The logo of the social network Facebook (illustration). - SOPA Images / SIPA

  • Personal data concerning more than 500 million Facebook users, resulting from a security breach dating back to 2019, was posted this weekend on a hacker forum.

  • France is one of the countries with the most victims, with 20 million users affected out of 40 million Facebook subscribers in France, or one in two users.

  • “It would not be surprising if hackers exploited the data obtained to carry out targeted phishing campaigns [...]. It is also likely that cybercriminals will use this information to impersonate the hacked person,” said Dimitry Galov, security expert at Kaspersky.

Names, e-mail addresses, phone numbers, dates of birth... Stemming from a security breach dating back to 2019, the personal data of more than 500 million Facebook users was uploaded this weekend to a hacker forum.

This gigantic database, which contains a great deal of personal user information, is thus freely accessible on the Internet.

"This file had already been marketed on the Darknet for several months, but it suddenly became accessible to a greater number of malicious people," explains Alon Gal on Twitter. Gal, co-founder of Hudson Rock, a company specializing in cybercrime, raised the alert on Saturday.

In total, 533 million Facebook users - out of 2.7 billion - are affected, all over the world.

France is one of the countries with the most victims, with 20 million people affected out of 40 million having a Facebook account in France.

How do you know if you are one of the affected users? What risks do the victims of this data breach face? What can you do to protect yourself? What responsibility does the social network bear? 20 Minutes takes stock of this unprecedented flaw affecting Facebook, as well as its Instagram subsidiary.

Where does this data breach come from?

To understand where this leak comes from, we have to go back to September 2019. At the time, a cybersecurity specialist had discovered a major flaw in Facebook's security, more precisely in the feature that lets users import their contacts onto the platform.

Hackers then took the opportunity to collect, en masse, the data of millions of people.

A hacker - who thus managed to collect some 530 million phone numbers - put this data on sale last January on the Telegram messaging application.

The affair then took on a new dimension this Saturday, April 3, when the entire database appeared, free and openly accessible, on specialized forums.

For Facebook, this data breach is the work of "malicious actors".

These data come from a leak that dates back to 2019 and which "has since been resolved," a Facebook official said in a statement on Wednesday.

For the social network, this data was not obtained by hacking its systems, so it is not a question of hacking but of scraping, a method which consists of looting Facebook profiles via software that imitates the network feature that helps members easily find friends, thus retrieving contact lists.

"The data did not include financial information, health information or passwords," the platform also assured, saying it is "convinced that the specific problem that allowed this data to be recovered in 2019 no longer exists".

What are the risks for the victims?

Stolen data, including emails and phone numbers, expose victims to marketing spam.

But the main risk is having their phone number or email address used for malicious purposes.

“It wouldn't be surprising if hackers exploited the data obtained to conduct targeted phishing campaigns, in which malicious emails appearing to be from a trusted sender, for example from your friend's Facebook email address, would be sent. It is also likely that cybercriminals will use this information to impersonate the hacked person, who could thus be the victim of identity theft,” explains Dimitry Galov, security expert at Kaspersky.

How do you know if you are a victim?

Since Facebook has not yet taken any initiative to notify victims, despite its obligation to do so under the Personal Data Protection Act (GDPR), users must turn to specialized sites.

Among them is the Have I Been Pwned? platform, which lets Internet users find out whether their e-mail address is part of a hacked database.

The platform's founder, Troy Hunt, has just updated it to allow Facebook users to check if their phone number was affected by the hack.

You can now search @haveibeenpwned for phone numbers in the Facebook data.

Here's why, and how it works: https://t.co/xUnMTE26Ms

- Troy Hunt (@troyhunt) April 6, 2021

In the search box displayed on the homepage of haveibeenpwned.com, enter your phone number in international format.

For a French number, you must enter +33 followed by your mobile number without the zero (+336… or +337…), and then click on “pwned?”.

If your number was found in this data breach, the platform displays an alert on a red background.

The site then lists the type of information concerned: telephone numbers but also date of birth, e-mail address, employer or marital status, depending on the information provided on the Facebook account.

If your number was found in this data breach, the platform displays an alert on a red background indicating the type of information that may be there. - Screenshot Have I Been Pwned?

How to better protect yourself?

Given the scale of the leak, if you created your Facebook account before 2018, the social network strongly recommends enabling two-step authentication.

“We advise users to perform regular privacy checks […] including who can see certain information on their profile, and enable two-step authentication,” Facebook explains.

"In order to stay safe from hackers who might exploit this data, care should also be taken when receiving e-mails that may seem strange, even if they appear to come from a trusted person," explains Dimitry Galov.

"We recommend never clicking on links or attachments in emails and always checking for grammar or spelling errors (often a sign that the email is a phishing attempt)," adds the security expert at Kaspersky, who nevertheless points out that "to protect personal information online, the best thing to do is to limit the type of information that is shared on social media platforms".

What responsibilities for Facebook?

"In view of the massive data leakage, Facebook has not necessarily taken all the appropriate and effective measures to guarantee the protection of the personal data of its users," said Alexandre Lazarègue, a lawyer specializing in digital law and cybercrime.

Article 34 of the "Informatique et Libertés" law provides for an obligation for any data controller to "take all useful precautions, with regard to the nature of the data and the risks presented by the processing, to preserve data security," explains the lawyer, who also mentions "the obligation of data security prescribed by article 226-17 of the penal code".

Individuals affected by data leaks can therefore file a complaint, Alexandre Lazarègue believes.

“It will therefore be up to Facebook to provide proof of the sufficiency and effectiveness of the security measures it has taken”.

The CNIL may also initiate a procedure, and in particular ask the publisher of the site which publishes this data, then its host, to remove this file or to make the database in question, or the site hosting it, inaccessible.
