Ring Ring! It's One of Facebook's 533 Million Users Who Had Their Phone Number Stolen

March 26, 2021

Motherboard reports that over 500 million Facebook users were targeted by a bot attack. Creepy as it is, the automated bot was able to expose the phone numbers of millions of Facebook account holders. Getting access to the data was easy, since all it took was internet access and some startup cash: pay the hackers, then use a Telegram bot to pull the purchased phone numbers. It’s one of the latest security problems the embattled social media platform continues to face. It’s also a case of data theft with many applications, including circumventing SMS-based two-factor authentication (2FA) on user accounts, which can lead to identity and financial fraud as well as other harmful attacks.

Money means access with this attack. Buyers purchase credits (one credit for $20, or 10,000 credits for $5,000) and redeem them against a dataset the bot claims holds the phone numbers of 533 million Facebook users from the U.S., the UK, Canada, Australia, and fifteen other countries.

Facebook claims the stolen data comes from a vulnerability it fixed over a year ago. Although the phone numbers may be close to two years old, the vast majority of them are likely still in use, and therein lies another problem. It’s bad enough that the stolen numbers can be used for vishing (voice), smishing (text) and other socially engineered attacks, but interfering with identity verification can give abusers a direct line to more lucrative crimes. 2FA has been, and still is, a dependable way for users to add a layer of verification to any number of accounts at login, especially on financially related sites where the stakes are higher. However, most people don’t change phone numbers very often, so the cybercriminals who obtained them in this Facebook incident know exactly which number your SMS 2FA codes are sent to.

When possible, use a form of 2FA that isn’t a text sent to your phone number. That may be a one-time code from a hardware token (key fob). It could be answering challenge questions. Other options include an authenticator app on your mobile device that generates one-time codes, or an option that is gaining traction: a hardware “key” that is plugged into your computer to verify your identity. If none of these options are available, by all means take advantage of the text code. Something is most certainly better than nothing.

Going forward, the success of this bot shows how easily even an unsophisticated hacker with a bot can steal data and sell it, or use it for highly effective cyberattacks. And perhaps most irritating for users, it could also mean more telemarketing phone calls are on their way. Be warned and be ready!

Stickley on Security