Security Week 14: Massive Facebook Data Leak

3 min

On Saturday, April 3, a huge database of users of the social network Facebook got into the public domain. On one of the cybercriminal forums, there were records about 533 million users from 106 countries, including slightly less than 10 million accounts from Russia.

In response to a media request on Facebook confirmed the fact of leakage. It was like this: back in 2019, someone took advantage of a vulnerability in the tool for finding friends, which itself raises doubts from the point of view of privacy. This feature uploaded the user’s phone book to the servers of the social network and invited him to add the people he found to his friends. As it turned out later, the tool made it possible to brute force through the entire array of phone numbers and upload data on a large number of users – approximately 20% of the total number of accounts on the social network.

In the same 2019, a similar problem found in Telegram: busting phone numbers helped to find out the user’s nickname, and through the database of mobile operators – to link the account in the messenger with a real person.

For obvious reasons, passwords did not leak from Facebook, but a lot of personal data got into the public domain: names, location, information about the employer, gender, date of registration. The base from 2019, apparently, was sold on the black market for some time, and in January of this year, a bot appeared on Telegram that sells data by phone number. Relatively few e-mail addresses associated with accounts have leaked: Troy Hunt added to the service database Haveibeenpwned only 2.5 million records.

The leak alone is unlikely to add new risks to the individual user. For a long time, a simple rule has been applied to social networks: if you transfer some data to them, consider it public, even if some privacy settings are applied.

This story brings up the topic of phone number security again – a key way of identifying a person. Changing a number is even more difficult than a postal address, its loss is fraught with direct financial damage, and there are many ways to intercept data transmitted via SMS. It is easy to imagine an attack scheme in which cybercriminals determine a user number after leaking such databases, and then, through social engineering or direct substitution of a SIM card, they gain access to a bank account. It is clear what to do with this, although these actions cause additional difficulties. For example, switch to other means of two-factor authentication or use different numbers for registering on public services and for accessing banking services. As usual, punctures from third-party services that freely handle user data bring problems to the users themselves.

What else happened

In QNAP network devices discovered two critical vulnerabilities: authorization bypass and arbitrary data writing. The latest firmware fixes at least one of them.

GitHub specialists investigate non-standard vulnerability in its own infrastructure. The attackers took advantage of the GitHub Actions tool, which automates actions when working with source code. The possibilities turned out to be too wide – up to the launch of cryptominers directly on the company’s servers.

Lockers, a computer attack from at least a decade ago, have become less common with the development of ransomware Trojans. In fresh research Kaspersky Lab experts remind that malicious programs that require a ransom for unlocking a computer have not gone anywhere. This article discusses blockers that work strictly in a web browser.

Other study Kaspersky Lab describes a targeted attack that exploits, among other things, vulnerabilities in the Pulse Secure VPN client.

Detailed description zero-click vulnerabilities (that is, requiring no action from the user) in the Apple Mail client. The vulnerability allows changing client settings, for example, modifying the signature. The problem was closed in July last year.

In February, we wrote about a cyberattack on security researchers: they tried to hack their computers using a fake site with a description of vulnerabilities. At Google report on the relapse: researchers were lured to a site allegedly owned by a Turkish penetration testing service containing a browser exploit. For more effective luring in social networks, they created believable profiles of employees of the fake organization.

The owners of the public PHP source repository at the end of March reported about an attempt to inject malicious code there. See also the discussion on Habré.

A recent study analyzed (news, PDF) telemetry collected from iOS and Android devices. Authors’ conclusions: data both there and there are transmitted on average every 4.5 minutes. Google OS transfers 20 times more data than iOS. The last statement was challenged by the Android developers: the point is not that they collect less data, but that not all telemetry of Apple’s mobile OS could be counted.

In the npm package Netmask discovered a serious error when processing IP addresses if there is a zero at the beginning of the address. In the simplest example, the address 0127.0.0.1 can be converted to


Leave a Reply