Over the past week, you've likely seen reports of new data hacks on Facebook and LinkedIn, which have exposed the personal information of millions of users.
To clarify each case:
- On Saturday, Business Insider published a report which indicated that personal information from more than 530 million Facebook users had been made publicly available in an unsecured database
- On Wednesday, Cyber News reported that personal data scraped from 500 million LinkedIn users was being offered for sale on various hacking forums
Both Facebook and LinkedIn have acknowledged the respective cases, but both have also played down the significance of each, noting that it was either publicly available, or information obtained via previously reported data breaches.
So what's the real story?
In the case of Facebook, it's a little confusing - on Tuesday, the company posted an explainer which basically dismissed the case as old news, saying that:
"We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019. This feature was designed to help people easily find their friends to connect with on our services using their contact lists. When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer."
So, nothing to see here, everything's all good, this was an already reported breach. Right?
Well, not exactly. According to an in-depth investigation by Wired, this specific data breach hadn't been fully disclosed in the past, even though the data itself is old.
The process the scrapers used, as Facebook notes, was based on the 'Find my Friends' feature, which used your phone contacts to connect you with people you know in the app when starting a new account. Hackers found that they could load essentially every possible phone number into an address book, and Facebook's system would simply treat any matching account as a friend and hand back that person's profile information. They then used this to scrape the data at scale, which is what's now being made available.
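The enumeration pattern described above (bulk contact uploads that are really a sweep of a number range) is the kind of abuse a platform's server-side controls should catch. As an added illustration, not code from Facebook or from the article, this hypothetical detector scores contact-import requests over constructed sample data, flagging oversized uploads, excessive per-account volume, and dense consecutive number ranges; the thresholds and event format are assumptions:

```python
from collections import defaultdict

# Helper to build a dense, consecutive block of numbers for the constructed sample.
def seq(start, n):
    return [f"+1555{start + i:07d}" for i in range(n)]

# Constructed sample contact-import requests (not real data): (account, uploaded numbers).
SAMPLE_REQUESTS = [
    ("acct-a", ["+15550001234", "+15550098765", "+15550042001"]),  # ordinary user
    ("acct-b", seq(2000000, 400)),  # dense consecutive block: enumeration pattern
    ("acct-b", seq(2000400, 400)),  # same account keeps sweeping the next block
    ("acct-c", ["+15550007777"]),
]

# Assumed policy thresholds; a real deployment would tune these per product.
MAX_PER_REQUEST = 250         # contacts allowed in a single import call
MAX_PER_ACCOUNT_WINDOW = 500  # contacts allowed per account within a time window
MAX_DENSITY = 0.5             # fraction of numbers whose successor is also uploaded


def sequential_density(numbers):
    """Fraction of uploaded numbers immediately followed by another uploaded number.
    Genuine address books are sparse; an enumeration sweep is close to 1.0."""
    digits = {int(n.lstrip("+")) for n in numbers}
    if len(digits) < 2:
        return 0.0
    return sum(1 for d in digits if d + 1 in digits) / len(digits)


def assess(requests):
    """Return (account, sorted reasons) for every request that should be
    throttled or have its match results withheld pending review."""
    totals = defaultdict(int)
    findings = []
    for acct, numbers in requests:
        totals[acct] += len(numbers)
        reasons = []
        if len(numbers) > MAX_PER_REQUEST:
            reasons.append("oversized_request")
        if totals[acct] > MAX_PER_ACCOUNT_WINDOW:
            reasons.append("account_volume")
        if sequential_density(numbers) > MAX_DENSITY:
            reasons.append("sequential_range")
        if reasons:
            findings.append((acct, sorted(reasons)))
    return findings


if __name__ == "__main__":
    for acct, reasons in assess(SAMPLE_REQUESTS):
        print(f"{acct}: {', '.join(reasons)}")
```

Only the sweeping account is flagged; the small, scattered address books pass untouched, which is the balance a rate limit on a contact importer has to strike.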
According to Wired, Facebook is not taking direct responsibility for the full extent of this breach, and in fact cannot determine that extent, because the phone numbers used to exploit the vulnerability were supplied by the attackers rather than drawn from Facebook's own systems.
"Facebook argues that it did not expose the phone numbers itself. “It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019,” [Facebook] wrote Tuesday. The company aims to draw a distinction between exploiting a weakness in a legitimate feature for mass scraping and finding a flaw in its systems to grab data from its backend."
So the available data may well go beyond what Facebook has reported previously, but the company doesn't know, because it can't say how many times this vulnerability was exploited before it was corrected. Hackers may also have merged this data set with other publicly available records to expand on the exposed data - you can check if your personal data was exposed at this site.
So there is a new issue within this specific data set, but Facebook has also corrected the flaw in its systems.
In LinkedIn's case, the company says that the available dataset includes 'publicly viewable' information which had been scraped from the platform.
LinkedIn has published this statement:
"We have investigated an alleged set of LinkedIn data that has been posted for sale and have determined that it is actually an aggregation of data from a number of websites and companies. It does include publicly viewable member profile data that appears to have been scraped from LinkedIn. This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review."
According to Cyber News, the full leaked archive contains full names, email addresses, phone numbers, and more, aligned with information gleaned from the profiles of more than 500 million LinkedIn members. Given that the platform only has 740 million members in total, that is a huge chunk of its user base. The hackers have posted a sample of 2 million records to prove the hack is genuine, and are selling the rest.
Considering that LinkedIn only makes contact information available to your first-degree connections on the platform (or members who you’ve sent a connection request to), it's unclear exactly if or how the hackers might have gained access to all of this data, or how accurate and up to date it might be, but again LinkedIn has said that it appears that the hackers have combined the scraped LinkedIn profile info "with data from a number of websites or companies".
So as with Facebook, LinkedIn's playing down its direct culpability at this point, and it's not entirely clear exactly how the dataset has been formulated. You can check if your LinkedIn information has been exposed here.
It does seem, however, that these are new datasets, and significant data breaches, even if the information is not recent. As such, the best advice is to update your passwords, and enable two-factor authentication where possible. There's not a lot you can do about your past information being leaked, but you can tighten your own security to limit the damage from similar incidents in future.
The two cases will also further stoke concerns about the misuse of user data held by social media platforms. That's been a major point of contention of late in relation to Apple's coming IDFA update, which will enable users to opt out of data tracking in every iOS app. Breaches like this will only strengthen the case for limiting such tracking, a flow-on impact that could hit Facebook and LinkedIn specifically.
The cases could also spark a stronger push for regulation, and could see more penalties handed down to the companies. We're still waiting to get the full scope of the breaches, but overall, they don't help to build confidence that social platforms can be trusted with such insights.