Facebook hacked on Dec 12th 2019

  • Thread starter Thread starter Evo
  • Start date Start date
Click For Summary
SUMMARY

On December 12, 2019, a database containing the personal information of 267 million Facebook users, including names, phone numbers, and Facebook IDs, was discovered exposed on a hacker forum. The database was not password protected and was removed on December 19 after researchers alerted the hosting provider. This incident highlights the ongoing risks associated with social media platforms and the importance of safeguarding personal information, as similar breaches have affected LinkedIn, Yahoo, and Disney in the past.

PREREQUISITES
  • Understanding of data security principles
  • Familiarity with social media privacy settings
  • Knowledge of multi-factor authentication (MFA) practices
  • Awareness of the implications of data exposure on the dark web
NEXT STEPS
  • Research best practices for securing personal information on social media platforms
  • Learn about data breach notification laws and user rights
  • Explore tools for monitoring personal data exposure on the dark web
  • Investigate the effectiveness of multi-factor authentication in preventing account hacks
USEFUL FOR

Individuals concerned about their online privacy, cybersecurity professionals, social media users, and anyone interested in understanding the implications of data breaches.

Evo
Staff Emeritus
Messages
24,032
Reaction score
3,277
Data Exposure Alert
Norton
Data of 267 million Facebook users exposed in an online database
What is Happening?
Data security researchers discovered an online database containing the names, phone numbers, and Facebook IDs of 267 million Facebook users available for download on a hacker forum. The database was not password protected and had been posted on December 12th. On December 14th, the researchers contacted the internet service provider that was hosting the database and the database was removed on December 19th.
Also LinkedIn and Yahoo have been hacked in the not too distant past, as has Disney. Be aware, don't put personal information on social media sites, change your passwords constantly.
 
  • Like
  • Informative
Likes   Reactions: WWGD, fluidistic, davenn and 1 other person
Computer science news on Phys.org
Do you have a link to the news article?
Evo said:
Be aware, don't put personal information on social media sites
Or maybe restate it as "put only the bare minimum of personal information they ask for". Twitter, for example, doesn't work unless you put in your mobile number.
 
Wrichik Basu said:
Do you have a link to the news article?

Or maybe restate it as "put only the bare minimum of personal information they ask for". Twitter, for example, doesn't work unless you put in your mobile number.
One reason I don't use Twitter. First reason is I could not care less for anything anyone says on Twitter.

It wasn't a news article, it was an email alert from Norton, I have their service that alerts me to security breaches. I also got a security alert from my credit card that alerts me if they find my email on the "dark web" I got an alert today that my email appeared on the "dark web" on Dec 12th" I was wondering what happened, then I got the email from Norton, it was the Facebook breach.

From my email alert (I x'd out my email address)
  • Dark Web Alert
    Compromised Email Address
  • Email Address
    xxx@xxx.com
  • Password
    Exposed
  • Date found on dark web
    Dec 12, 2019
 
  • Informative
Likes   Reactions: Klystron
jedishrfu said:
FORBES published an article on the breach:

https://www.forbes.com/sites/johnbb...---and-theyre-all-from-facebook/#5eb4274a5a6b
I can verify it's a real breach if you look at my last post you can see they took my email and password from facebook on the 12th.

Facebook asks you to add your phone number in case you get locked out of your account. DON'T DO IT!

Oh, and that Forbes article was posted right as I was posting this thread, there was nothing, only one website on google posting about it earlier, one I didn't want to link on. Notification from FB? NO. Of course LinkedIn never notified me of their HUGE breach where my info was taken, it was my credit card company that verified it. Only Yahoo and Equifax contacted me that my info had indeed been taken from their sites.
 
  • Like
Likes   Reactions: Imager
Wrichik Basu said:
Twitter, for example, doesn't work unless you put in your mobile number.
As @Evo said, you could not use Twitter.

Protecting your data sometimes means more that doing things safely. Sometimes, it means not doing them at all; even if they offer some benefit.

The whole social media industry is built on the idea of offering benefits to entice us to give away our personal information.
 
  • Like
Likes   Reactions: Astronuc, davenn, Evo and 2 others
anorlunda said:
As @Evo said, you could not use Twitter.

Protecting your data sometimes means more that doing things safely. Sometimes, it means not doing them at all; even if they offer some benefit.

The whole social media industry is built on the idea of offering benefits to entice us to give away our personal information.
That's the reason I never had a social media account till last month. Couple of days back, owing to certain circumstances, creating a Twitter account became a necessity.
 
Wrichik Basu said:
...
Twitter, for example, doesn't work unless you put in your mobile number.
?
I have a Twitter account and don't have a phone number listed.
Perhaps it's only true if you access Twitter via a mobile phone?
Since I don't own a mobile phone, I access Twitter via my laptop.

Btw, I got a very out of the blue message from a stranger on Friday accusing me of sending her "mean" content on Facebook. Since I didn't send anything to her, I recommended we both update our passwords, as I have no idea how such things can occur.
 
