fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Facebook Attributes 533 Million Users’ Data Leak To “Scraping” Not Hacking

Facebook Attributes 533 Million Users’ Data Leak To “Scraping” Not Hacking

Facebook has now released a public statement clarifying the cause of and addressing some of the concerns related to the recent data leak.

As reported last week, information of about 533 million Facebook profiles surfaced on a hacker forum.

From the Facebook data samples seen by BleepingComputer, almost every user record had a mobile phone number, a Facebook ID, a name, and the member’s gender associated with it.

The company states that the information exposed was not obtained from the hacking of an unsecured system but rather scraped from public profiles, prior to September 2019.

Data leak attributed to web scraping

Facebook has shed some light on the recent data leak comprising 533 million Facebook user profiles, data from which was posted on a hacker forum last week.

In a public statement released a few hours ago, the company states that the leak resulted from bulk scraping of profiles using a large set of phone numbers linked to these profiles, rather than from hacking of the platform:

“This is another example of the ongoing, adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet services.”

“As a result of the action we took, we are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists,” said Mike Clark, Product Management Director at Facebook in a statement.

Soon enough, after reports of data leak emerged, an EU data regulator, the Data Protection Commission (DPC) of Ireland began investigating the incident.

When details on this data leak had initially disclosed, a Facebook’s spokesperson was quick to declare this as old news related to an issue the company had already remedied:

Also Read: PDPA Compliance Singapore: 10 Areas To Work On

Facebook believes that malicious actors had scraped the leaked data in question from people’s Facebook profiles by abusing the “contact importer” feature back in September 2019.

“This feature was designed to help people easily find their friends to connect with on our services using their contact lists.”

“When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer… to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users,” said the company.

Prior to these changes having been implemented, Facebook’s endpoints could be queried by anyone to obtain a limited set of public data from user profiles.

But, this information did not include financial information, health information, or passwords, the company has clarified.

Not all experts happy with the response

While Facebook attributes this data leak to web scraping, this usually involves collecting public information from websites.

In this case, attackers used a weakness in the Facebook ‘Contact Importer’ feature to mass query private phone numbers and then scrape associated public information that was returned by the tool.

This allowed the threat actors to create a massive list of Facebook users, including their phone numbers and scraped public information, by mass querying phone numbers over and over.

Facebook’s scapegoating of the data leak to web scraping has not sat well with everyone in the security community.

Infosec blogger John Opdenakker called the company’s response “pathetic.”

Security expert Troy Hunt, who is also the creator of Have I Been Pwned, also expressed his thoughts on the matter:

Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, who had first brought the data leak to light referred to the incident itself as an “absolute negligence” of the users’ data.

Also Read: What Does A Data Protection Officer Do? 5 Main Things

Facebook users can search data breach monitoring services like Have I Been Zucked? and Have I Been Pwned stepped up by their Facebook email address or linked phone number to find out if their data was impacted by this leak.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us