A rich cache of data on some 533 million Facebook users was posted to a hacker forum over the weekend and is available to download for practically free. The information is from a data breach that occurred in 2019, but hasn't been widely available until now.
The data was posted to an English-speaking cybercriminal forum called RaidForums by a hacker going by the handle TomLiner.
"The Facebook data was first listed for sale on RaidForums on June 6, 2020, but the initial sale allegedly asked users for US$30,000 in exchange for the data," explained Ivan Righi, a cyber threat intelligence analyst with Digital Shadows, a San Francisco-based provider of digital risk protection solutions.
"TomLiner's post exposed the data for eight forum tokens -- approximately $2.52," he told TechNewsWorld. "The data has been unlocked by close to 3,800 users, generating TomLiner over $9,500."
Michael Isbitski, a technical evangelist with Salt Security, a Palo Alto, Calif.-based provider of API security, added that at the time of that incident in 2019, Facebook indicated the data of 220 million users was scraped prior to the company restricting access in the platform to preserve users' privacy.
"It's plausible that this is partially the old data set resurfaced and combined with other scraped data sets since the number has now ballooned to 533 million users," he told TechNewsWorld.
Phone Number Flaw
In a statement provided to TechNewsWorld by Facebook, the company said it is confident the posted information is old data that originated from a weakness in its contact importer feature that was discovered and fixed in August 2019.
At that time, it explained, the company removed people's ability to directly find others using their phone number across both Facebook and Instagram -- a function that could be exploited using sophisticated software code to imitate Facebook and provide a phone number to find which users it belonged to.
Using that software, it continued, it had been possible to input multiple phone numbers and, by running an algorithm, connect numbers to specific users.
Facebook never returned a phone number, it explained; the attacker provided the numbers by which to do the matching.
Through this process, it was possible at that time to query user profiles and obtain a limited amount of publicly available information, it added.
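To make the defensive side of that description concrete, here is an added illustration (not part of the original article, and not Facebook's code) of how a service could flag contact-lookup clients whose submitted numbers look machine-generated rather than like an address book. The event format, client names, phone numbers and thresholds are all assumptions constructed for the example.

```python
from collections import defaultdict

def sample_events():
    """Constructed (client_id, submitted_number) lookup events; not real data."""
    events = []
    # An ordinary contact import: 40 scattered numbers from an address book.
    events += [("client-a", 15550100000 + (i * 7919) % 90000) for i in range(40)]
    # Enumeration: a dense, generated block of the number space.
    events += [("client-b", 15550200000 + i) for i in range(500)]
    return events

def density(numbers):
    """Fraction of submitted numbers whose successor (n + 1) was also submitted.

    Real address books are sparse in the number space, so this stays near 0;
    generated ranges push it towards 1.
    """
    seen = set(numbers)
    if len(seen) < 2:
        return 0.0
    return sum(1 for n in seen if n + 1 in seen) / len(seen)

def flag_enumeration(events, max_distinct=200, max_density=0.5, min_sample=20):
    """Return {client_id: [reasons]} for clients that look like enumerators.

    max_distinct, max_density and min_sample are hypothetical thresholds; a real
    deployment would tune them and evaluate them over a time window.
    """
    per_client = defaultdict(set)
    for client, number in events:
        per_client[client].add(number)

    flagged = {}
    for client, numbers in per_client.items():
        reasons = []
        if len(numbers) > max_distinct:
            reasons.append("volume")          # far more contacts than a phone holds
        if len(numbers) >= min_sample and density(numbers) > max_density:
            reasons.append("sequential")      # numbers generated, not collected
        if reasons:
            flagged[client] = reasons
    return flagged

if __name__ == "__main__":
    for client, reasons in flag_enumeration(sample_events()).items():
        print(client, reasons)
```
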
Playbook for ID Theft
Although the data may be old, it still has value to hackers, cybersecurity experts told TechNewsWorld.
Admittedly, the data's value has been diminished as a saleable asset, observed Andrew Barratt, managing principal for solutions and investigations at Coalfire, a Westminster, Colo.-based provider of cybersecurity advisory services.
"But the data is still a ready-made playbook for identity theft, impersonation, and potential Facebook account take over, which often has more far reaching consequences if Facebook accounts are used to access other sites, or services," he said.
"Look at the number of fitness tracking systems, which log relevant healthcare data that leverage a Facebook login to get in," he added.
Righi noted that it is likely that most phone numbers are still active and remain linked to legitimate Facebook users.
"Cybercriminals can use information such as phone numbers, emails and full names to launch targeted social engineering attacks, such as phishing, vishing, or spam," he said. "As most users are still working from home due to the pandemic, these attacks could be effective if personalized to target victims."
"Now more than ever it is important to seriously reconsider using phone numbers as logins or sharing phone numbers with apps," added Setu Kulkarni, vice president for strategy at WhiteHat Security, a San Jose, Calif.-based provider of application security.
"Switching phone numbers is inordinately more taxing than switching email IDs," he added.
Exploiting the Pandemic
Being in the middle of a pandemic may also add value to the recycled data from the Facebook breach.
"Having access to all the data may be a golden nugget for criminals orchestrating large spam or phishing campaigns, many of which have been tailored to pandemic-themes -- stimulus checks, mask politics, geographical restrictions or track and trace scenarios," observed Barratt.
"Whether it's more or less valuable is complex because of the general state of the global economy," he continued.
"It might be harder to scam an individual for a higher amount of money, however it might be possible to scam a larger volume of people for smaller amounts that are 'on trend' from a pandemic perspective," he explained.
Saryu Nayyar, CEO of Gurucul, a threat intelligence company in El Segundo, Calif., added that the global scope of the pandemic can be an asset to scammers armed with data from the Facebook breach.
"Every country is in different stages of grappling with their Covid-19 vaccine rollout, and cybercriminals can absolutely use this data to socially engineer vaccine misinformation," she told TechNewsWorld.
"I can already see the targeted phishing email headlines: Get your vaccine today -- new vaccination center near you! Find out which of your neighbors have Covid-19. Choose which vaccine you get with our new app," she described.
Daniel Markuson, digital privacy expert with NordVPN, a VPN service provider based in Nicosia, Cyprus, noted in a statement that his company found that vaccine-related Google searches in the United States grew by 1,900 percent since January.
"This shows that Americans are becoming increasingly anxious to get their Covid-19 vaccine and might be an easy target for hackers," he reasoned.
Markuson added that in December, Interpol issued an alert to law enforcement across 194 countries, warning them to prepare for crimes revolving around Covid-19 vaccines.
Investigators have also reported vaccine-related activities on the Dark Web, he added.
No Stranger to Breaches
Over the years, the social network has been the target of a number of headline-grabbing data breaches.
"Facebook has been hit with data incidents from every angle," observed Paul Bischoff, privacy advocate at Comparitech, a reviews, advice and information website for consumer security products.
"It has left user data sitting on exposed servers, allowed app developers to abuse access to user accounts, and left bugs in code that hackers could exploit to steal data," he told TechNewsWorld.
"On top of that, most Facebook profiles are public, which means third parties can scrape them using bots," he said.
Data security and privacy were never high in the minds of the Facebook developers when they built the platform, maintained Purandar Das, CEO and cofounder of Sotero, a data protection company in Burlington, Mass.
"On the other hand, the platform was all about monetizing the users' data," he told TechNewsWorld.
"When you design products or platforms that start with no attention to security and privacy," he said, "it becomes very hard to go back and retrofit those capabilities."