could thus be the victim of identity theft,” explains Dimitry Galov, security expert at Kaspersky. Because the leaked numbers are tied to names and other profile details, the same applies to phishing by SMS or phone call.
How do you know if you are a victim?
Facebook has not yet taken any steps to notify victims – despite its obligation to do so under the General Data Protection Regulation (GDPR) – so users must turn to specialized sites. Among them is the platform Have I Been Pwned?, which lets Internet users find out whether their e-mail address appears in a breached database. The founder of this platform, Troy Hunt, has just updated it to allow Facebook users to check whether their phone number was affected by the leak.
[Embedded tweet from Troy Hunt (@troyhunt), April 6, 2021]
In the search field on the home page of haveibeenpwned.com, enter your phone number in international format. For a French number, enter +33 followed by your mobile number without the leading zero (+336… or +337…), then click “pwned?”. If your number was found in this data breach, the site displays an alert on a red background and lists the types of information involved: phone numbers, but also date of birth, e-mail address, employer or marital status, depending on what was filled in on the Facebook account. A negative result only means the number is absent from this particular dataset as loaded into the site; it does not rule out exposure elsewhere.
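Getting the international format right is the step people most often get wrong: typing the leading zero, or the “+33 (0)6 …” form printed on business cards. The following Python helper is an added example, not code from the article or from Have I Been Pwned; the function names are chosen here, and it only normalises a number into the form to paste into the search field described above, it does not query the site.

```python
"""Normalise a French phone number to the E.164 form (+33 followed by nine
digits) that the Have I Been Pwned search field expects.

Added example; `to_e164_fr` and `is_fr_mobile` are names chosen here, not an
API of the site.
"""
import re


def to_e164_fr(raw: str) -> str:
    """Accept the usual ways a French number is written and return +33XXXXXXXXX.

    Handles "06 12 34 56 78", "06.12.34.56.78", "+33 6 12 34 56 78",
    "+33 (0)6 12 34 56 78", "0033612345678" and a bare "612345678".
    Raises ValueError for non-French or malformed input rather than guessing.
    """
    compact = re.sub(r"[\s.\-()]", "", raw.strip())   # drop spaces, dots, dashes, parentheses
    if compact.startswith("+33"):
        national = compact[3:]
    elif compact.startswith("0033"):
        national = compact[4:]
    elif compact.startswith("+") or compact.startswith("00"):
        raise ValueError(f"not a French number: {raw!r}")
    elif compact.startswith("0"):
        national = compact[1:]          # drop the domestic trunk prefix
    else:
        national = compact              # assume nine national digits were given
    # "+33 (0)6 ..." leaves a stray trunk zero after the country code.
    if len(national) == 10 and national.startswith("0"):
        national = national[1:]
    if not re.fullmatch(r"[1-9]\d{8}", national):
        raise ValueError(f"expected nine digits after the country code: {raw!r}")
    return "+33" + national


def is_fr_mobile(e164: str) -> bool:
    """True for French mobile numbers (+336… and +337…), the ones the article says to enter."""
    return e164.startswith("+33") and e164[3] in "67"


if __name__ == "__main__":
    for sample in ["06 12 34 56 78", "+33 (0)6 12 34 56 78",
                   "0033.7.55.51.23.45", "01 55 51 23 45"]:
        number = to_e164_fr(sample)
        print(f"{sample!r:28} -> {number}  mobile={is_fr_mobile(number)}")
```

Rejecting anything that is not recognisably French, instead of silently prefixing +33, avoids looking up the wrong number and reading a false negative.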
How to better protect yourself?
Given the scale of the leak, if you created your Facebook account before 2018, the social network strongly recommends enabling two-factor authentication. “We advise users to carry out regular privacy checks […] including who can see certain information on their profile, and to activate two-factor authentication,” says Facebook. Since phone numbers are precisely what leaked, a second factor based on an authenticator app or a security key is preferable to codes sent by SMS.
“To stay safe from hackers who might exploit this data, care should also be taken when receiving e-mails that seem strange, even if they appear to come from a trusted person,” explains Dimitry Galov. “We recommend never clicking on links or attachments in e-mails and always checking for grammar or spelling errors (often a sign that the e-mail is a phishing attempt),” adds the Kaspersky security expert, who nevertheless points out that “to protect personal information online, the best thing to do is to limit the type of information shared on social media platforms”.
What responsibilities for Facebook?
“In view of the massive data leak, Facebook has not necessarily taken all the appropriate and effective measures to guarantee the protection of its users’ personal data,” says Alexandre Lazarègue, a lawyer specializing in digital law and cybercrime. Article 34 of the French “Informatique et Libertés” law (the Data Protection Act) requires any data controller to “take all necessary precautions, with regard to the nature of the data and the risks presented by the processing, to preserve data security”, explains the lawyer, who also mentions “the data security obligation laid down in Article 226-17 of the Penal Code”.
Individuals affected by data leaks can therefore file a complaint, Alexandre Lazarègue believes. “It will then be up to Facebook to provide proof of the sufficiency and effectiveness of the security measures it has taken.” The Cnil can also open proceedings, and in particular ask the publisher of the site that publishes this data, and then its host, to remove the file or to make the database in question, or the site hosting it, inaccessible.