Catch Of The Week: Facebook Data Breach

By BECKY RUTHERFORD
Los Alamos

In the news lately, Facebook is dealing with yet another data breach. Oof, so who hasn’t been breached recently? It’s easy to brush this off as just another data breach (so many lately, it’s hard to keep track of), but it’s not that simple, according to cybersecurity experts.

First off, this breach is massive at about half a billion Facebook users, from 106 different countries. What sort of data was breached? Full names, birthdays, phone numbers, and location. Your Facebook passwords were not affected by this breach, which is always a plus, but it’s still pretty bad.

When did this happen? There’s some confusion … According to Facebook, this is an old breach from 2019. The company said that they previously reported this breach and patched the underlying vulnerability already. According to multiple news sources, including Wired, the data first appeared on the dark web in 2019 but came from a breach that Facebook did not disclose at the time and only fully acknowledged this week.

Facebook has had numerous breaches, which has led to some confusion on this. The actual breach may be one that occurred in 2019 but wasn’t disclosed until now. The leaked data is likely the result of a vulnerability with their contact importer feature, a bug that was subsequently patched.

Facebook’s lack of timely response on this matter has only added to the confusion. Keep in mind that massive datasets like this are commonly sold on criminal forums, and often the datasets are mashed together. So rather than data from just one breach, you might be dealing with data aggregated from multiple breaches, which only adds to the confusion here.

Why does this matter? Attackers can use data from breaches like this to gain access to your sensitive information, frequently via targeted phishing attacks. They could also potentially use this information in combination with existing user data online to gain access to other accounts. You may also notice an increase in spam and scam calls. Anyone else want to talk about their car’s extended warranty? Again? And again … forever … Data breaches like this are an absolute treasure trove for attackers.

What can you do? You can check to see if you were affected by this breach at the third-party website https://haveibeenpwned.com/, which makes it simple to check. Just input your email, and it will check to see if your email address was affected. If your email is among those affected, there’s not much you can do other than be aware and be cautious with unsolicited emails, phone calls, social media messaging, and text messages. If something seems suspicious or too good to be true, it probably is. Don’t click the link, and never give out personal or sensitive information to anyone via an unsolicited phone call, text message, or email.

Having an online presence is great, but keep in mind it opens you to numerous risks from online criminals. Be aware that your information has likely already been breached, and use caution in all online activities.

Editor’s note: Becky Rutherford works in information technology at Los Alamos National Laboratory.
