A hack of 533,000,000 global Facebook users that went up for sale on messaging app Telegram in January has now spiraled out of control.
Over the weekend, security researcher Alon Gal tweeted that every single one of those half-billion Facebook records had just been leaked for free. “This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked,” Gal wrote.
Telephone numbers were just the top layer of what was stolen. Gal detailed that a person’s Facebook ID, full name, location, past location, birthdate, email address, account creation date, relationship status, and bio were also possibly purloined. Users from 106 countries are affected, including 32 million people in the U.S.
“Bad actors will certainly use the information for social engineering, scamming, hacking and marketing,” Gal said.
As of mid-morning on Monday, neither Facebook CEO Mark Zuckerberg, Facebook Security, or Facebook’s Privacy blog had acknowledged the issue.
Brace yourself for more
When ConsumerAffairs reached out to Daniel Markuson, a digital privacy expert at NordVPN, for comment, he said that people should buckle up for a large wave of personalized phishing or social engineering attacks. In a hacker’s way of thinking, why not? There’s no monetary risk since the personal data was free. “It means that anyone with shady intentions was able to get their hands on it,” Markuson said.
“This leak raises huge concerns, especially now. Cybercriminals exploit fears or feed on the need for urgency. We have already seen a surge in pandemic-related cybercrimes, and this trend continues. Now, as countries all over the world are starting to roll out vaccination programs, there is another opportunity for cybercriminals.”
Markuson said that vaccine-related searches in the U.S. have grown by 1,900 percent since January. This shows that Americans are becoming increasingly anxious to get their COVID-19 vaccine and might be an easy target for hackers.
Protecting yourself against a phishing email or malicious message isn’t complicated, but it does take some vigilance. When ConsumerAffairs asked Markuson what advice he would give to unsuspecting people, he gave us six things to watch out for.
Check the sender’s email address or telephone number. “Don’t just trust the display name – pay attention to the email address, telephone number, and other sender credentials,” he said.
Look for spelling mistakes, grammar mistakes, and design issues. Serious companies and institutions don’t usually send out emails with bad grammar; email design is usually lean and precise.
Don’t click on links or download attachments. If it’s an email, hover your mouse over the link to see the destination. Check if it looks legitimate and, especially, if it contains the “https” part to indicate a secure connection. For other types of messages, it’s generally safer to search for the website yourself.
Consider context. Were you expecting such an email or message? If not, it is probably suspicious, especially if the offer seems too good to be true.
Contact the company yourself. When in doubt, contact the company or institution over the phone or by using an alternative email address to confirm if the email is legitimate.
Report the incident to the authorities. If you notice something unusual, raising the alarm can help not only you, but others affected by the leak as well.
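As an added example (not from the article, NordVPN or Facebook), the following Python script applies items 1 and 3 of the checklist above to a constructed sample email: it compares the sender’s display name with the actual sending domain, and checks each link for https and for visible text that names a different host than the real destination. The message text and the fb-security-update.example domain are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the checklist items above; not a real message.
SAMPLE = """From: "Facebook Security" <alerts@fb-security-update.example>
Subject: Confirm your phone number
Content-Type: text/html

<a href="http://fb-security-update.example/confirm">https://www.facebook.com/settings</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_message(raw: str) -> list[str]:
    """Apply checklist items 1 and 3 to a raw email and return warnings."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    domain = addr.rsplit("@", 1)[-1].lower()
    warnings = []
    # Item 1: the display name names a brand that the sending domain does not contain.
    brand = display.split()[0].lower() if display else ""
    if brand and brand not in domain:
        warnings.append(f"display name '{display}' does not match sender domain '{domain}'")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        target = urlparse(href)
        if target.scheme != "https":  # Item 3: destination is not https
            warnings.append(f"link {href} does not use https")
        shown = urlparse(text if "://" in text else "")
        if shown.netloc and shown.netloc != target.netloc:  # Item 3: text vs destination
            warnings.append(f"link text shows {shown.netloc} but goes to {target.netloc}")
    return warnings
```

Running `check_message(SAMPLE)` returns three warnings for the sample: a brand/domain mismatch, a non-https link, and link text pointing at a different host than the href.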
“Everyone can become a victim of phishing scams,” Markuson said. “Although some of them are pretty obvious, others can be challenging to spot. As a prevention measure, use cyber security software such as VPNs, antiviruses, spam filters, and firewalls.”
ConsumerAffairs has a guide on data protection. It covers rates, reviews, and other information about companies that offer data protection services. It’s available here.
It should be noted that Facebook Security extended support for mobile security keys for Facebook iOS/Android users on March 18. The team suggested that users employ security keys to help ensure that passwords aren’t the last line of defense between an attacker and a user’s account.