CyberManDan

Security Advice & Blog

Well, in case you haven’t heard, the personal information of over 500 million Facebook users was recently made available for free on a hackers forum. There are plenty of lengthy articles online about the breach, but I’m purposely making this short(er) than others, just getting to the main facts of the matter, helping you understand what has happened, how it happened, what it means to you, and how to better protect yourself on Social Media.

So, let’s start with some basic facts…
– 533,313,128 accounts ‘breached’
– Details could include: Name, Date of Birth, Occupation, Phone Number, Email Address, Gender, Location, Relationship Status.
– Information has been made available for under $3 (being referred to as ‘free’ by many due to the low cost)

What Happened?
This has been referred to as information ‘scraping’ rather than an actual breach of security.

Facebook has a ‘feature’ where, when signing up for an account, you can allow Facebook access to your address book/contacts list, and it will help you find friends that have registered their phone numbers with their account, by matching them against your existing contacts.

What has apparently happened is that an address book was created with A LOT of phone numbers in it (some articles claim every phone number in the world – I think that’s a bit of an exaggeration). Then they’ve tried to match all of those phone numbers against users on Facebook. What information can be seen, and what has been gathered, then depends on what information you make publicly visible on your profile.

This is where the term ‘scraped’ has come from. No hacking was actually done of Facebook’s information, but instead information was scraped by using a loophole in a feature of theirs.

Facebook are blaming us – the users!
Is this fair of them? Why are we getting the blame and not Facebook?

Facebook chose NOT to report this as a breach under GDPR as they don’t consider it a breach of personal information. However, the DPC (Data Protection Commissioner) is investigating the incident.

Well, as I mentioned above, the (so-called) hackers have gathered information that WE make publicly visible from our Facebook profile. So, if a potential friend looks you up on Facebook, and you’re showing name, email address, occupation, etc., then these hackers have been able to get them.

It is, however, a question for debate as to how much responsibility Facebook should take in the matter. Although it is 100% in our control what information is made publicly visible, it is a misuse of a Facebook feature that has led to this. Facebook are claiming that this was the breach that happened in 2019, which they have acknowledged, and that they have ‘fixed’ this loophole in their address book feature. However, surely the possibility is still there, albeit on a much smaller scale… e.g. I could start a new Facebook account with my 100 phone contacts, and try and find those friends. It would take me a very long time to gather the information of 500 million people for sure, but technically still potentially possible.
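A toy model of the address-book matching described under ‘What Happened?’ and of the ‘fixed’ loophole mentioned above, added here as an illustration and not taken from the original post or from Facebook. The directory, the class and function names, the lookup cap and the consecutive-number check are all assumptions; the point is that a lookup only ever returns the fields a user has made public, and that a cap or a generated-list check limits bulk matching.

```python
from collections import defaultdict

# Constructed sample data: phone number -> (profile, fields the user made public).
DIRECTORY = {
    "+15550000001": ({"name": "Alice Example", "email": "alice@example.com",
                      "occupation": "Nurse"}, {"name"}),
    "+15550000002": ({"name": "Bob Example", "email": "bob@example.com",
                      "occupation": "Teacher"}, {"name", "email", "occupation"}),
}

def looks_generated(phone_numbers, threshold=0.5):
    """Hypothetical heuristic: real address books rarely hold runs of consecutive numbers."""
    nums = sorted(int(n.lstrip("+")) for n in phone_numbers)
    if len(nums) < 2:
        return False
    consecutive = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return consecutive / (len(nums) - 1) >= threshold

class ContactMatcher:
    """Toy model of a 'find friends from your address book' feature."""

    def __init__(self, quota=None, reject_generated=False):
        self.quota = quota                      # None = unlimited lookups per account
        self.reject_generated = reject_generated
        self.used = defaultdict(int)            # lookups consumed per account

    def match(self, account, phone_numbers):
        if self.reject_generated and looks_generated(phone_numbers):
            return {}                           # refuse uploads that look machine-made
        results = {}
        for number in phone_numbers:
            if self.quota is not None and self.used[account] >= self.quota:
                break                           # cap reached: stop answering
            self.used[account] += 1
            entry = DIRECTORY.get(number)
            if entry:
                profile, public = entry
                # Only the fields marked public are ever returned.
                results[number] = {k: v for k, v in profile.items() if k in public}
        return results

# Constructed inputs: a machine-made number range and an ordinary contact list.
BULK_BOOK = [f"+1555{i:07d}" for i in range(10)]
REAL_BOOK = ["+15550000002", "+15551234567", "+442071234567"]

if __name__ == "__main__":
    print(ContactMatcher().match("acct", BULK_BOOK))
    print(ContactMatcher(quota=2).match("acct", BULK_BOOK))
    print(ContactMatcher(reject_generated=True).match("acct", BULK_BOOK))
```

With no cap, both sample profiles are matched, but Alice (name only public) gives away far less than Bob (everything public).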

What can WE do?
So Facebook are playing down the breach, saying it’s not their fault but up to us. So how do WE take responsibility?

Firstly, only put information on Facebook that you don’t mind people seeing.
Remember, not everyone takes security seriously, and people’s Facebook accounts are getting hacked regularly. If your information is only available to your friends, and one of those gets hacked, your information is now available to a hacker.

Secondly, hide as much information as you can/want to from being publicly visible. Go to your Facebook settings and ‘Privacy’. Check through your current settings, and change what you want to change. I’m not going to tell you what you should or shouldn’t make publicly visible, that’s up to you, but you should be aware of what is, and then you can make that decision.

Thirdly, periodically go through your profile, your photos etc. and decide if you still want them there. Our views, opinions, life etc. change over time. Some embarrassing drunk photos from 7 years ago might not be something you want to exist on there anymore, or holiday snaps with an ex-partner etc.

 

Was my data included?
Probably one of the biggest questions on your mind: was my data part of this?

There’s a great website that I often link to called ‘Have I Been Pwned’. I’ll write another article on what this website does, why it’s safe, and how it can help you. But for now, feel free to visit the website, enter your email address and/or phone number, and see if your information was included in the breach. You can’t do anything about the breach happening, or your data being available online, but you can take extra care and be vigilant for any scam emails/texts/phone calls that might come your way as a result.