Five hundred million affected by the Facebook data breach: What now?


You see the expression ‘data breach’ almost every day in the media. It refers to situations in which the data we have given to a service provider ends up being available to a third party who, in principle, should not have had access to it.

When this data is personal, the breach is of greater importance. That’s because any situation in which information relating to an identified or identifiable living person ends up in the hands of an unauthorized person or group of people may imply threats to your privacy.

Within personal data, some is more sensitive or critical than another. Our first name, last name, or address, for example, is not the same as our telephone number, Social Security number, bank account number, or genome, if we take it to the extreme.

The latest breach from Facebook

These days there is much talk of a breach in which personal data from more than 500 million Facebook users has been leaked, of which about 11 million are Spanish users. The data that has been published includes first and last names, address, birthdate, Facebook ID, phone number and, in some cases, email address. That is, it is personal data.

This data was leaked from the company in 2019 through a security vulnerability that Facebook says was patched as soon as it was discovered. The database of extracted data appears to have been on sale on the black market for data since then, until this past weekend [3 and 4 April 2021], when it was published for free on a forum.

It should be noted that the data is already two years old, but in many cases remains valid as we do not change our phone number or email address very often.

Another important aspect is that neither in 2019 nor now does Facebook appear to have bothered to notify the affected users of this breach or to provide them with any kind of details about it.

Are data breaches frequent?

Unfortunately, if data breaches are commonplace in the media, it is because virtually no day goes by when we do not learn about a new one. Recent cases from Facebook, Twitter, Microsoft, CapitalOne, Marriott, Equifax, Zoom, Spotify, or Nintendo have all been very high profile. But no company of any size (large, medium, or small) or sector (technology, hospitality, aviation, banking, administration) can escape. In 2020 alone, about 4,000 data breaches were reported, with 37 billion data records being leaked, 141% more than in 2019.

Knowing when the breaches happen is positive: all affected users should know about them as soon as possible to take appropriate action. In fact, almost all privacy and data protection regulations stress this point: If the providers that store our personal data suffer a breach, they are obligated to notify both the affected users and the appropriate supervisory authorities.

For example, in the case of Spain, they should notify the Spanish Data Protection Agency. And they should do so by providing all the information (no vague and generic communiqués where nothing is understood) and in a short period of time (at most, 72 hours). Notification that arrives six months later, when a media outlet releases news about the breach and there’s no other choice, is not a serious response.

The business of data

What is not so positive is that breaches happen so often. Why have data breaches become one of the most serious security threats lately? Why are they becoming more frequent and affecting an ever larger number of users? Because personal data is the basis of many business models today, both legal and illegal.

In recent years the concept of surveillance capitalism has spread widely, referring to the current situation in which users’ personal data is one more commodity subject to being bought and sold. When this type of information is commercialized and has a value, different agents, such as service providers or application providers or owners of different types of resources, are interested in monitoring us in different ways to obtain all the data possible about us and our habits, tastes, routines, etc.

The collection and processing of this data can have advantages for users, as the services they consume can be customised to their needs. But obviously, it also has its risks, especially for privacy. The legal uses that suppliers make of this data may have benefits (commercial) for them, but not for users.

In addition, this data has to be stored somewhere and is not always sufficiently protected. If a third party, because of a security vulnerability, ends up accessing it, the doors are opened to all kinds of illicit or illegal uses.

Data stolen in these breaches is often the basis for social engineering attacks, for example personalised phishing or smishing campaigns. It is also used for attacks on bank accounts or credit cards, and for identity theft, so that someone can pass themselves off as the legitimate user (the victim) on any service or application, thanks to the data stolen in the breach.

How does this affect users?

In the specific case of Facebook, the first thing we can do is check whether we are one of the victims, as the company has not taken responsibility for making timely notifications. The data involved in the breach can be consulted on various public Internet sites.

Many users have breathed a sigh of relief after verifying that they were affected but that their account passwords were not involved in this breach. But the fact that passwords were not involved does not mean that the breach is not serious.

As we mentioned earlier, personal data can be used as a basis for many different attacks. So don’t just change your Facebook account password: check all your other passwords (make sure they aren’t based on personal data, and don’t reuse them), do not trust emails or SMS that look personalised and legitimate (because they mention our first name, last name, address, or birthdate), and do not use SMS as a second authentication factor for services that are critical to us (because with the phone number and its association with the rest of our personal data, it is easier to steal someone’s identity).

In general, if we are involved in any other data breach, the recommendations would be the same. First, find out if we are one of the victims (ideally, of course, the provider would notify us). Next, take all these steps and, obviously, if in the data breach our password has been compromised, modify it on the platform in question and on any other where we used the same one or a variation.
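One way to operationalise the advice that passwords must not be based on personal data, as an added example that is not part of the original article: a small policy check, in Python, that flags password candidates built from the attribute types named in the breach (first name, last name, birthdate, phone number). The profile values are constructed for illustration, not taken from any leaked data, and the function name is an assumption of this example.

```python
import re
from datetime import date

# Constructed sample profile using the attribute types named in the article
# (name, birthdate, phone); the values are invented, not from the leaked data.
SAMPLE_PROFILE = {
    "first_name": "Marta",
    "last_name": "Garcia",
    "birthdate": date(1985, 7, 23),
    "phone": "+34 612 345 678",
}

def _digits(s: str) -> str:
    """Keep only the digits of a string (strips +, spaces, dashes)."""
    return re.sub(r"\D", "", s)

def _birthdate_forms(d: date) -> set:
    """Common numeric spellings of a birthdate that people fold into passwords."""
    fmts = ("%Y", "%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y", "%d%m", "%m%d")
    return {d.strftime(f) for f in fmts}

def personal_data_in_password(password: str, profile: dict) -> list:
    """Return the profile attributes the password appears to be built from.

    Names are matched case-insensitively as substrings; runs of four or more
    digits are compared against birthdate spellings and against the phone
    number. An empty list means none of the leaked attribute types was found.
    """
    pw = password.lower()
    digit_runs = re.findall(r"\d{4,}", pw)
    hits = []
    for key in ("first_name", "last_name"):
        value = profile.get(key, "").lower()
        if len(value) >= 3 and value in pw:
            hits.append(key)
    birthdate = profile.get("birthdate")
    if birthdate:
        forms = {f for f in _birthdate_forms(birthdate) if len(f) >= 4}
        if any(f in run for f in forms for run in digit_runs):
            hits.append("birthdate")
    phone = _digits(profile.get("phone", ""))
    if phone and any(run in phone for run in digit_runs):
        hits.append("phone")
    return hits

if __name__ == "__main__":
    for candidate in ("Marta1985!", "pass5678x", "Tr0ub4dor&3"):
        print(candidate, "->", personal_data_in_password(candidate, SAMPLE_PROFILE))
```

The same check applied against every field type a given breach exposed (address fragments, email local part) is a reasonable addition to a password-change flow after a breach notification.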

By Marta Beltrán, Professor and Coordinator of the Engineering Degree in Cybersecurity, Universidad Rey Juan Carlos

This article was originally published in the Spanish version of The Conversation. The EADT is passing it along for your interest, although it does not necessarily reflect the Association’s position.