Facebook downplays 'old' breach exposing info on 533 million users

Facebook is downplaying the significance of a data breach that saw the personal information of 533 million of its users accessed online, saying the information is old and the vulnerability that was exploited was closed almost two years ago.

Over the weekend, Business Insider reported that personalinformation ofFacebook users in 106 countries was found on a low-level hacking forum, free of charge. Cybercrime intelligence firm Hudson Rock calculated that almost 3.5 million Canadians were included.

Information includednames, phone numbers, locations, birth dates,email addresses and other identifying details. No financial or payment information was accessed, Facebook said.

In a statement on its website Tuesday the social media giant said the information was gathered via a vulnerability the company fixed almost two years ago, and disputed that it was a hack.

Datascraped, not hacked: Facebook

"It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019," saidproduct management directorMike Clark.

Scraping refers to the act of gathering information that is already out there but somewhat hidden on public databases.

The company saidwhoever collected and assembled the data did so by abusing the contact importing service, which allows users to find other people in their network on Facebook.

Facebook said whoever did it seems to have uploaded a large set of phone numbers to see which ones matched Facebook users.

David Masson, director of enterprise security at cybersecurity firm Darktrace, says the information has likely been out there and spread widely for a while, before being outed recently.

"It's been on the Web for quite a while, probably for sale to people," he said. "But now somebody's just offered it up for free."

Building a profile

Greg Wolfond, CEO of data security firm SecureKey, said that in a vacuum, much of the information taken can seem innocuous and harmless, but when taken together can be very dangerous.

"What the hackers do is they try and get little bits of data about you in this case something like your phone number," he told CBC News in an interview. They can then combine that with other bits of information an address, a full name and start building a profile.

What's most dangerous is once they have gathered enough to attempt to gain access to a cellphone account. With the right combination of information, a telecom company may allow someone walking in to port the account number to a new phone.

"They take over your phone, and within minutes of taking over your phone, they're trying to get into your bank account,to get into your Facebook account, your Google account, whatever you use that phone asyour recovery for," he said.

Typically, consumers are urged to fight data theft by doing things like changing passwords frequently, and making them complex. But those things are of little use when companies claim the right to reams of data about their users, and promise to keep it safe.

"Empowering individuals to share their data and putting a responsibility on parties that have the data to keep it secure,
is super important," he said.

NotFacebook'sfirst user-info incident

The breach is far from the company'sfirst misstep with user information.

In 2018, the social media giant disabled a feature that allowed users to search for one another via phone number following revelations that the political firm Cambridge Analytica had accessed information on up to 87 million Facebook users without their knowledge or consent.

In December 2019, aUkrainian security researcher reported finding a databasewith the names, phone numbers and unique user IDs of more than 267 million Facebook users nearly all U.S.-based on the open internet.

LISTEN | Protecting your data while working remotely:

Spark15:32Digital security expert shares tips on how to protect your data while working remotely

During the COVID-19 pandemic, we are spending more of our time at home online than ever before - and according to Citizen Lab's John Scott-Railton, this makes us vulnerable to privacy and security threats.

Facebook says it will continue to aggressively go after "malicious actors who misuse our tools." It touted itsdedicated team focused on this work,butMasson says users shouldn't make the mistake of assuming that the company's size and scope somehow make it better equipped to keep user data safe.

"It doesn't matter how big or sophisticated you are, they can be attacked," he said.

Like many breaches, this one was only discovered long after the fact, and that's because the technology companies use isn't keeping up with the ones the hackers are using.

"There are better technologies that actually work on what happens once the bad guys get inside your network rather than when they're banging on the door outside. So people [have] got to realize this will happen again.