At the beginning of April, the personal data of 533 million Facebook users was exposed in a data breach. As security researcher Troy Hunt pointed out, the primary value of the data lies in the association of phone numbers with identities; far fewer records contained an email address. Most records contained names and genders, and many also included dates of birth, location, relationship status and employer. While Facebook stated on Twitter that the data stems from an incident in 2019, other security researchers assume that more recent data is also included.
What does it mean for me?
There are multiple scenarios in which cyber criminals may use this data. We present some of the most likely ones below.
Criminals can use the information for spam and phishing campaigns, especially by phone but also by email. Phishing via the telephone is in fact not uncommon: under false pretences, criminals try to obtain sensitive information or access through phone calls (vishing) or SMS messages (smishing). Given that the leaked data includes date of birth, relationship status and employer, such messages can be well tailored. A message may, for example, impersonate your partner or employer, or arrive disguised as birthday wishes.
What risks does this pose in a business context?
Your company's Facebook account (and the associated data, such as its telephone number) may be directly affected. Your leaked private details may also be in use in a business context, for example the private phone while working from home or the personal email address during evening overtime.
- Criminals launch targeted, personalised phishing campaigns by phone (calls and SMS) or email. The aim may be to obtain sensitive company data (e.g. credentials, payment information, business strategies), to extract payments or to gain access to the company's systems.
- Your business email account and phone are flooded with spam messages and calls, so relevant messages go unnoticed or are noticed only with a delay.
- Automated calls make the phone ring briefly (so-called ping calls). Calling back leads to premium-rate cost traps whose charges, in the case of a business telephone, must be borne by the company.
What risks does this pose in a private context?
This data breach will primarily pose risks for you as a private person. They are similar to the business risks:
- Your private email account and telephone are flooded with spam messages and calls.
- Criminals launch targeted, personalised phishing campaigns by phone or email to obtain personal data (e.g. passwords, payment information, identity details), to extract payments or to gain access to your devices and accounts.
- Automated calls make the phone ring briefly. Calling back leads to premium-rate cost traps.
What should I do?
To check whether your details were leaked, we recommend visiting the website Have I Been Pwned (haveibeenpwned.com), where you can look up both your phone number and your email address: enter it in the search box and press the search button. Phone numbers must be entered in international format, i.e. with the country code (for example +49 followed by the number without the leading zero).
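For anyone who wants to run the same check for a list of company addresses and numbers rather than one at a time in the browser, the following script queries the Have I Been Pwned v3 API. It is an added example and not part of the original advisory or of Perseus' tooling. It assumes an HIBP API key in the environment variable HIBP_API_KEY (the breached-account endpoint requires one), a default country code of +49 for numbers entered in national format (an assumption for the example), and a constructed sample response so that the parsing can be exercised offline; the field names follow the HIBP v3 breach model.

```python
"""Check an email address or phone number against Have I Been Pwned (HIBP).

Added example, not from the original advisory. Assumes HIBP_API_KEY is set
and that phone numbers are supplied in (or converted to) international
format, which is how HIBP indexes them.
"""
import json
import os
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

HIBP_ACCOUNT_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/"


def normalise_account(account: str, default_country_code: str = "+49") -> str:
    """Return an email address lower-cased, or a phone number in
    international format. '0151 234 5678' becomes '+491512345678';
    the default country code is an assumption for this example."""
    account = account.strip()
    if "@" in account:
        return account.lower()
    digits = re.sub(r"[\s\-()./]", "", account)   # drop spaces, dashes, brackets
    if digits.startswith("+"):
        return digits
    if digits.startswith("00"):                    # 0049... -> +49...
        return "+" + digits[2:]
    if digits.startswith("0"):                     # national format
        return default_country_code + digits[1:]
    return "+" + digits


def parse_breaches(body: bytes) -> list:
    """Turn the JSON array HIBP returns into (name, breach date, data classes)."""
    return [(b["Name"], b["BreachDate"], b["DataClasses"]) for b in json.loads(body)]


def sensitive_classes(breaches, watch=("Phone numbers", "Email addresses", "Passwords")):
    """Return the watched data classes that appear in any of the breaches."""
    seen = set()
    for _name, _date, classes in breaches:
        seen.update(c for c in classes if c in watch)
    return sorted(seen)


def query_hibp(account: str, api_key: str) -> list:
    """Query the API: HTTP 200 carries a list of breaches, 404 means not found."""
    url = HIBP_ACCOUNT_URL + urllib.parse.quote(normalise_account(account), safe="")
    req = urllib.request.Request(
        url + "?truncateResponse=false",
        headers={"hibp-api-key": api_key, "user-agent": "hibp-check-example"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return parse_breaches(resp.read())
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return []
        raise


# Constructed sample of a response for an account caught in the Facebook
# scrape; the data classes mirror what the advisory above describes.
SAMPLE_RESPONSE = json.dumps([{
    "Name": "Facebook",
    "BreachDate": "2019-08-01",
    "DataClasses": ["Dates of birth", "Email addresses", "Employers", "Genders",
                    "Geographic locations", "Names", "Phone numbers",
                    "Relationship statuses"],
}]).encode()


if __name__ == "__main__":
    key = os.environ.get("HIBP_API_KEY")
    if not key or len(sys.argv) != 2:
        sys.exit("usage: HIBP_API_KEY=... python hibp_check.py <email-or-phone>")
    found = query_hibp(sys.argv[1], key)
    if not found:
        print("not found in any breach known to HIBP")
    for name, date, classes in found:
        print(f"{name} ({date}): {', '.join(classes)}")
    print("watch list hits:", sensitive_classes(found))
```

The HIBP API is rate limited per key, so when running this over a company's address book, add a pause between requests and treat a 429 response as "retry later" rather than "not found".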
If your details were leaked, we strongly recommend the following steps:
- Change the password of your Facebook account.
- Enable two-factor authentication (2FA) for your account.
- Be wary of unexpected messages on your phone, for example a purported parcel-delivery notification. The crucial rule is not to open any links or attachments in messages or emails that you were not expecting. If you are unsure whether the sender is genuine, contact them through a channel you already know (not via the details in the message) and check whether they really sent it.
- Limit the information that is publicly visible on your Facebook profile.
- Restrict your location settings to what you actually want to share.
- Advise your colleagues to take the same steps.
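When a suspicious SMS or email has to be triaged anyway (for example because a colleague already forwarded it to the security team), it helps to look at the links without anyone tapping them. The script below is an added example, not part of the original advisory or of Perseus' tooling, and goes a little beyond the advice above: it pulls the URLs out of a message and flags the tricks smishing links commonly rely on (a brand name embedded in an unrelated domain, a bare IP address, user-info before an @ that hides the real host, punycode or non-ASCII hostnames, plain HTTP). The sample message and the allow-list of domains the genuine sender uses are constructed for the demonstration; the registered-domain helper is deliberately naive (last two labels) and a real deployment would use the Public Suffix List.

```python
"""Triage the links inside a suspicious SMS or email before anyone opens them.

Added example, not from the original advisory. Message text, allow-list and
the .example domains are constructed for the demonstration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

# Domains the purported sender really uses (constructed allow-list).
TRUSTED_DOMAINS = {"dhl.de", "dhl.com"}

# Constructed smishing text: one lookalike link, one genuine link.
SAMPLE_SMS = ("DHL: your parcel is waiting. Confirm the delivery fee at "
              "http://dhl-zustellung.example/track?id=4711 or see "
              "https://www.dhl.de/de/privatkunden.html")


def extract_urls(text: str) -> list:
    """Find http(s):// and www. links; strip trailing punctuation."""
    urls = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")
        if not url.lower().startswith("http"):
            url = "http://" + url
        urls.append(url)
    return urls


def registered_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (illustration only)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_url(url: str, trusted_domains: set) -> list:
    """Return the red flags for one URL; an empty list means nothing stood out."""
    flags = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.username is not None:
        # https://dhl.de@evil.example/ shows "dhl.de" first but goes to evil.example
        flags.append("user-info before @ hides the real host")
    try:
        ipaddress.ip_address(host)
        flags.append("bare IP address instead of a domain")
    except ValueError:
        pass
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        flags.append("non-ASCII or punycode host, possible homoglyph lookalike")
    if parts.scheme.lower() != "https":
        flags.append("not HTTPS")
    domain = registered_domain(host)
    if domain not in trusted_domains:
        brand_embedded = any(t.split(".")[0] in host for t in trusted_domains)
        note = " (brand name embedded in an unrelated domain)" if brand_embedded else ""
        flags.append(f"registered domain {domain!r} is not one the sender uses{note}")
    return flags


def triage(message: str, trusted_domains: set) -> dict:
    """Map every URL in the message to its list of red flags."""
    return {url: assess_url(url, trusted_domains) for url in extract_urls(message)}


if __name__ == "__main__":
    for url, flags in triage(SAMPLE_SMS, TRUSTED_DOMAINS).items():
        verdict = "OK" if not flags else "SUSPICIOUS"
        print(f"{verdict}: {url}")
        for flag in flags:
            print(f"    - {flag}")
```

An empty flag list only means the link passed these cheap checks; a link to a genuine domain can still lead to a compromised page, so the rule in the list above still applies: do not open what you did not expect, and confirm with the sender through a known channel.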
If you have any doubts, please contact Perseus.