09.04.2021

Millions of Facebook users' data published. What now?

Telephone numbers in particular are affected by the incident, but also e-mail addresses, dates of birth and real names. The risks for companies and private individuals should not be underestimated. Learn what this means and how to find out if you’ve been affected.

What happened?

At the beginning of April, data from about 533 million users of the social network “Facebook” were published on the Internet. As security researcher Troy Hunt describes on his blog, the primary value of the published data is the connection of phone numbers to the identity of people. Email addresses were affected much less frequently. Most of the data records contained names and gender, many also included date of birth, place of residence, relationship status and employer. While Facebook points out on Twitter that this is data from an incident in 2019, other security researchers assume that more recent data is also included.

What does this mean for me?

There are several scenarios in which cybercriminals can use this data. Below we present some of the most likely ones.

Criminals can use the information for spam and phishing campaigns – especially by phone, but also by email. Phishing campaigns over the phone are by no means uncommon. Under false pretenses, the criminals try to obtain sensitive information or access by phone call (vishing) or SMS (smishing). Given the leaked data, which includes date of birth, relationship status and employment information, the messages can be tailored to you personally or to your business. For example, the criminals may pose as your partner or employer in the message, or pretend to send you birthday wishes.

What risks does this pose in a business context?

Your company’s Facebook account (and associated data such as the phone number) may be directly affected. The stolen private data can also be misused in a business context – for example, via the private telephone used in the home office or the personal e-mail address used during evening overtime.

  • Criminals launch targeted and personalized phishing campaigns by phone (calls and SMS) or email. The aim may be to obtain sensitive company data (e.g. access data, payment information, business strategies), to obtain payments or to gain access to the company’s systems.
  • Your work email account and phone are flooded with spam messages and calls. Relevant messages remain undetected or are only noticed with a delay.
  • Automated calls make the phone ring briefly. Callbacks lead to cost traps, which in the case of a business phone are borne by the company.

What risks does this pose in a private context?

Primarily, this data breach will probably entail risks for you as a private individual. These are similar to business risks:

  • Your personal email account and phone are flooded with spam messages and calls.
  • Criminals launch targeted and personalized phishing campaigns by phone or email to obtain personal data (e.g., passwords, payment information, identity), obtain payments, or gain access to your systems.
  • Automated calls make the phone ring briefly. Callbacks lead to cost traps.

What can I do?

To check whether your data has been published, we recommend visiting the “Have I Been Pwned” website, where you can check your phone number and email address. Type it into the search box and press the “pwned?” button. The results are shown in English.
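For an IT administrator who wants to check a whole list of company mailboxes rather than typing each one into the website, the following script is an added example (not part of this article and not Perseus’ code) that queries the Have I Been Pwned v3 API with the Python standard library. It assumes you hold an HIBP API key (placeholder below), that the API still answers 200 with a JSON array of breaches, 404 for an unlisted account and 429 with a retry-after header when rate limited, and that HIBP labels exposed phone numbers with the data class “Phone numbers”; the sample addresses are constructed.

```python
"""Batch check of e-mail addresses against the Have I Been Pwned v3 API.

Added example, not code from the Perseus article. It assumes you hold an HIBP
API key (placeholder below); everything else is the Python standard library.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

HIBP_API = "https://haveibeenpwned.com/api/v3/breachedaccount/"
API_KEY = "REPLACE_WITH_YOUR_HIBP_API_KEY"   # placeholder: issued at haveibeenpwned.com
USER_AGENT = "example-breach-check/1.0"      # HIBP rejects requests without a user-agent


def parse_breach_response(status, body):
    """Map an HTTP status and JSON body to a list of (breach name, data classes).

    HIBP answers 200 with a JSON array of breach objects for a known account
    and 404 with an empty body for an account found in no breach.
    """
    if status == 404:
        return []
    if status != 200:
        raise RuntimeError(f"unexpected HIBP status {status}")
    return [(b["Name"], b.get("DataClasses", [])) for b in json.loads(body)]


def check_account(email, api_key=API_KEY, retries=3):
    """Query HIBP for one address, waiting on 429 rate-limit responses."""
    url = HIBP_API + urllib.parse.quote(email, safe="") + "?truncateResponse=false"
    req = urllib.request.Request(url, headers={"hibp-api-key": api_key,
                                               "user-agent": USER_AGENT})
    for _ in range(retries):
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return parse_breach_response(resp.status, resp.read().decode())
        except urllib.error.HTTPError as err:
            if err.code == 404:          # not in any breach
                return []
            if err.code == 429:          # rate limited: retry-after is in seconds
                time.sleep(int(err.headers.get("retry-after", "2")))
                continue
            raise                        # 401 (bad key) and the like are real errors
    raise RuntimeError(f"gave up on {email}: rate limited {retries} times")


def triage(results, watch="Phone numbers"):
    """Sort addresses by exposure.

    results maps address -> list of (breach name, data classes). Addresses
    whose breaches exposed the watched data class (phone numbers, the key
    asset in the Facebook incident) go to 'phone_exposed'; other breached
    addresses to 'other'; unbreached ones to 'clean'.
    """
    out = {"phone_exposed": [], "other": [], "clean": []}
    for email, breaches in sorted(results.items()):
        if not breaches:
            out["clean"].append(email)
        elif any(watch in classes for _, classes in breaches):
            out["phone_exposed"].append(email)
        else:
            out["other"].append(email)
    return out


if __name__ == "__main__":
    # constructed sample addresses; replace with your company's mailboxes
    addresses = ["alice@example.com", "bob@example.com"]
    found = {}
    for addr in addresses:
        found[addr] = check_account(addr)
        time.sleep(1.5)   # pause between calls; adjust to the rate limit of your key
    for bucket, emails in triage(found).items():
        print(bucket, emails)
```

The address is percent-encoded before it goes into the URL path, 404 is treated as the normal “not found” answer rather than an error, and the phone-number triage is done on the breach’s data classes, so the script keeps working if HIBP renames the breach or adds further incidents that exposed phone numbers.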

If your data has been published, we recommend that you take the following steps:

  • Change the password to your Facebook account.
  • Set up two-factor authentication (2FA) for your Facebook account.
  • Watch out for any suspicious messages you receive on your phone, for example messages about the delivery of orders. Crucially, do not open any links or files in messages or emails that you weren’t expecting. Do not pass on sensitive data (e.g. company internals, passwords, etc.) without verification. If you’re not sure whether the sender is genuine, find an alternative way to contact them and check whether they really sent the message.
  • Restrict your public information on Facebook.
  • Publish only the location data you want to share.
  • Advise your colleagues to follow the same steps.
  • If you have any doubts, please feel free to contact Perseus.