Two major databases have been leaked in the past weeks. The first one concerned Facebook users' information, the second one contained data of LinkedIn users. These leaks share not only the date and method of disclosure (both sets of data were originally uploaded on RaidForums, a hacker forum), but also the fact that they included a considerable number of records.
The leaked data, which can be accessed free of charge, comprises 533 million Facebook users from 106 countries. Among them are over 2.5 million Poles, 11 million Britons, 30 million Americans and 7 million Australians. Importantly, this is not a new data leak. Facebook patched the vulnerability that allowed this data to be obtained a long time ago, and the data likely dates back to late 2019. Since 2020, the database has been available to anyone willing to pay for a copy of the entire collection. Now, although slightly modified, it is available for free. What does it include? Not private messages, passwords or password hashes. Instead, it contains the names and surnames, phone numbers, email addresses, genders, occupations and places of residence of 533 million Facebook users. The leak occurred due to a bug in the contacts import feature. Most likely, the attackers generated billions of fictitious contacts with sequentially generated phone numbers. When these fabricated contacts were imported, the Facebook application interface returned the corresponding profile data (the data included in the published database) whenever a phone number was valid. All leaked records were uploaded to the database at the Have I Been Pwned website, thanks to which we can easily verify whether our data has been stolen.
Less than a week after the first leak was announced, news broke about another one. A file containing 2 million LinkedIn profiles appeared on the same forum where the Facebook user data had been shared. At the same time, the seller who wrote the post claimed to possess 500 million further accounts and offered to share them with anyone willing to pay a four-figure sum. LinkedIn reported that the stolen data did not contain any private information about users. The data set extracted from the freely available sample confirms this position: it included email addresses, phone numbers, genders, job titles and other data that is publicly available online on users' profiles. The data did not comprise any sensitive information, passwords or credit card numbers. Since it included only information that was publicly visible on LinkedIn profiles, it can be concluded that it was most likely obtained through web scraping, a technique in which software automatically extracts data from other software or websites. Presumably, the hackers simply “scraped” publicly available data with a computer program they had written to gather information mechanically.
So did nothing wrong happen, given that neither data set contained any information that could be considered confidential? It is worth remembering that possession of a person's email address alone can be enough for a competent cybercriminal to cause substantial damage. For this reason, many national Computer Incident Response Teams (CIRTs) have issued announcements reminding users of the most common types of attacks related to the leak of such data. These include, but are not limited to: impersonating a user in order to send malicious links (requests to transfer money or to generate one-time passwords, e.g. the BLIK code), and using the obtained user data to take over other accounts, for instance by resetting passwords through secret questions answered with personal information collected from publicly available sources.
Attacks based on the data leaked on the Internet followed shortly afterwards. Within a week, multiple phishing campaigns were observed in Poland. Scammers sent SMS messages to phone numbers obtained from the leaked data, hoping that an inattentive recipient would click on the link included in the text. The messages contained false information, such as a notification about an awaiting package or a demand to pay an overdue invoice or electricity bill. Naturally, the link was a scam designed only to extort money. Every day a number of people fell for the expertly faked payment panels, which supposedly let us log into our bank account or make an online payment. In this way fraudsters intercept the data required to access banking services, and victims lose their savings. Last year, CERT.PL (Computer Emergency Response Team) blocked 32,000 domains used for offences such as those described above.
Similar practices took place in the USA, where a number of messages in which fraudsters impersonated banks, sending a link that was supposed to lead to a new bank statement showing an alleged overdraft, have been circulating lately. Another common type of attack involves impersonating popular online stores, such as Walmart or Amazon. The procedure is similar in both cases – a link leads to a fake website that looks just like the page of a real bank or payment gateway, and when logging in, the victim hands their access data to the scammers.
So how can we defend against such thieves? First of all, by being more vigilant when it comes to providing personal information on the Internet. Cybercriminals can use it to carry out spear phishing and, in turn, fraud and other criminal practices. Before clicking on any link, let us verify the domain, or, if still in doubt, check its credibility using a search engine.
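As an added illustration of the "verify the domain" advice (example code written for this page, not part of the original article), the helper below parses a link the way a browser would and surfaces the host it actually connects to, together with the red flags typical of the SMS lures described above. The trusted domain and the sample links are constructed assumptions.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumed (constructed) genuine domain of the institution the lure imitates.
TRUSTED_DOMAIN = "bank.example.com"

# Constructed sample links in the style of the SMS lures described above; not real campaign URLs.
SAMPLE_LINKS = [
    "https://bank.example.com/login",                     # genuine
    "https://bank.example.com.payment-verify.xyz/login",  # brand as a subdomain of another domain
    "https://bank.example.com@payment-verify.xyz/login",  # brand placed in the userinfo part
    "http://192.0.2.10/bank.example.com/",                # raw IP host, brand only in the path
    "https://xn--bnk-example.xyz/",                       # punycode label (constructed, not decoded)
]

def registrable_domain(host):
    # Naive registrable domain: the last two labels. Enough for .com/.xyz here;
    # a real deployment would consult the Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def inspect_link(url, trusted=TRUSTED_DOMAIN):
    # Return the host a browser would really connect to and the red flags found.
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme not in ("http", "https"):
        flags.append("unexpected scheme")
    elif parts.scheme == "http":
        flags.append("no TLS")
    if parts.username is not None:
        flags.append("userinfo before '@': the text in front of it is not the site")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label (possible lookalike characters)")
    if trusted in url.lower() and registrable_domain(host) != registrable_domain(trusted):
        flags.append(f"'{trusted}' appears in the link but the real host is {host}")
    return {"host": host, "registrable": registrable_domain(host), "flags": flags}

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = inspect_link(link)
        print(link, "->", result["registrable"], result["flags"] or "no red flags")
```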
Author: Wiktor Sędkowski
Wiktor Sędkowski graduated in Teleinformatics at the Wrocław University of Science and Technology, specializing in cybersecurity. He is an expert on cyber threats and holds CISSP, OSCP and MCTS certifications. He has worked as an engineer and solution architect for leading IT companies.
This article was written as part of the statutory activities of the Polish think tank Warsaw Institute. If you appreciate the content prepared by our partner, we appeal to you for financial support for this non-profit organisation.