A few days ago, the personal information of 533 million Facebook users was made freely available on the Internet. The Facebook data breach is from an August 2019 incident where hackers were able to scrape Facebook data about users from 106 countries. The leaked Facebook data includes member telephone numbers, their full names, locations, email addresses, marital status, work details and their Facebook user identification.
Facebook has said it has no plans to notify members that their personal data was leaked.
Facebook said that it “was not an issue that users could fix themselves,” according to an April 9, 2021 NPR article.
Why you should be worried.
The leaked Facebook provides enough data to create a complete profile on any individual in the data set. The leaked data ties a likely mobile number to a verified individual. Some records of the data leak include marital status and workplaces along with the gender of the Facebook member.
Those data points are enough from where to build a full profile on anyone in the leak.
Cambridge Analytica
Cambridge Analytica used the Facebook details of 270,000 members to build demographic profiles on over 87 million Facebook users. According to Cambridge Analytica, in October 2016 they said they had four to five thousand data points on some 230 million Americans. Cambridge Analytica’s data sets were used in the 2016 presidential elections.
How much influence the Cambridge Analytica had on the 2016 elections remains controversial with one side arguing it influenced electors and the other arguing it had little to no impact on the election.
However, the Cambridge Analytica scandal demonstrates how effective data from Facebook is for targeting users based on the demographics they share on Facebook.
Unlike previous data leaks of usernames, passwords and email addresses, the Facebook leak of mobile numbers should be more concerning for the Facebook members affected by the leaks.
Usernames and passwords are easy to change. Users have been conditioned to be careful with links shared on email.
But what about text messages?
An Example Of The Danger
Although we are not using the real name of one of the individuals in the data set, we are using an example of the leaked data to show how a criminal would go about misusing the data, we just changed the name of the individual.
Martha, not her real name, works at Walgreens according to the data leak.
We know that Martha is a female who is married. We also know that she is 48 years old. Suppose we use the included Facebook ID in the leak to scrape her public profile from Facebook to build a demographic profile on Martha.
From there we know that she has children and recently received the vaccine.
From there we could build a very convincing text message that we could use to get more information from Martha for criminal purposes.
Suppose that Martha suddenly received a text message that reads:
“Hi Martha, this Walgreens human resources, we have important payroll information to share with you. Please click this link.”
The text message includes enough specific information that can compel Martha to click on the link. It comes from her employer, Walgreens, and it is addressed to her. It includes a call-to-action that may make Martha click on the link without giving it too much thought.
Once Martha clicks on the link, the criminal knows that the phone number is valid. When Martha lands on the linked page, she is presented with a convincing Walgreens employee portal page. Martha is asked to enter her social security number so that she can authenticate herself so that she can read the important payroll message waiting for her.
She just provided her social security number to someone.
In another example, the demographic built from her Facebook data could allow a criminal to send another text message to Martha alerting her to an urgent vaccine message. Martha enters more personal information to verify her details so that she can read the urgent vaccine message.
Remember that the perpetrator has a lot of information about Martha, thanks to Facebook, that includes her date of birth, marital status and even the type of vaccine she received had she posted it on Facebook. Many Facebook users are posting their vaccine cards on Facebook.
All this information allows criminals to create convincing text messages that they can use to target victims.
Not Just Criminals
Just like criminals, mass marketers can glean much demographic information to target effective marketing campaigns to your telephone number. Think that your car warranty is annoying enough? Imagine endless texts targeting your future vacation plans, restaurants serving the foods you crave or coupons for products you are thinking of buying?
There is little you can do to stop the mass marketers from getting ready to target your telephone with endless text messages promoting their products to you.
The Facebook telephone leak has given marketers enough data on you to specifically target you with cost-effective marketing. Rather than the traditional mass marketing expecting a two to three percent return on investment, with the Facebook data marketers can now expect to substantially increase the likelihood of making a sale and thus their marketing costs do not increase while the annoying text messages substantially increase on your phone.
Is Your Number On The List?
We have created an easy-to-use tool to look up to see if your telephone number has been compromised by the Facebook data leak. Just enter your phone number to quickly find out if your number is on the list.
Important information. Thank you.
I never click any link in a text message (or email). There is always a website to go to and log in legitimately to check. I also ALWAYS report the phishing phone number to an alerting service. Many scam phone calls now come up showing ‘suspected scam’ or ‘possible fraud’ which I am assuming comes from reports like these.
That looks like a useful tool, but I’m in the UK, so it my mobile number isn’t covered (or is that because it wasn’t part of the leak?)