Over the weekend, Alon Gal, CTO at Hudson Rock, who runs Under The Breach, revealed that details from a 2019 Facebook hack have now been leaked online for free. When the hack occurred, it was concerning enough that a massive dataset covering more than 533,000,000 Facebook users was posted for sale. Opening it up to the world means this info is now publicly available.
More than 7.3 million Australians have had their details leaked as part of this data breach, which was possible through a security vulnerability that has since been patched.
So now for the details. The data includes:
- Facebook ID
- Full name
- Phone number
- Location
- Past Location
- Date of Birth
- Email Address (subset)
- Account Creation Date
- Relationship Status
- Bio
While there are no credit card details or passwords included in this data, if you're impacted, you should be aware that bad actors will likely use the leaked data against you. We should expect it to be used for social engineering attacks, spam and, in the worst case, to power identity theft.
Unfortunately, there really isn't any way to have your data removed from the list, as there are now multiple copies circulating. It's not possible to change details like your date of birth, and it's not easy to change your name, email address or phone number.
Services like banks or credit agencies should have strict evidence requirements to create accounts, like supplying 100 points of ID and requiring the sighting of original driver's licenses, passports and Medicare cards.
While not related to this attack, many of those friends who claim they've had their 'Facebook hacked' are really just victims of a basic brute force attack on a weak password. This serves as a timely reminder that protecting your account is best done using multi-factor authentication (MFA) and a strong password (longer is better).
Once set up, a notification will be sent to you via SMS or from an Authenticator app, which ensures the person signing in has access to something you have (your phone) as well as something you know (your username and password). You will be prompted for an MFA approval when signing in from a new browser or device. While slightly less convenient, it goes a long way to securing your accounts online, so please enable it not just for Facebook, but for any service that offers it.
More info on MFA setup is available here and you can download Microsoft Authenticator or Google Authenticator apps here.