As users of the world’s biggest social media platforms struggled with a massive global outage on October 4, reports emerged that the personal information belonging to more than 1.5 billion users were being sold on the dark web.
A number of screenshots emerged online indicating that a threat actor had advertised the stolen data, with media outlets rushing to analyze the screenshots that have pointed out a serious longstanding problem – Facebook is not secure.
In addition, a popular post on social media showed that the Facebook domain is apparently put up for sale. A quick “whois” check on domaintools.com indeed confirms that facebook.com was being advertised (See Below).
On the dark web’s Dread forum, users on the sub dread “OpSec” were quick to comment on the Facebook outage in an attempt to get a sense of what may have happened to the social media app.
One user /u/mrmelkis spread the rumour that Facebook had suffered a DDoS attack. He said, “Somebody did it pretty good – all three down! Unofficial source informed – DDoS”. However, another user disagreed by mentioning that the social media giant had suffered a Domain Name System (DNS) issue which had resulted in the global outage (See screenshot).
How User Data Ended up in the Dark Web
Reportedly, the dark web traders have claimed that they managed to harvest the user data by scrapping rather than hacking the world’s biggest social platform. What’s even more interesting to their claim is that they may have pulled this off without the need to compromise individual user accounts.
The scrapping process involves the application of web data extraction processes where publically available data is accessed and organized into databases. The technique itself is not illegal. In fact, web scrapping (also known as web crawling) was historically associated with notable search engines like Google.
The search engines that made web crawling popular did so by building trust and sending back traffic and visibility to the online platforms they crawled – the bots established a solid reputation that lives to this day.
Having said that, web scrapping becomes illegal when a threat actor tries to scrape nonpublic data. This kind of data may be anything that is beyond the reach of the general public online. An example of such nonpublic data is anything that must be accessed after a login process.
You may now be wondering – how is Facebook data scrapped?
Most of the user data from Facebook is simply scrapped from profiles that have been set to “Public” by their owners. The unfortunate reality, however, is that most of the personal information belonging to users is normally shared by the specific users themselves – mostly unknowingly.
The illicit aspect of data scrapping that targets Facebook users is presented in the form of fake Facebook surveys or quizzes. At some point in their online lives, the majority of Facebook users must have come across quizzes with titles such as “Answer these questions to find out where the love of your life is located”.
Most of these quizzes turn out to be traps that are laid by threat actors with the aim of harvesting the personal data of unsuspecting victims. Truth is, every time a user participates in any of the fake surveys, they give express permission to quiz creators to view their sensitive Facebook information such as full name, email address, cellphone number, physical address and gender.
These circumstances, and the claims made by the dark web cybercriminals that have advertised the Facebook data for sale, may open a Pandora’s Box once investigations into the latest cyber events are opened up.
What Are the Potential Risks?
While no accounts have been compromised, this is very little consolation to users whose data will be used by internet marketers and cybercriminals.
Unscrupulous marketers may leverage the data to push their agenda by bombarding specific users or groups of people with annoying adverts. This possibility is brought about by the very nature of the data that has been put up for sale on the dark web. Apart from cellphone numbers, location and users’ full names form part of the data that has been dumped online.
Additionally, SMS and Push notification spam may arise owing to their increase in popularity among unethical actors across the world – take note that most countries have ratified law that ban these practices.
Otherwise, if the Facebook users are lucky enough to escape unsolicited adverts from internet marketers, they may be exposed to phishing and social engineering attacks. The fact that Facebook accounts and online banking logins fetch as little as $10 on the dark web makes the situation very worrying – this cheap price means that the majority of hackers will not mind the cost of pulling off a cyberattack on victims.
Hacker identification of people’s cellphone numbers may result in the cybercriminals sending fake SMS messages to target victims whilst impersonating legitimate organizations such as banks.
On receipt of the messages or emails, oblivious users may find themselves clicking on links to either claim a prize, update their security settings, change their passwords or engage in other official activity.
It is through this process that the cybercriminal will succeed to redirect their target to a cloned version of the online platform that they purport to represent. This may lead to the user unknowingly entering their actual password before the hacker behind the scenes manages to take over the victim’s account.
Protect Yourself from Facebook Cybercrime
In order to protect yourself from potential data breaches through your Facebook account, the first thing you must take advantage is the already-existing privacy settings on the app. The social media platform has provided a variety of security settings that can go a long way to limit the information that can be viewed by people beyond your friends list.
As best practice, make sure that there settings are activated on your account and avoid the impulse of accepting friend requests from strangers who may not even be within your mutual friends circle.
Also, in the context of account security, be sure to set difficult security questions for all your social media accounts. Considering that it may be easy to remember things like your anniversary, you should be aware that some cybercriminals may be able to gather this specific detail based on the content you post online.
Instead, consider tough questions that only you may have answers to but can still remember such as the “name of your favorite 9th grade teacher”.
In addition, it is recommended that you avoid setting your Facebook account to “fully public”. It also goes without saying that you must resist the temptation of entering random quizzes, surveys or games unless they have been offered by legitimate publisher.
Finally, do not post about every little detail of your life on social media. Cybercriminal tends point to the fact that people who overshare information online become particularly susceptible to cyberattacks.
At the time of the outage, the social media giant admitted it was “aware that some people are having trouble accessing Facebook app” although the issue was since resolved hours later.
Facebook has since not given a clear picture concerning the origin of the outage that started at around 11:45 ET. While it may be normal for websites and apps to suffer outages from time to time, a global event like this is considered to be rare.
Point to note, Facebook is currently undergoing a major crisis involving a whistleblower who provided content to The Wall Street Journal’s series of stories about the social media company’s awareness of internal research into the negative effects of its products and decisions.