Tuesday, April 6, 2021

Facebook Had a 500-Million User Data Leak: Now What?

Back in 2019, the Facebook data of around 500 million users was breached. That may sound like a lot, and is certainly nothing to scoff at, but it actually isn't even in the top 15 largest breaches of all time. Nonetheless, just recently, that data was leaked to the public and is currently circulating around the internet. To give you an idea, the types of data breached and leaked include profile names, Facebook ID numbers, email addresses, and phone numbers. That is according to WIRED's article by Lily Hay Newman on the matter. As a side note, you can check to see if your data was leaked on HaveIBeenPwned. That will allow you to see if your phone number or email was exposed in this hack (and others).

So what does this Facebook data leak mean in the macro sense? Well, unfortunately, unless you are someone who never uses the internet, it is quite likely you have had to put some of your sensitive information out there, and that information will always remain, at least broadly, vulnerable to a data breach. In this case, according to the article, the data was vulnerable to attack due to a bug in Instagram's ability to import contacts. Some might think that this is Facebook's fault outright and was possibly a result of poor coding choices and/or data management, but it is far too complicated to tell. One shouldn't place blame completely on Facebook, as things like this will happen from time to time, as unfortunate as they may be. After all, computers are only as good as the humans who use them, so human error is inevitable. In fact, Facebook did make it clear that it did not expose this data intentionally, but that it was scraped from their backend.

Where Facebook could have done better, though, was in acknowledging the breach, back when it happened and/or when the data was leaked recently. For example, the article mentions that the Irish Data Protection Commission said in a statement on Tuesday that it "received no proactive communication from Facebook" regarding the breach. This isn't best practice in my opinion, but perhaps there was good reason for not being so clear on the matter.

So, back to the central question of this post: now what? What should you, as perhaps a Facebook user, do now? The first thing you can do is check the website mentioned above to see if your data was leaked. After that, there is not much to do other than to keep an eye out for spam emails, phone calls, and other malicious activity.

It is a terrible day when data is breached, but this isn't going anywhere, and cybersecurity experts are in a constant battle. I think that if companies like Facebook keep coming up with new and innovative ways to encrypt data, it is possible to stop these types of attacks, but they will probably never go away altogether.

Source: https://www.wired.com/story/facebook-data-leak-500-million-users-phone-numbers/


4 comments:

  1. After reading your blog post, I decided to look into how data breaches occur, and some of the steps you can take to prevent them. I did some research, and found that it’s not always hackers that cause them. They are oftentimes unintentional, and could be a result of a minor error in coding, like you mentioned. They can also be caused by weaknesses or gaps in the organization’s infrastructure.

    Data breaches also aren’t always defined as data leaking out into the world for everyone to see. A different example of a data breach is when an employee is using another employee’s laptop or system and is able to see their documents without having the necessary permissions. In this case, the data is not being shared or leaked per se, but someone would be reading or viewing files that they were not authorized to read or view. I personally did not know that this was considered a breach, so I found this pretty interesting.

    Then there is of course the typical example of an outside hacker. This happens when someone gets into a company’s databases and intentionally spreads the confidential data to the public for the purpose of damaging the organization. This type of data breach is probably the most common, or widely known. Usually, a hacker will find a hole or gap in the company’s firewall and use it as a way in. I know that some companies even pay professional hackers to try to break into their firewall to try to find holes or gaps, so that they can strengthen their security. This can also be known as penetration testing. Pen test results are highly confidential to a company, because they basically give you the keys to break in.

    Some common methods that hackers use to commit cyberattacks include phishing and malware. Phishing happens all the time, to every one of us. I for one receive suspicious looking links within emails and phone calls from unknown numbers all the time. Phishing is where a hacker will try to trick you into leaking your own confidential data through ways that I just mentioned, like sending links or calling you asking for sensitive information.