OmCheeto said:
I have a Twitter account and don't have a phone number listed.
Perhaps it's only true if you access Twitter via a mobile phone?
Since I don't own a mobile phone, I access Twitter via my laptop.
No idea how Twitter has allowed you, but people all over the net are frowning because Twitter has blocked accounts without a phone number. This is irrespective of whether you register from phone or laptop. For new users, you can't even access your account unless you give a phone number and that is verified by Twitter. There are some hacks, however, like using a Google voice number, but that works only if the service is allowed in your country (in my case, it isn't).
 
  • #10
I suspected a FB breach when I started getting calls on my mobile, supposedly from London, where the caller knew my name. As the number of people who have my number legitimately is very small, for someone else to have it connected with my name is unlikely unless it came from FB. The calls were trying to get me to invest in online trading, a scam my bank had already warned customers about.
 
  • #11
Wrichik Basu said:
...
people all over the net are frowning because Twitter has blocked accounts without a phone number.
I'm finding evidence of Twitter doing this when people also don't have an email account, but not because they only lack a phone number.

Or is it the fact that people can't function without a cell phone that's making them frown?
hmmm... Are we discussing the same thing, or are we talking past each other?

ps. I should really get some type of mobile phone. It's no wonder people look at me funny.

2019.12.22.mobile.phone.usa.percent.png

clickable reference
 
  • #12
OmCheeto said:
I'm finding evidence of Twitter doing this when people also don't have an email account, but not because they only lack a phone number.
While signing up for Twitter, I was given two options: sign up using email id, or mobile number. I choose email id because I did not want to share my phone number, but later found that the account won't be activated unless I give the phone number and they verify it by sending an OTP. Don't know whether they ask for email id if one signs up with phone number, but phone number is a must, at least for new users.
OmCheeto said:
Or is it the fact that people can't function without a cell phone that's making them frown?
hmmm... Are we discussing the same thing, or are we talking past each other?
Maybe talking past each other. Almost everyone has a cell phone, even if it doesn't have internet connectivity. What makes people frown is, Twitter won't allow them access to their accounts unless they register a phone number, and they don't want to give the phone number for privacy reasons.
 
  • #13
darth boozer said:
I suspected a FB breach when I started getting calls on my mobile, supposedly from London, where the caller knew my name. As the number of people who have my number legitimately is very small, for someone else to have it connected with my name is unlikely unless it came from FB. The calls were trying to get me to invest in online trading, a scam my bank had already warned customers about.
Does FB too, like Twitter, compulsorily require phone numbers, or is it optional?
 
  • #14
Wrichik Basu said:
Does FB too, like Twitter, compulsorily require phone numbers, or is it optional?
It's been optional but they were pressuring people to give it claiming that if you ever got locked out of your account, you could use it for verification. DON'T Do IT! FB even sent me a list of my friends that had given FB their phone numbers to coerce me to give mine. If I get locked out, which has never happened, there are other safer ways of getting unlocked.
 
  • #15
Evo said:
FB even sent me a list of my friends that had given FB their phone numbers to coerce me to give mine.
Holy mackerel. They think that giving you some of your friends personal info will make you have confidence in FB.
 
  • Like
Likes   Reactions: Evo
  • #16
anorlunda said:
Holy mackerel. They think that giving you some of your friends personal info will make you have confidence in FB.
I know! Oh Jane gave FB her phone number, social security, credit cards and bank account numbers, I should give them mine too! They're banking on herd mentality, I guess.
 
  • Haha
Likes   Reactions: Astronuc
  • #17
Wrichik Basu said:
While signing up for Twitter, I was given two options: sign up using email id, or mobile number. I choose email id because I did not want to share my phone number, but later found that the account won't be activated unless I give the phone number and they verify it by sending an OTP. Don't know whether they ask for email id if one signs up with phone number, but phone number is a must, at least for new users.

Maybe talking past each other. Almost everyone has a cell phone, even if it doesn't have internet connectivity. What makes people frown is, Twitter won't allow them access to their accounts unless they register a phone number, and they don't want to give the phone number for privacy reasons.
In the interest of science, I just created a new twitter account.
It's just as you say!
I had 100% access for about 10 minutes, and then I was locked out, and could not proceed without a textable phone number. They claim my land line is "unsupported".

They did though tell me this; "Contact our support team if you need additional help unlocking your account."

Which I did, and informed them I don't have a cell phone.
Their automated system said it may be a few days before I receive a response.
 
  • Haha
  • Like
Likes   Reactions: Evo and Wrichik Basu
  • #18
OmCheeto said:
Which I did, and informed them I don't have a cell phone.
They don't care about Luddite members. :sorry: Sorry, couldn't resist kidding. Happy holidays Om.
 
  • Haha
Likes   Reactions: OmCheeto
  • #19
OmCheeto said:
They did though tell me this; "Contact our support team if you need additional help unlocking your account."

Which I did, and informed them I don't have a cell phone.
Their automated system said it may be a few days before I receive a response.
Let us know what reply you get.
 
