A 2019 Facebook data breach came back to haunt the company and affected users a few weeks ago when the data that hackers scraped from the site from more than 533 million accounts resurfaced online. Facebook dealt with the situation awfully, saying that the security issue was patched when the data breach was first discovered and that it won’t even notify impacted users. One of those users turned out to be Facebook CEO, Mark Zuckerberg. Researchers used his data to prove his phone number is associated with an existing Signal account, a chat app that competes against WhatsApp and Facebook Messenger. This showed how personal data could be used to target victims. There is little that Facebook users can do to fix the issue, as the circulating database can’t be deleted. They can try to figure out whether their data is included in the hack. Changing the phone number associated with their identity in the database is also an option.
The second hack was more limited in scope. A tool allows people to find out the phone numbers of Facebook users who “liked” a page on the social network. This hack is unrelated to the database leak that impacted hundreds of millions of accounts.
A new report now indicates that a third data leak might be looming, and it could be of the same variety as the 2019 security issue. Attackers might be able to scrape emails belonging to millions of Facebook users directly from the service.
A security researcher found a way to link Facebook accounts to as many as 5 million email addresses per day, with the help of a tool named Facebook Email Search v1.0. The unnamed researcher informed Ars Technica of the vulnerability, saying that Facebook had told him it didn’t think the security issues he found were “important” enough to be fixed.
In one test run, the researcher used 65,000 emails. “As you can see from the output log here, I’m getting a significant amount of results from them,” he told Ars. “I’ve spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 [email] accounts.”
The researcher explained that the output file would give him the user ID name and the email address associated with it. He estimated the procedure could be used to extract up to 5 million email addresses per day. The attack can apparently expose emails even when users choose settings to prevent their emails from going public.
Facebook acknowledged the bug in a statement to Ars without confirming whether the company had told the researcher that the bug he uncovered didn’t warrant a fix:
It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings.
A similar vulnerability was fixed earlier this year. The email attack he demonstrated “is essentially the exact same vulnerability,” he said. “And for some reason, despite me demonstrating this to Facebook and making them aware of it, um, they have told me directly that they will not be taking action against it.”
It’s unclear whether anyone abused this security issue. But if a security researcher found the bug, a person with malicious intentions could have easily discovered it.
Also troubling is Facebook’s stance on data breaches that do not involve someone actually hacking Facebook’s servers. The 533 million account hack falls into that category; Facebook describes it as data scraping. Belgian site DataNews obtained an internal email from Facebook that explained the company’s strategy for dealing with these breaches.
Facebook wants to normalize data scraping and insists that it’s a common problem in the industry. The email explains that Facebook is practically waiting for news coverage of the data breach to die down in the short term. “Assuming press volume continues to decline, we’re not planning additional statements on this issue,” the email reads. “Longer term, though, we expect more scraping incidents and think it’s important to both frame this as a broad industry issue and normalize the fact that this activity happens regularly.” The email also said that Facebook plans to inform the public via additional posts about the data-scraping attacks and what the company is doing to prevent them.