The most disappointing thing was to circulate the profile names, email addresses, and phone numbers of over 500 million Facebook users publicly online for nearly a week. Facebook finally acknowledged the root cause but took time to acknowledge the mistake. The company said that the issue has been fixed in 2019. But now researchers are saying Facebook knew about similar vulnerabilities for years before that, and it could have made a far greater effort to prevent the mass scraping in the first place.
People need to be aware that it’s not just Facebook. There are other platforms too, which can surely be taking advantage of the user’s privacy.Facebook has a history of such events with its pocket.In 2012, Facebook made changes that resulted in the site’s “Download Your Information” tool leaking phone numbers and email addresses that users had not supplied themselves through the contact import feature. There were researchers who disclosed the issue to Facebook in 2013; in 2018, the Office of the Privacy Commissioner of Canada and the Office of the Data Protection Commissioner of Ireland investigated the finding.
The Office found that FB did not have appropriate safeguards in place prior to the breach in order to protect the personal information of users and non-users. Researchers in 2017 relate much more directly to the methods the attackers used to scrape the recent, massive data set. They have discovered that it is relatively simple to reveal private phone numbers on Facebook, revealing some of the phone numbers of Belgian celebrities and politicians. Researchers had found a manual and somewhat limited, but still effective, way to enumerate phone numbers and extract their corresponding user information from Facebook through the contact import feature. There are many findings submitted to Facebook’s bug bounty program.
When you sign up to Facebook, you must have observed that Facebook lets you set your phone number and email address as visible to “Only me.” But it also has an entirely separate setting, called “Who can look me up,” that dictates whether someone can find you on Facebook using your phone number or email address through the contact import tool. Even if your phone number is set to “Only me” on your profile, it could still be set to “Everyone” under “Who can look me up.” In that case, if someone guessed your phone number, they would be able to link it to your other public Facebook information.
Facebook decided not to notify over 530 million of its users whose personal data was lifted in a breach and was recently made available in a public database, giving the reason that the company does not have exact information about which users would need to be notified and there is no use in notifying as it was not an issue that users could fix themselves. They also added that there was no need to worry as the information did not include financial information, health information or passwords.
These kinds of responses by Facebook got different reactions from the users, as they counter the portal with the fact that scammers can make an enormous loss with little information from the portal. It’s a serious issue as phone numbers are a universal identifier for users and are increasingly used to connect people to their digital presence, including the use of two-factor authentication via text message and phone calls to verify one’s identity.
After this leak was revealed, every user was keen to know whether their data had been leaked or not. Well, there’s no easy way to determine if your details were breached in the leak. If the website concerned is acting in your best interest, you should at least receive a notification. But this isn’t guaranteed.Even a tech-savvy user would not be able to find out the leaked data themselves on underground websites.
The data being shared or leaked online contains plenty of key information. Most of the records include names and genders, including dates of birth, location, relationship status, etc.The good thing is that only a small proportion of users use a valid email address on social portals.
Still, you always need to be careful while sharing your personal information on any portal as you confirm your identity over the phone with your bank, use that to reset important passwords etc.
There are several ways in which you can safeguard yourself from such a leak of your personal data. There is a little information which we have to forfeit in exchange for using Facebook, including mobile numbers for new accounts. But there are plenty of details you can avoid sharing to retain a modicum of control over your data.
You also need to understand that, apart from the leak being reported, there are plenty of other ways your data can be taken from Facebook. If very cunningly you have used a fake birth date on your account, then you should also avoid posting birthday photos on the real day. Even our innocent movements can reveal sensitive information.
There will be many interesting links shared by your friends that say “sign-in with Facebook,” which is basically a time-saving feature, but it also increases your risk—especially if the site you’re signing into isn’t a trusted one.If your Facebook account is compromised, the attacker will have automatic access to all the linked websites.
Try to always create a different password for each and every online account, even if it seems to be a hassle. You can install a password manager to organise the same and it will help manage all the passwords you have. It cannot, however, guarantee that your data will never be stolen, but it can reduce the risk.
The purpose of this write-up is actually not to scare you all, but to make you people a little more aware of the need to be vigilant while using any portal online. In todays world, everything whether work or personal life is connected to those social portals and it is difficult to avoid them. So, the best way is to find out the best ways to avoid such leaks.
