Private information associated with some 7.3 million Australian Facebook accounts has been posted online after a massive data breach. Fraudsters gained access to the data in 2019, after which it was traded for money for a while before being unceremoniously dumped online this week for the world to see. The data includes the phone numbers of many users, an aspect that sets the data breach apart from many other incidents. It’s more common that email addresses and passwords are compromised in data breaches. “The exposure of phone numbers is noteworthy,” said Troy Hunt, an Australian web security expert and creator of the site Have I Been Pwned.
The site lets users plug in their email address or phone number to determine if it’s been included in any data sets exposed by criminals. Pwned is internet slang for “owned” – in other words, compromised. It can be unsettling to find out one’s details have been exposed in a hack. In some cases, plugging an email address into Mr. Hunt’s website can reveal a single account associated with multiple hacks, some dating back over a decade. But it’s good to be aware that it has happened. People are encouraged to change their passwords – as often as possible, significantly if it’s been associated with an online account that has been compromised.
As for the latest incident, while it’s unusual and significant – more than half a billion global users were affected – it’s not as worrying as some other breaches, Mr. Hunt said. “No passwords were exposed, so you shouldn’t worry about that. I would recommend heightened awareness more than anything,” he said. A possible consequence of having one’s phone number leaked online, mainly when associated with other personal details like name and suburb, is that scammers could seek to take advantage by sending spam messages or attempting a phishing attack.
Phishing is when a scammer attempts to access private accounts by tricking people into clicking harmful web links masquerading as safe ones. Facebook acknowledged the breach had happened in a press statement on Tuesday. But the company said it wasn’t technically a hack. Instead, the attackers took advantage of a loophole in the site’s system that allowed it to collect the phone numbers users had provided on a massive scale. The fraudsters uploaded large sets of phone numbers and matched them to other information using a feature designed to help Facebook users find their friends on the site by plugging in their numbers. “As a result of the action we took (at the time), we are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists,” Facebook said in the statement.
