SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 226: Yet Another Facebook Data Breach

Posted on April 16, 2021

A massive Facebook data breach has exposed the personal details of over 500 million users. On this episode of The Checklist, we’ll talk about:

Oops!…They did it again

We’ve discussed Facebook’s privacy issues before, touching on everything from the company’s endless pursuit of location data to the Cambridge Analytica scandal. Last week, we saw yet another example of Facebook’s problems with data privacy.

It turns out that way back in 2019, a security flaw allowed hackers to scrape a huge amount of personally identifiable information (PII) from over 500 million Facebook accounts. Fast forward to 2021, and all of that data has now made its way onto public hacking forums, where it’s freely available for download.

So what kind of PII are we talking about? It runs the gamut — everything from users’ account IDs and full names to their phone numbers, email addresses, birth dates, and location data. 

Facebook, for its part, says that it has no plans to inform affected users that they were, well, affected. Since the original incident happened in 2019, and since people change their phone numbers and email addresses frequently, Facebook seems to consider the breach “water under the bridge”. While that’s probably not the worst response to a data breach we’ve ever seen, it doesn’t exactly inspire confidence — and as we’ll see, users have good reason to be more concerned about this than Facebook appears to be.

So much for Facebook’s response to the breach. But what about government data privacy regulators? The United States hasn’t taken any action at all on the incident just yet, but Ireland has already launched an investigation.

Ireland’s Data Protection Commission (DPC) says that it is looking into whether or not Facebook violated provisions of the EU’s powerful General Data Protection Regulation (GDPR). Since Ireland is an EU member state, people there are protected by the GDPR. At least some of the breached Facebook accounts appear to belong to EU users, hence the DPC’s interest. According to a company spokesperson, Facebook is cooperating fully with the investigation.

Was your account affected?

The leaked data may not sound like a big deal at first — after all, what harm can a hacker do with a phone number, or a birthday? But the truth is, this kind of PII is frequently used in social engineering attacks and identity theft schemes.

Beyond this, there’s also a direct threat to Facebook accounts. If someone has your Facebook ID and the email address associated with the account, they might simply try to break into your account by guessing passwords! If successful, they could go on to harvest sensitive data from your account area, or access your personal messages. They might also try to use your Facebook account to perpetrate a social media scam, which could affect your contacts or followers.

In addition, a phone number, in combination with a full name and country, could be very useful to a scammer or a spammer. This kind of semi-targeted attack is something that we see in many vishing scams, for example.

In short, the danger is real. But Facebook has almost 3 billion users, so how are you supposed to know if your account was one of the 500 million or so involved in the breach?

Well, if you frequent hacking forums, you could download and examine the full data set and try to find yourself among all that data. But fortunately, there’s an easier way. Cybersecurity expert Troy Hunt runs a data breach aggregation website called Have I Been Pwned. If you go to his site’s main page, you can enter the email address or phone number associated with your Facebook account to see if it appeared in the breach. Phone numbers need to be entered in international format, with the country code in front (for a US number, that means starting with +1). Be sure to check both the email address and the phone number, since some accounts had the phone number leaked but not the email address, and vice versa.
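For readers who would rather script the check than type addresses into a web form, here is an added example (not from the show, and not Troy Hunt’s own code) that looks up an email address and a phone number against the Have I Been Pwned v3 breached-account API. It assumes you hold an HIBP API key (the service requires one for account searches), that the endpoint and header names match HIBP’s public documentation as of this writing, and that a phone number given without a country code is a North American one; the JSON sample used in the offline checks is constructed for the example.

```python
"""Check an email address and a phone number against Have I Been Pwned (HIBP).

Added example for illustration; not code from The Checklist or from HIBP.
Assumptions: HIBP v3 endpoint and header names as in HIBP's public API docs,
a valid API key supplied by the caller, and a default country code of +1.
"""
import json
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

HIBP_BASE = "https://haveibeenpwned.com/api/v3/breachedaccount/"


def normalize_phone(raw, default_country_code="1"):
    """Return the number in the international form HIBP expects: a leading
    '+' followed by digits only. A number that has no international prefix
    is assumed (for this example) to belong to `default_country_code`."""
    s = raw.strip()
    digits = re.sub(r"\D", "", s)
    if not digits:
        raise ValueError("no digits in phone number: %r" % raw)
    if s.startswith("+"):
        return "+" + digits
    if s.startswith("00"):           # '00' is the international prefix in much of Europe
        return "+" + digits[2:]
    return "+" + default_country_code + digits


def lookup_url(account):
    """Build the breached-account URL. The '+' of a phone number must be
    percent-encoded, otherwise the server decodes it as a space."""
    return HIBP_BASE + urllib.parse.quote(account, safe="")


def parse_breach_names(body):
    """HIBP answers with a JSON array of breach objects; keep just the names."""
    return [breach["Name"] for breach in json.loads(body)]


def in_facebook_breach(breach_names):
    """HIBP lists the 2019 scrape under the breach name 'Facebook'."""
    return "Facebook" in breach_names


def breaches_for(account, api_key, user_agent="checklist-hibp-example/1.0"):
    """Query HIBP for one account (email or '+'-prefixed phone number).
    Returns a list of breach names; an empty list means HIBP has no record.
    Needs network access and a real API key."""
    req = urllib.request.Request(
        lookup_url(account),
        headers={"hibp-api-key": api_key, "user-agent": user_agent},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return parse_breach_names(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code == 404:          # HIBP uses 404 for "not found in any breach"
            return []
        raise                        # 401 (bad key), 429 (rate limited), etc.


if __name__ == "__main__":
    # Usage: python hibp_check.py <api-key> <email> <phone>
    if len(sys.argv) != 4:
        sys.exit("usage: hibp_check.py <api-key> <email> <phone>")
    key, email, phone = sys.argv[1:]
    # Check both identifiers: some records leaked only one of the two.
    for account in (email.strip().lower(), normalize_phone(phone)):
        names = breaches_for(account, key)
        status = "IN Facebook breach" if in_facebook_breach(names) else "not in Facebook breach"
        print("%s: %s (all breaches: %s)" % (account, status, ", ".join(names) or "none"))
```

The two offline-safe pieces are the phone normalization and the URL construction; the mistake most people make is typing a local-format number or leaving the `+` unencoded, both of which produce a clean "not found" for a number that is actually in the data set.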

Here it comes …

OK, so you know how to check to see if your account was involved in the data breach. If it was, that’s good to know … but the data is still out there. So what do you do next? Here are some recommendations for staying safe from the attacks and scams that may be headed your way:

  1. Protect your accounts

    To be on the safe side, it would probably be a good idea for everyone to change the password on their Facebook account, and to protect it with two-factor authentication (2FA). If you know that your email address was exposed in this breach, change the password on that as well — and turn on 2FA for the account if you haven’t already done so.

  2. Beware of phone scams

    In the coming months, be aware that there may be an increase in phone scams. Don’t give unknown callers any sensitive information over the phone, and be careful about calling back any number that someone else gives you. If you want some good general advice for dealing with unsolicited calls, have a listen to Checklist 211, where we discuss some basic best practices in the context of package delivery scams.

  3. Look for identity theft

    As we mentioned, PII is often used to perpetrate identity theft. Unfortunately, lots of people don’t learn that their identity has been stolen until long after it has already happened. At that point, it can be difficult, frustrating, and time consuming to undo the damage. If you need an identity theft refresher, revisit Checklist 47, and have a look at these tips for preventing identity theft.

  4. Be wary of “Facebook” emails

    When a big, high-profile breach occurs, hackers will use public awareness of the incident to launch phishing attacks. They’ll send out emails to people at random, and claim to represent the company that suffered the breach (in this case, Facebook). They’ll offer help, information, or compensation … but it’s all just an attempt to steal your data or infect you with malware. If you get an email about this breach “from Facebook”, be careful. Facebook has already said they’re not going to be reaching out to users about the incident, so more than likely, it’s a phishing attempt. For more information about phishing, and how to spot phishing emails, check out Checklist 37.

If you want a job done right …

So that’s how you can stay safe from the threats related to this breach … but is there anything you can do to protect your data from the next breach? Absolutely, and it’s important to try, because it’s becoming clear that you can’t always count on big tech companies to keep your data secure. With that in mind, here are some recommendations to help you protect your own data:

  1. Do the bare minimum

    When you sign up for a new app, account, or service — or even when you fill out a loyalty card application at a store — try to give out as little personal information as possible. Oftentimes, all they really need is an email address. But that won’t stop developers, social media sites, and businesses from asking for everything under the sun! So make it your default policy to give out as little personal information as possible. Remember, if they don’t have it stored on their servers, they can’t lose it in a data breach.

  2. Do your research

    Apps are some of the worst offenders when it comes to user data collection. Again, as long as a company has your data on its servers, that data is vulnerable to hacks, breaches, and leaks. So your best bet is to make sure that they never have it in the first place! Before you install a new app on your device, do your due diligence and check out the developer’s privacy policy and data collection practices. Apple has made this easier than ever via their new system of App Store Privacy Labels, which we discussed on Checklist 218. It’s not a perfect system, so make sure that you also research a developer’s reputation and read the reviews of their app. But the Privacy Labels are a great place to start, because they can help you spot any obvious red flags when it comes to data collection — which is your cue to look for an alternative app!

  3. Use Apple’s privacy tools

    Apple builds a ton of security and privacy tools right into their products and platforms. So use them to your advantage! On Checklist 180, we discussed Sign in with Apple, a privacy-friendly login option that lets you create new accounts with just your Apple ID — and allows you hide your real email address from developers. There are also a number of great privacy features in macOS and iOS (some of which are still not very well known). On Checklist 199 we talked about how to use iOS 14 to protect your privacy, and on Checklist 207 we went through the security and privacy changes to macOS that were introduced in Big Sur.

  4. Share this show

    If you’re a regular listener of The Checklist, you’re probably way more security savvy than most of the people you know. But here’s the thing — what seems like “common sense” to you might be a complete revelation to your friend, coworker, or family member! And unfortunately, these folks may be unaware of all the risks out there, and of how to keep themselves safe. In the case of the Facebook breach in particular, with all of the exposed phone numbers, there’s a good chance of phone scams … scams which often target the elderly. So if you can think of anyone in your life who uses Facebook, and who might need to hear what was discussed on this show, please take a moment to share it with them.

Do you have an idea for a show topic, or a question you’d like to have answered on a future edition of the podcast? Write to us and let us know.

If you’re looking for more security tips, news, and analysis, check out our archives — you’ll find full audio and show notes for all past episodes of The Checklist.
