In the past week, 533 million Facebook profiles have reportedly been leaked to hacker forums. The leaked data included each victim's Facebook ID, name, gender, and even their mobile phone number. Facebook disclosed that the attacker did not penetrate its security, and instead attributed the leak to web scraping. Facebook believes the attacker started with a master list of phone numbers, then used the contact import feature to discover which of those numbers were linked to user profiles. Finally, the culprit scraped the resulting data and leaked it online.
Facebook originally intended the contact import feature to help new users find friends from their contact list. It did not expect, however, that malicious actors would use it to harvest private information. Fortunately, the feature no longer has the vulnerability, so it can no longer be abused in this way.
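Abuse of a contact-import lookup, as described above, looks different from a genuine address-book upload: one account submits far more numbers, and far more requests, than any real contact list would contain. The following is an added detection example, not Facebook's code; the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
# Added example: flag accounts whose contact-import volume looks like
# phone-number enumeration rather than a real address-book upload.
import re
from collections import defaultdict

# Constructed sample of a hypothetical contact-import audit log.
# One line per import request: "<ts> account=<id> lookups=<n> matched=<m>"
SAMPLE_LOG = """\
2021-04-03T10:00:01Z account=u100 lookups=42 matched=17
2021-04-03T10:00:05Z account=u200 lookups=5000 matched=2210
2021-04-03T10:00:09Z account=u200 lookups=5000 matched=2198
2021-04-03T10:00:13Z account=u200 lookups=5000 matched=2240
2021-04-03T10:00:20Z account=u300 lookups=120 matched=60
"""

LINE_RE = re.compile(r"account=(\S+) lookups=(\d+) matched=(\d+)")


def summarize(log_text):
    """Aggregate requests, numbers looked up and numbers matched per account."""
    totals = defaultdict(lambda: {"requests": 0, "lookups": 0, "matched": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed or unrelated lines
        acct, lookups, matched = m.group(1), int(m.group(2)), int(m.group(3))
        totals[acct]["requests"] += 1
        totals[acct]["lookups"] += lookups
        totals[acct]["matched"] += matched
    return dict(totals)


def flag_enumeration(log_text, max_lookups=1000, max_requests=2):
    """Return accounts exceeding a plausible address-book size or number of
    uploads. Thresholds are assumptions; tune them to observed user behaviour."""
    flagged = []
    for acct, t in summarize(log_text).items():
        if t["lookups"] > max_lookups or t["requests"] > max_requests:
            flagged.append(acct)
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))  # -> ['u200']
```

Per-account volume thresholds are a starting point; in practice they would be combined with rate limiting on the endpoint itself so that a single account cannot submit thousands of numbers per request.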
In a statement, Facebook claimed, “Scraping data using features meant to help people violates our terms”. The public met this response with criticism of the tech giant for using scraping as a scapegoat for the leak. It is also believed that Facebook tried to save face by saying the attacker had simply violated its terms and conditions. Experts hold Facebook accountable, pointing out that it cannot expect attackers to comply with its terms of service. One such security expert, the infosec blogger John Opdenakker, responded with a tweet mocking Facebook’s response: “Thou shalt not scrape data from Facebook, thou naughty attacker! This post is just pathetic”.
How to stay safe
Despite the size of the breach, Facebook users can use tools to check whether their data was included in the leak. Two websites currently allow users to find out if the data breach has affected them: Have I been Zucked? and Have I been Pwned.