A huge collection of names and phone numbers dropped on hacker forums and passed to researchers over the past week may not be as open to abuse as passwords or credit card details, but criminals will still seek to use it for monetary gain.
The trove of personal data comes from Facebook and appears to have been scraped from the site before being sold around and eventually dumped. It includes more than half a billion phone numbers, matched to names, and a few million email addresses.
More than 500 million Facebook users have had their name and phone number dumped online.Credit:
In the time since the data appeared publicly, security researchers have been able to sift through and index it to assess the risk of it being used for harm, while criminals have no doubt been doing the same. On Tuesday, the data was loaded into Have I Been Pwned, an online service that can individuals if their data is available to crooks.
To check, people can simply type in their email address and hit enter. They can now also search for their phone number on the service by typing it in using an international format (for Australian mobiles that means putting 61 at the start, instead of 0) and hitting enter.
Independent security researcher Troy Hunt, who created and maintains Have I Been Pwned, said Facebook’s leak was significant, but the overall danger was moderate.
Fears that phone numbers could be used for SIM swapping — where criminals intercept text messages to force their way into bank accounts and other services — were overblown. The bad guys simply have a database akin to a phone book.
“We used to have data breaches [like this] every single year. They’d arrive on your doorstep and would be many, many pages of phone number and name associations,” Mr Hunt said.
“If we look at the volume of the data here, the risk is more about the things that can be done en masse than anything that is very targeted [like SIM swapping].”
If an individual discovers their phone number is among the millions leaked through Facebook, the likely outcome is that it will be used for spam messages and phishing attempts, where criminals try to coax people to reveal more valuable data by impersonating a service or authority. This is happening to most phone users quite often anyway.
Mr Hunt said if individuals found their number in the Facebook leak, it should be a reminder that personal data put on the internet can never be removed and that they need to practice good digital hygiene to prevent it from being used against them.
“Be alert for things like phishing scams. Don’t click links in spam, because it confirms you’re receiving and responding. That good old classic hygiene stuff.”
Facebook has sought to downplay the significance of the leak, saying the data was not obtained in a breach of its systems, but rather by exploiting the public-facing site in 2019.
Specifically, Facebook believes the culprits used automated software to abuse the contact-finding feature that once displayed Facebook profiles when people entered a phone number. The company said its site can no longer be abused in this way.
“While we addressed the issue identified in 2019, it’s always good for everyone to make sure that their settings align with what they want to be sharing publicly,” the company said.
Facebook also recommended users make use of its Privacy Checkup tool.
Business Briefing
Start the day with major stories, exclusive coverage and expert opinion from our leading business journalists delivered to your inbox. Sign up here.
Most Viewed in Technology
From our partners
Source: Read Full Article