    Malware, like I described above, is when a hacker finds a vulnerability in your security and uses it as a way to breach your data. A common vulnerability is when your credentials have been shared or stolen, or just aren’t strong enough. You should never share or reuse passwords for this reason.

    There is also the unfortunate situation where a person or employee may lose their device, and failed to encrypt their information containing confidential data. This makes it very easy for a hacker or any individual really to access and leak the contents of the device.

  2. Erik, I really enjoyed reading your blog, as the issue of data breaches is clearly one of the most talked about and pressing issues of the 21st century. I remember when this news story broke that nearly 500 million people's data had been compromised as a result of "a bad code." I remember watching the news when this story broke and wondering to myself "how in the world could Facebook write a code that would allow 500 million data points to be leaked." I understand now from your article and from some quick research that it was in fact a little more complicated than that.

    Facebook's official statement regarding the break stated "This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers." Facebook was basically contesting that the reason their data was leaked was because the software had not been updated just yet. According to the Guardian Report "Facebook is trying to play down the impact of this security and privacy mess by claiming that the actual number of users whose information was exposed was approximately 210m because the 419m records contained duplicates." This quote is very interesting to me and goes along with what you said regarding that Facebook did not actively try and reach out proactively to the Data Protection Committee.

    To me it seems that Facebook did obviously not intentionally or knowingly leak the data. However, they did not do a great job of informing people clearly of the mistake that they made. They even tried to downplay how much data was leaked. The question has to be asked if this happens again, to any company, how will they handle it?

  3. Erik, I found your topic to be extremely interesting and relevant to people of our age especially who use social media at the speed our generation and the younger generation tend to use it. When you think of breaching or also a form of hacking, social media is typically the first thing that comes to mind whether it be Instagram, Snapchat, Email, FaceBook, Twitter, etc. Unfortunately, these social media apps are constantly getting broken into without the users' control. The only way to truly slow down the number of breaches is to constantly change your password or to keep an eye on it through the website HaveIBeenPwned which you stated in your blog. It is also crazy to think that this happened because of "a bad code" when you would think coding experts would not make such a simple mistake for such a huge company like FaceBook.

    I have never heard about this exact breach in the past; however, this is one of the main reasons why I never created a FaceBook account. Yes, I am aware that you can access people's information through any social media app, but when hearing a while ago that people were being stalked on FaceBook for the simple information given on their profile, I chose to stay away for my own safety. Phone numbers, email addresses, profile names, and FaceBook ID numbers are all types of data that have been leaked on FaceBook.

    In my opinion, obviously FaceBook did not do this on purpose. I do believe that it was just a simple mistake in the code and caused this to happen. I do agree with you that it was not the best practice to not necessarily inform Irish Data Protection Commission of what was happening. One of the biggest concerns following this incident is to ask the question "Where do we go from here to make sure this does not happen again"? Is there even a way to put an end to this?

  4. Erik, after reading your post and the article about this data breach it made me really think about the privacy on the internet. Companies continue to get hacked more and more and there needs to be a better protocol. I found it unbelievable that the 500 million user data that was stolen was not as large as it sounds. The statistic that you mentioned that this Facebook breach was not even in the top fifteen breaches of all time. Back to the focus of the article, I agree with you that there is only so much a company can do, in terms of protecting data from hackers. However, when I read that Facebook did not communicate to others about actively helping to prevent or stop another breach it was unbelievable. Today, everyone uses their phones throughout the day and our lives have almost become a part of our phones. These applications that we download are collecting data and it is scary that our private information can be stolen. Today, people practically have made smart phones essential needs in our lives. Therefore, these smart phones and applications are constantly collecting data on us. Furthermore, we have seen that as technology continues to advance, so do the hackers. Personally, I don't believe that hackers will always find a way to breach a company's security system. Therefore, I think they should set up a protocol to be prepared for what actions need to be taken in order to limit the damage that is being done during the breach. Overall, I thought you had a very good analysis on this article and I learned that in terms of data breaching there is so much data available that a lot may not seem as much as it sounds.
