Ne’er-do-wells leaked personal data – including phone numbers – for about 553 million Facebook users this week. Facebook says the data was collected by 2020, when it changed things to prevent such information from being scraped from profiles. In my opinion, this just reinforces the need to remove cell phone numbers from all your online accounts where possible. In the meantime, if you are a Facebook product user and want to learn whether your data was leaked, there are easy ways to find out.
The HaveIBeenPwned project, which collects and analyzes hundreds of database dumps containing information on billions of leaked accounts, has incorporated the data into its service. Facebook users can enter the mobile number (in international format) associated with their account and see whether that number was exposed in the new data dump (HIBP does not show you any of the data; it just gives you a yes / no on whether your number shows up).
The phone number associated with my late Facebook account (which I deleted in January 2020) was not in HaveIBeenPwned, but Facebook again claims to have more than 2.7 billion active monthly users.
It seems that much of this database has been kicking around the cybercrime underground in some form since last summer at least. According to a Twitter post from January 14, 2021 by Under the Breach’s Alon Gal, the 533 million Facebook account database was first put up for sale back in June 2020, offering Facebook profile data from 100 countries, including name, mobile number, gender, occupation, city, country and marital status.
Under The Breach also said back in January that someone had set up a Telegram bot that lets users search the database for a small fee, allowing people to find the phone numbers associated with a large number of Facebook accounts.
Many people may not consider their cell phone number private information, but there is a world of misery that villains, stalkers, and creeps can visit on your life just by knowing your cell phone number. Sure, they could call you and harass you that way, but more likely they will see how many of your other accounts – at major email providers and social networking sites like Facebook, Twitter and Instagram, for example – rely on that number for password resets.
From there, the target is primed for a SIM swapping attack, where thieves trick or bribe employees of mobile phone shops into transferring ownership of the target’s phone number to a mobile device controlled by the attackers. From there, the villains can reset the password to any account to which the mobile number is tied, and of course intercept any one-time tokens sent to that number for multifactor authentication.
Or the attackers exploit some other privacy and security weakness in the way SMS messages are handled. Last month, a security researcher showed how easy it was to abuse services designed to help celebrities manage their social media profiles to intercept text messages sent to any mobile user. This weakness has apparently been patched by all the major wireless operators now, but it really makes you question the wisdom of relying on the internet equivalent of postcards (SMS) to safely handle quite sensitive information.
My advice for a long time has been to remove phone numbers from your online accounts wherever you can and to avoid choosing SMS or phone calls for second factors or one-time codes. Phone numbers were never designed to be identity documents, but that’s effectively what they have become. It’s time we stopped letting everyone treat them that way.
All online accounts that you value must be secured with a unique and strong password as well as the most robust form of multifactor authentication available. Usually this is a mobile app like Authy or Google Authenticator that generates a one-time code. Some sites like Twitter and Facebook now support even more robust options – such as physical security keys.
Removing your phone number can be even more important for any email accounts you may have. Sign up for any service online and it almost certainly requires you to enter an email address. In almost all cases, the person in control of this address can reset the password for all associated services or accounts – simply by requesting a password reset email.
Unfortunately, many email providers still allow users to reset their account passwords by having a link sent via text to the phone number registered for the account. So remove the phone number as a backup for your email account, and make sure a more robust second factor is selected for all available account recovery options.
Here’s the thing: Most online services require users to provide a mobile phone number when they create the account, but do not require the number to remain associated with the account after it is created. I advise readers to remove their phone numbers from accounts where possible and to take advantage of a mobile app to generate any one-time codes for multifactor authentication.
Why did KrebsOnSecurity delete its Facebook account early last year? Sure, it might have had something to do with the incessant stream of violations, leaks and privacy betrayals from Facebook over the years. But what really bothered me was the number of people who felt comfortable sharing extraordinarily sensitive information with me on things like Facebook Messenger, while at the same time expecting me to be able to guarantee the protection of those messages just by virtue of my presence on the platform.
If readers want to get in touch for any reason, my email is here krebsonsecurity at gmail dot com, or krebsonsecurity at protonmail.com. I also answer Krebswickr on the encrypted messaging platform Wickr.