Millions of Facebook users’ data published. What now?

Threat Alert

Telephone numbers in particular are affected by the incident, but also e-mail addresses, dates of birth and clear names. The risks for companies and private individuals should not be underestimated. Learn what this means and how to find out if you are affected.

What happened?

At the beginning of April, data of about 533 million users of the social network “Facebook” were published on the Internet. As security researcher Troy Hunt describes on his blog, the primary value of the published data is linking phone numbers to people’s identities. Email addresses were affected much less frequently. Most records included name and gender, and many also included date of birth, place of residence, relationship status and employer. While Facebook indicated on Twitter that the data was from an incident in 2019, other security researchers assume that more recent data is also included.

What does this mean for me?

There are several scenarios of how cyber criminals can use this data. Below we present some of the most likely ones.

Criminals can use the information for spam and phishing campaigns – especially by phone, but also by email. In fact, phishing campaigns over the phone are not uncommon. Under false pretenses, criminals try to obtain sensitive information or access via phone call (vishing) or SMS (smishing). Given the leaked data – which includes date of birth, relationship status and employment information – the messages can be tailored to your exact person or company. This means that in the message, the criminals may pose as your partner or employer, for example, or pretend to send you birthday wishes.

What risks does this pose in a business context?

Your company’s Facebook account (and associated data such as phone number) may be directly affected. Or you may also use the stolen private data in a business context – for example, the private phone in the home office or the personal email address during evening overtime.

Criminals launch targeted and personalized phishing campaigns by phone (calls and SMS) or e-mail. The goal may be to obtain sensitive company data (e.g., login credentials, payment information, business strategies), solicit payments, or gain access to the company’s systems.
Your business email account and phone get lost in spam messages and calls. Relevant messages go undetected or are noticed only after a time delay.
Automated calls make the phone ring briefly. Callbacks lead to cost traps that have to be borne by the company on a business phone.

What risks does this pose in a private context?

Primarily, this data breach will probably entail risks for you as a private individual. These are similar to the business risks:

  • Your private e-mail account and telephone will be lost in spam messages and calls.
  • Criminals launch targeted and personalized phishing campaigns via phone or email to obtain personal data (e.g., passwords, payment information, identity), solicit payments, or gain access to your systems.
  • Automated calls make the phone ring briefly. Callbacks lead to cost traps.

What can I do?

To check whether your data has been published, we recommend that you visit the “Have I Been Pwnd” website, where you can check your phone number and email address. Enter them into a search box and press the “pwnd?” button. The results will appear in English.

If your data has been published, we recommend you to take the following steps:

  • Change the password to your Facebook account.
  • Set up 2FA authentication for your Facebook account.
  • Pay attention to suspicious messages you receive on your phone. These can be messages about order delivery, for example. It is crucial that you do not open any links or files in the messages/emails that you were not expecting. Do not give out sensitive data (e.g. company internals, passwords, etc.) without reassuring yourself. If you are not sure if the sender is genuine, find an alternative way of contacting them and check if they really sent the message.
  • Limit your public information on Facebook.
  • Post only the location information you want to share.
  • Advise your colleagues to follow the same steps.
  • If you have any doubts, feel free to contact Perseus.