A database containing more than 267 million Facebook user IDs, phone numbers, and names was left exposed on the web for anyone to access without a password or any other authentication. In total 267,140,436 records were exposed. Each contained:
- A unique Facebook ID
- A phone number
- A full name
- A timestamp
The server included a landing page with a login dashboard and welcome note. Facebook IDs are unique, public numbers associated with specific accounts, which can be used to discern an account’s username and other profile info. The full report can be found here: https://www.comparitech.com/blog/information-security/267-million-phone-numbers-exposed-online/
Commenting on this, Tim Mackey, Principal Security Strategist at the Synopsys CyRC (Cybersecurity Research Centre), said “Another day, another unsecured database found on the internet. With this database containing Facebook related data, its obvious to ask what role Facebook might have played in this activity. In this case, we can look to two specific areas; the Facebook API and the public settings of Facebook accounts. In both cases, the scope of data available to third parties has varied over time. This varied access model illustrates a key lesson for anyone implementing an API – build a threat model which includes malicious use of the data available from the API. In effect, if there is interesting data to be had via an API, then anyone interested in that data will eventually discover the API and either use or misuse it. In other words – Given access to any data, people will find a way to use, and potentially misuse it.
This same paradigm applies to public settings like those used within Facebook – but with a twist. Where an API is targeted at developers who have security training, properly securing public settings historically has expected the end user to set them properly. In other words, companies have expected lay users to understand the privacy implications of whatever settings they provided. This is an unrealistic expectation given that the lay user has no mechanism or experience to vet the security practices of any business. They place their trust in that business to “do the right thing” with their data. Which means that any threat model around access to user data needs to incorporate what the potential reputational damage to the business might be if the default access controls are set incorrectly.”
Irfahn Khimji, country manager for Canada at Tripwire Inc, added “It is important for anyone using the internet to remember that anything posted online, once posted, can potentially be seen by anyone. As we have seen in recent data breaches everything from phone numbers to health records have been made public. Practicing due care and ensuring that only information one is comfortable with being made public should be freely posted on social media sites.”
Jonathan Devaux, head of enterprise data protection at comforte AG, concluded “It seems FB is in the news every month with a cybersecurity issue. The term “too big to fail” may not apply to Facebook, but they do seem to be failing at data security, left and right. Even though the California Consumer Privacy Act (CCPA) is not finalized, when it does become enforceable in early 2020, it is possible that Facebook users (and ex-users) will exercise their Rights under CCPA, which could force FB to take a more serious approach to improve their security posture.”
(10)
Article Link: http://digitalforensicsmagazine.com/blogs/?p=2936