Anyone in the security space knows that using the “B” word (breach) is dangerous and prefers the safer word “incident.” However, for the past two years, U.S. consumers have seen (and felt) the damaging effects of BREACH AFTER BREACH of Facebook’s platform. And all I have to say is thank god the CCPA comes into effect on January 1, because 2020 will be the year Facebook is seriously held accountable for its reckless disregard for user information and for what seems to be a never-ending cycle of the company announcing breach after breach.
And rightfully so, it should receive harsh penalties for its clear lack of judgment.
And if you doubt it, just wait until the 2020 election period grows even more intense.
At this point, it’s absolutely sickening to see how much power and control the company has, and how completely it disregards its users. But with massive news like this, what do you think Facebook’s latest excuse was following last week’s announcement of the latest data breach affecting over 267 million Facebook users?
“The data was probably harvested before Facebook made recent changes to better protect user information.”
Security researcher Bob Diachenko, reporting through Comparitech, first disclosed this past Thursday his discovery of a database containing the names, phone numbers, and unique user IDs of more than 267 million Facebook users, all U.S. based, which was also circulating on the dark web.
His evidence? Diachenko provided the Associated Press with a 10-record sample from the database, including the user IDs and two phone numbers which, when called, were answered by real Facebook users.
Elasticsearch Is Back
The database, which Diachenko found on an Elasticsearch server, was also available for download on a hacker forum on the dark web. However, thanks to Diachenko immediately notifying the ISPs on December 14, the 10-day window of free access was closed and the server was taken off the indexed web.
Elasticsearch is an open-source search and analytics engine that indexes large volumes of data for full-text search. It isn’t a scraping tool, and it doesn’t leak data on its own: these exposures happen when an instance is left reachable from the internet with no authentication in front of it. This isn’t the first time Elasticsearch has been in the spotlight either. Earlier this year a massive 4 TB dump with social-media and personal information on over 1.2 billion people was briefly reachable on an open instance; that data originated from data brokers, including California’s People Data Labs.
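To make the Elasticsearch point concrete, here is an added example (not from the original post, and not Facebook’s, Comparitech’s or Elastic’s code) of the check a practitioner would run against their own cluster: an unauthenticated GET to the `_cat/indices` API. Whether that request comes back with an index listing or with a 401 is exactly the difference between an exposure like the one above and a properly secured instance. The `probe_elasticsearch` and `http_get` names, the hostname `es.example`, and the two canned responses are my own constructions so the block runs offline.

```python
import json
import urllib.error
import urllib.request


def http_get(url, timeout=5):
    """Unauthenticated GET; returns (status, body). Only used for real hosts."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:          # 401/403/404 still have a body
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):        # refused, DNS failure, timeout
        return 0, ""


def probe_elasticsearch(base_url, fetch=http_get):
    """Classify an Elasticsearch endpoint by what it tells an anonymous caller.
    `fetch` is injectable so the check can be exercised against canned data."""
    status, body = fetch(base_url.rstrip("/") + "/_cat/indices?format=json")
    if status == 0:
        return {"state": "unreachable", "indices": []}
    if status in (401, 403):
        # Security is enabled: anonymous callers get nothing.
        return {"state": "auth-required", "indices": []}
    if status != 200:
        return {"state": f"http-{status}", "indices": []}
    try:
        rows = json.loads(body)
    except ValueError:
        rows = None
    if not isinstance(rows, list):
        # 200 but not the _cat JSON array: a proxy page, or not Elasticsearch at all.
        return {"state": "not-cat-api", "indices": []}
    indices = [
        {"index": r.get("index"),
         "docs": int(r.get("docs.count") or 0),   # docs.count is null for closed indices
         "size": r.get("store.size")}
        for r in rows
    ]
    return {"state": "open", "indices": indices,
            "total_docs": sum(i["docs"] for i in indices)}


# Constructed responses standing in for two hosts; no network involved.
OPEN_RESPONSE = json.dumps([
    {"health": "yellow", "status": "open", "index": "users_us",
     "docs.count": "1250000", "store.size": "1.2gb"},
    {"health": "green", "status": "open", "index": ".kibana_1",
     "docs.count": "12", "store.size": "40kb"},
])


def fake_fetch_open(url):
    """Stands in for a cluster left open to the internet."""
    return 200, OPEN_RESPONSE


def fake_fetch_locked(url):
    """Stands in for a cluster with authentication enabled."""
    return 401, '{"error":{"type":"security_exception"}}'


if __name__ == "__main__":
    for name, fetch in [("open", fake_fetch_open), ("locked", fake_fetch_locked)]:
        print(name, probe_elasticsearch("http://es.example:9200", fetch))
```

Against a real host, call `probe_elasticsearch("http://host:9200")` with the default fetcher. A cluster that reports `open` with a non-trivial document count is the situation described above; the fix is to bind the node to a private interface and enable authentication (`xpack.security.enabled: true`), or to put it behind an authenticating proxy, so that the same probe returns `auth-required`.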
The data is believed to have been collected by criminals in Vietnam, who may have “scraped” it with bots from public Facebook pages or somehow obtained privileged access to the information. Again, how are these two scenarios even possible?
Until 2018, Facebook let users find one another by typing a phone number into its search bar. The feature was eventually “disabled” (probably never fully removed, given the circumstances) following the Cambridge Analytica scandal, in which profile data belonging to approximately 87 million users was “accidentally” harvested without authorization.
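The scraping scenario above is easy to model. The block below is an added example (not the original post’s content and not Facebook’s code) of why a reverse phone-number lookup is dangerous: a directory that answers any number with a profile can be walked number by number by a bot, while one that honours a per-user opt-out, validates input and budgets lookups per client stops the walk after a handful of guesses. The directory, the account names, the 555 numbers, the class names and the API shape are all constructed for illustration; the example goes a little beyond the text by also showing the hardened design side by side.

```python
import re
from collections import defaultdict

# Constructed sample accounts (fake 555 numbers): user_id -> (name, phone, discoverable)
SAMPLE_USERS = {
    "1001": ("Alice Example", "+15550100001", True),
    "1002": ("Bob Example",   "+15550100002", True),
    "1003": ("Carol Example", "+15550100007", False),  # opted out of phone lookup
}

E164 = re.compile(r"^\+[1-9]\d{6,14}$")


class UnsafeLookup:
    """Weak design: any caller may reverse any phone number to a profile,
    with no per-client budget and no respect for the user's own setting."""

    def __init__(self, users):
        self.by_phone = {phone: (uid, name) for uid, (name, phone, _) in users.items()}

    def lookup(self, client_id, phone):
        return self.by_phone.get(phone)


class HardenedLookup:
    """Same data, but: only discoverable users are indexed, malformed input is
    rejected, and each client gets a fixed budget of lookups per minute.
    Misses count against the budget too, so walking a number range burns it fast."""

    def __init__(self, users, budget, clock):
        self.by_phone = {phone: (uid, name)
                         for uid, (name, phone, disc) in users.items() if disc}
        self.budget = budget
        self.clock = clock                    # injected so the example is deterministic
        self.calls = defaultdict(list)        # client_id -> recent lookup timestamps

    def lookup(self, client_id, phone):
        if not E164.match(phone):
            raise ValueError("malformed number")
        now = self.clock()
        recent = [t for t in self.calls[client_id] if now - t < 60.0]
        if len(recent) >= self.budget:
            raise PermissionError("rate limit exceeded")
        recent.append(now)
        self.calls[client_id] = recent
        return self.by_phone.get(phone)


def enumerate_range(api, client_id, prefix, start, stop):
    """A bot walking a contiguous block of numbers; gives up once throttled.
    Returns (attempts made, {phone: (uid, name)} for every hit)."""
    hits, attempts = {}, 0
    for n in range(start, stop):
        phone = f"{prefix}{n:04d}"
        attempts += 1
        try:
            found = api.lookup(client_id, phone)
        except PermissionError:
            break
        if found:
            hits[phone] = found
    return attempts, hits


if __name__ == "__main__":
    print("unsafe:", enumerate_range(UnsafeLookup(SAMPLE_USERS), "bot", "+1555010", 0, 10))
    hardened = HardenedLookup(SAMPLE_USERS, budget=5, clock=lambda: 1000.0)
    print("hardened:", enumerate_range(hardened, "bot", "+1555010", 0, 10))
```

Against `UnsafeLookup` the bot recovers every account in the block, including Carol’s, in as many requests as there are numbers; against `HardenedLookup` it is cut off after five requests and Carol is never returned at all. A real attacker would spread the walk over many client identities, which is why the budget has to be keyed on something harder to mint than a session, but the shape of the fix is the same.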
What’s the Excuse Now?
In its latest statement, the company said it was investigating the issue and that the data was “likely” obtained before Facebook took unspecified data-protection measures in recent years.
Of course that’s the response, considering the calls for the company to be broken up for a number of reasons, mostly because it has grown too big for its own executives to manage. And don’t forget the antitrust investigation surrounding the company’s 2014 acquisition of the messaging platform WhatsApp.
The company has advised users to adjust their privacy settings to “Friends” and set the “Do you want search engines outside of Facebook to link to your profile?” setting to “No.”
Also, if you get unsolicited text messages or calls from “Facebook” or from anyone else you don’t recognize, DO NOT reply or call back.
Lesson #1: Don’t Blame Your Users
At the end of the day, it’s somewhat refreshing that Facebook at least hasn’t tried to blame its users, unlike Amazon and its Ring doorbell product line.
Following Ring’s data breach, Amazon hasn’t stepped up with security enhancements of its own; instead, it has told users to enable two-factor authentication and take other condescending measures such as “changing your passwords.”
Although, it does make sense as the New Year approaches to change your passwords to all those accounts you regularly use.
“This is timely,” Peter Galvin, chief strategy and marketing officer at nCipher told us.
“According to our research, 72% of Americans say they plan to update their passwords and practice better personal security habits in the New Year. Nearly a quarter admit they update their passwords once a month or more. But their plans are not foolproof. One in four Americans admit to a common security tactic that could easily be guessed by a hacker: they are going to include the current year when setting up a new password. All consumers should practice good password hygiene, including updating their passwords and using multi-factor authentication (for example, sending a message to your phone) to keep hackers at bay.”
‘Tis the Season for the CCPA
Just in time for the holidays, Facebook will probably be the very first case study of how the CCPA will impact Silicon Valley’s largest tech giants, as the United States’ first statewide privacy regulation is set to go into effect on January 1.
But these security incidents are not uncommon, especially around the holidays, as phishing attempts, identity theft, and malware flood the inboxes of hundreds of thousands of U.S. consumers by the hour.