Facebook's giant data leak almost slipped right by everyone. Except for Phishing attackers.
We've heard of banks that are too big to fail.
What about security breaches that are too big to disclose? Can that be a thing?
...information from more than 530 million Facebook users had been made publicly available in an unsecured database.
Back in 2019, Facebook discovered a massive data gathering campaign on their site. Data aggregators (malicious or otherwise) were "scraping" data from user profiles.
Ultimately, it amounted to data on 530 million people.
Affected users have never been informed, and we're just now learning more about this data leak.
First, it's easy to get lost in the magnitude of the data exposure.
530 million is larger than the entire population of the United States. And by a factor of almost 2x! (assuming toddlers aren't born with Facebook accounts. Yet.)
So this is massive.
...we can’t always prevent data sets like these from recirculating or new ones from appearing.
Facebook made it clear that the lost information "did not include financial information, health information or passwords."
So that's great, right?!
Sometimes it's what they didn't say that matters: what is included.
We've previously asked how Phishers target their victims. This is how!
Scraping is a common tactic that often relies on automated software to lift public information from the internet that can end up being distributed in online forums...
We know these attackers were able to scrape info on over half a billion people, including name, phone number, email address, job title, favorite pet name... whatever you crazy people put on Facebook!
This is more than enough information for an attacker to start a Phishing attack.
Attackers just need an email address. And it gets much more vicious when they can pair that with deeper information: a cell phone number, a job title, a recent vacation, a love for labradoodles.
And since they can automate that process of sending malicious emails, it's just a matter of time before millions of crafty Phishing emails are generated.
So what do you do about this?
The data is out there.
Facebook themselves said "we can’t always prevent data sets like these from recirculating or new ones from appearing..."
You can start by finding out whose data has been exposed on your team. INFIMA's Partners do that with Web Exposure Reports.
These reports detail all of those publicly available emails and identifying information that Phishing attackers use to launch their weaponized emails.
Next, you train your users to avoid these incoming Phishing attacks.
We make that easy too...
Consistent Security Awareness Training is one of the lowest-cost critical security items in your arsenal.
Start with a quick quote - hit us up