  • Like
Likes   Reactions: OmCheeto
  • #20
Wrichik Basu said:
Let us know what reply you get.
Don't know what it'll say, but I bet it'll come with a postage stamp on it. :oldbiggrin:
 
  • Haha
Likes   Reactions: anorlunda
  • #21
Just now removed my phone number from Twitter. Let's see what happens.
 
  • Like
Likes   Reactions: OmCheeto
  • #22
Evo said:
Be aware, don't put personal information on social media sites

This really undermines the 'social' experience that people seem to be looking for on these sites, but apart from that, most users are less informed than the PF cohort, so expose considerable personal information just through their sharing and commenting activities. Unless you are read-only on sites such as FB, Insta, TikTok, etc. you really can't help but reveal person details, no matter how hard you try to avoid it.

And as the Twitter comments have noted, the platforms themselves are working against underlying anonymity, so the risk of cell phone + user name + actual name + password reveal is certainly there (though, how does Twitter fight against troll farms undermining elections if they can't tie an account to a person? Can we have perfect privacy with perfect societal protection?).

Evo said:
change your passwords constantly

Yes, I 100% agree with this, and even better, enable two or multi factor authentication. A recent Microsoft study showed this stopped 99+% of account hacks. Thank you PF for your MFA capability :muscle:

However, these unexpected breaches really are small change in the privacy landscape, shocking as they seem. The NY Times thoughtful article on location data highlights how 'normal use' reveals so much about us, and it is being brokered behind the scenes in ways we give we no thought to. That's more troubling to me, because it is us willingly giving data away to them...without even knowing who them is!
 
  • #23
anorlunda said:
They don't care about Luddite members.
On the contrary. I think their somewhat "let's not make this too easy" methodology is to discourage trolls.

On their "suspended" help form they have the following:

Describe the nature of your appeal (for example, why you do not believe your account violated the Twitter Rules, or if you are having difficulties unsuspending or unlocking your account, or if you cannot provide a phone number).
Phone number (optional)

:sorry: Sorry, couldn't resist kidding. Happy holidays Om.

Ditto!
 
  • #24
Wrichik Basu said:
Let us know what reply you get.
Why, of course!
Though, I'm now worried, that Twitter may have a policy against "sock puppets", and just delete my new account.
I used my gmail email address to create it, as I don't use it for actual correspondence.
But upon further inspection, I discovered that my real email address is listed in my gmail settings.

Doh!
 
  • Like
Likes   Reactions: Wrichik Basu
  • #25
OmCheeto said:
Though, I'm now worried, that Twitter may have a policy against "sock puppets", and just delete my new account.
I used my gmail email address to create it, as I don't use it for actual correspondence.
But upon further inspection, I discovered that my real email address is listed in my gmail settings.
I don't think they'll be able to identify you, because real email addresses set up in gmail for forwarding (or otherwise) are not revealed. That is the whole purpose of email services allowing you to add another email address that you own; if people are able to find out your real email, then the purpose is no longer served.
 
  • #26
The NIST now recommends NOT to change passwords often. I think they assume people tend to pick weaker passwords, which is likely backed up by some studies. However if you use a password manager to create random-looking and high entropic passwords, I don't think it makes any difference (you only lose time by doing so, but no harm is otherwise done).
I don't think Facebook stores its passwords database in plain text, so the hackers (or better to say, crackers) won't be able to get to know your password unless it is so weak that its (salted?)hash value are known. So in my case, I wouldn't even change my password, if the password database had been hacked. A loss of time since the crackers will never get the password.

One website I often see recommended to check whether some of your accounts has been compromised is https://haveibeenpwned.com/ (see the Wikipedia page for instance https://en.wikipedia.org/wiki/Have_I_Been_Pwned?)

I think 2FA is indeed better (but not perfect, see the last days China's crackers exploit which bypassed 2FA) than just using a password. There are some hardware that can be used for that purpose (Yubikey, Nitrokey) but reading about their flaws in Wikipedia makes me reluctant to use them.
 
  • #29
:headbang:
Today I received a bank debit card in the mail, with my address, and someone else's name, with a bank I had an open credit card (>$10k available) account with.

Just got off the phone with the second customer service rep.
She and the previous rep were both delightful.

It appears that I have to go to my local branch on Monday, with the physical evidence, to kind of prove that I'm neither a kook, nor senile, for the most part.

Wait a minute. I was just online, and I didn't have a savings nor checking account, and my mortgage account was closed months ago...

So I've just closed the last account with that bank, and they're going to look at me on Monday, like I'm some sort of kook.

hmmmm...
 
  • #30
Wrichik Basu said:
No idea how Twitter has allowed you, but people all over the net are frowning because Twitter has blocked accounts without a phone number. This is irrespective of whether you register from phone or laptop. For new users, you can't even access your account unless you give a phone number and that is verified by Twitter. There are some hacks, however, like using a Google voice number, but that works only if the service is allowed in your country (in my case, it isn't).
Are you maybe allowed to use another voip service, such as Talkatone, or a proxy phone number app, such as Burner?