According to Business Insider, database containing more than 267 million Facebook user IDs, phone numbers, and names was left exposed on the web for anyone to access without a password or any other authentication. Comparitech partnered with security researcher Bob Diachenko to uncover the Elasticsearch cluster. The open database, which has been pulled down, wasn’t protected by a password or any other safeguard for nearly two weeks. In fact, someone has already made the data available for download on a hacker forum.
According to Anurag Kahol, CTO, Bitglass, the Facebook incident shows an inherent vulnerability with social media platforms. He notes: “Social media platforms are lucrative targets for cybercriminals due to the massive amounts of personally identifiable information that they collect and store from users. In fact, the data exposed in this incident was found on a dark web forum, leaving the affected consumers highly vulnerable to targeted phishing and credential stuffing attacks, account hijacking, and more.”
The risks run deep, as Kahol notes: “The lasting impact is unknown and a staggering 59 percent of consumers admit to reusing the same password across multiple sites, even knowing the risks associated. This could give cybercriminals access to various accounts for the same individual across multiple services, rendering their digital footprint incredibly vulnerable as a result. All consumers, not just users impacted by this incident, need to make a habit of diversifying their login credentials across different accounts in order to mitigate the chances of their account being hijacked.”
In terms of lessons to be learnt, Kahol says: “all companies can learn that it is essential to have full visibility and control over their customer data in order to prevent a breach. To do so, organizations must implement security solutions that remediate misconfigurations, enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information.”
