Trying to verify the data and add it to the company's breach alert service, the researchers bought the database for 500 XNUMX.
The database entries contained Facebook user IDs, which are unique, public numbers associated with specific accounts, full names, email addresses, phone numbers, timestamps showing the last login, relationship status and age.
How did the data leak? In a post, Cyble said it did not know, but its investigators suspect that the files could have come either from a leak in the Facebook developer API or from some scraping: the automatic collection of available data that you post yourself on Facebook or in other social networks.
However, the story does not stop there. In fact, it does not even start there. It turns out that the same database had been released in the past. It was spotted by security researcher Bob Diachenko and deleted by the host ISP. Reappeared, larger with another 42 million subscriptions to another server.
It was then destroyed by strangers who replaced the personal data with virtual data and left the message: "please_secure_your_servers".
Diachenko partnered with comparison and research site Comparitech on this project last month. Comparitech said the database had been exposed for nearly two weeks, freely available online without any password protection.
Timetable giving Comparitech:
December 4, 2019: The database is indexed by search engines for the first time.
December 12, 2019: The data was published for download in a hacking forum.
December 14, 2019: Diachenko discovered the database and immediately sent a report to the ISP that managed the IP of the server.
December 19, 2019: Access to the database stopped.
March 2, 2020: A second server containing identical data plus another 42 million was indexed by the BinaryEdge search engine.
March 4, 2020: Diachenko discovers the second server and notifies the hosting provider.
March 4, 2020: The server was attacked and destroyed aby unknown hackers.
The original database contained 267.140.436 records, mostly from Facebook users in the United States. Diachenko said all the files appeared to be valid. The same registrations existed on the second server in March 2020, but this time, there were an additional 42 million registrations.
Comparitech said 25 million of the new files contained similar information: Facebook IDs, phone numbers and usernames. However, the 16,8 million entries had even more, such as gender, email address, date of birth and other personal data.
Both Cyble researchers and Diachenko himself do not know how leakage, but both agree that it could be from a security flaw in Facebook's third-party API that existed before the platform restricted access to phone numbers, or that allows malicious users to steal user IDs and phone numbers even and when Facebook restricted access to the API.
Both Cyble and Diachenko argue that alternatively, the leak may come from scraping, which is a good reason to reconsider how much data you share publicly on Facebook.
In other words …
Stop exposing yourself!