In 2019, Facebook experienced a major breach, with the personal data for hundreds of millions of users being leaked online, but it appears the leak only became publicly known in April 2021.

 

Earlier this month, news reports started to emerge that social media giant Facebook had experienced a major data leak, resulting in the personal information of over 530 million of its subscribers, in more than 106 countries, being published online. The information leaked included profile names, Facebook ID numbers, subscribers’ full names, location, email addresses, and phone numbers, though it reportedly did not include passwords or financial information.

At the time of publishing, details on the breach are still unclear, but it appears that the leak occurred before August/September 2019, due to “a flaw in a Facebook address book contacts import feature” (Source: Wired). However, it seems that Facebook had not previously disclosed the breach, and only confirmed it had occurred when news of the exposed data began to receive global attention a few weeks ago.

As at 2021, Facebook is reported to have approximately 2.7 billion subscribers worldwide. With a global population of around 7.8 billion people, this means that:

  • One in three people worldwide are Facebook subscribers; and
  • the personal information for one in five Facebook subscribers was exposed in the above-mentioned breach.

It is also important to highlight the following points:

First, it may be prudent to keep in mind that Facebook owns a number of other platforms, including Facebook Messenger, Instagram and WhatsApp. As a result, there is a high probability that the email addresses and phone numbers listed in compromised Facebook accounts are the same ones attached to Facebook Messenger, Instagram and WhatsApp accounts as well. It is also likely that Facebook IDs, email addresses and phone numbers would act as pointers to accounts on Facebook Messenger and Instagram, in particular, thus making it easier to develop a more comprehensive profile of a subscriber.

Second, although the vulnerability that facilitated the leak was reportedly patched by Facebook in the latter half of 2019, individuals who had subscribed to Facebook before the fix was implemented would be among those whose information was leaked. Hence, long-time subscribers of Facebook ought to take note.

Finally, although Facebook’s subscriber base has been, and continues to be, growing, in the Caribbean region, for example, and among the younger generation, Instagram appears to be the more popular platform, and WhatsApp is perhaps the most widely used instant messaging platform. For those who may have abandoned their Facebook accounts, those accounts still exist, and identifiers being used on other platforms, such as email addresses and phone numbers that are still current, may have been exposed in the Facebook breach.

With the personal information for one in five Facebook subscribers being exposed in the leak, it may not be unreasonable to believe that you were among the four whose information was not exposed. However, based on the reasons outlined below, it may be better to err on the side of caution, and revisit your security settings, not just on Facebook, but on all of your digital accounts.

 

1.  Facebook will not be notifying subscribers whose accounts have been compromised

According to a Reuters article published last week, Facebook does not intend to notify the 530 million-plus subscribers whose accounts had been compromised. Reasons given for that posture included the following:

  • the company was not confident it could identify and account for all subscribers who would need to be notified
  • subscribers cannot fix the issue
  • the data was already publicly available; and
  • the vulnerability was fixed in 2019 once it had been identified.

Regardless of whether you agree or disagree with the stance Facebook has taken, it is possible that your information may have been compromised. Hence, there is some onus on you, as the subscriber, to be proactive and revisit your Facebook account details.

 

2.  Many of us are still using weak passwords

Back in the day, a strong password would only need to comprise eight characters, that is, a combination of upper and lower case letters and numbers, which do not form logical or commonly used words or generic passwords. However, in recent years, it was recommended that special characters be included and passwords be lengthened – ideally to 12 characters.

As at 2021, and based on our most recent Expert Insight conversation, the recommended password length is at least 15 characters. According to Sean Slattery, who we spoke with for that podcast episode, the processing power available makes it a cinch to crack passwords with 12 or fewer characters. As passwords get longer and use complex combinations of upper and lower case letters, numbers and special characters, they take longer to crack. As shown in the table below, it pays to have complex and long passwords.
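To make the relationship between length, character mix and cracking effort concrete, here is an added example that is not part of the original article. It estimates the brute-force search space for a password and checks it against the 15-character guidance above. The guessing rate, the short list of generic passwords and the sample passwords are all constructed assumptions, not figures from the article or the podcast.

```python
import math
import string

# Assumption: offline guessing rate for an attacker with dedicated hardware.
# The article gives no figure; 1e11 guesses/second is illustrative only.
ASSUMED_GUESSES_PER_SECOND = 1e11

# Constructed sample of generic passwords; real checks use far larger lists.
GENERIC_PASSWORDS = {"password", "123456", "qwerty", "letmein", "facebook"}

SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size(password):
    """Size of the character pool implied by the classes the password uses."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII special characters
    return size


def search_space_bits(password):
    """Upper bound on brute-force work, in bits: length * log2(alphabet)."""
    if password.lower() in GENERIC_PASSWORDS:
        return 0.0  # found by a wordlist long before brute force matters
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def years_to_exhaust(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Years to try every candidate of this length and alphabet at `rate`."""
    return 2 ** search_space_bits(password) / rate / SECONDS_PER_YEAR


def meets_recommendation(password, min_length=15):
    """The 2021 guidance above: at least 15 characters, all four classes."""
    return len(password) >= min_length and alphabet_size(password) == 94


if __name__ == "__main__":
    # Constructed sample passwords of 8, 8, 12 and 16 characters.
    for pw in ["facebook", "Tr4veL9x", "Tr4veL9x!mQ2", "Tr4veL9x!mQ2#bz7"]:
        print(f"{len(pw):>2} chars  {search_space_bits(pw):6.1f} bits  "
              f"{years_to_exhaust(pw):.3g} years  ok={meets_recommendation(pw)}")
```

Each extra character multiplies the search space by the alphabet size, so going from 12 to 16 characters with all four classes adds roughly 26 bits of work, while a generic password scores zero regardless of its length.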

 

 

3.  Your Facebook credentials can be used to log in to other platforms

Finally, and in the reports published to date, it does not appear that the subscriber information leaked is sufficient to log into other platforms and services that allow Facebook credentials to be used. However, in having a subscriber’s profile name, full name, Facebook ID, and email address, and especially when a weak password has been used for Facebook, it may not be too difficult to gain access to a subscriber’s accounts on other websites, including ones on which purchases can be made and credit card information is stored.

Noting how easy it is to use your Facebook credentials to access services on another platform, instead of creating separate accounts – and passwords that you need to manage – the potential knock-on effect begins to emerge, if your Facebook account is compromised. Once again, and in the spirit of being proactive, the effort could be made to double-check the accounts for which Facebook credentials are being used, and a determination made on how best to proceed.

 

 

Image credit: Blogtrepreneur (flickr); Reddit