Facebook faces fresh scrutiny in Southeast Asia, after data from over 15 million users in the region was exposed in a recent leak that could put individuals at risk of identity theft and impersonation attempts, according to local privacy watchdogs.
The data trove, which was uncovered last Saturday by Alon Gal, the co-founder of Israeli cybercrime intelligence firm Hudson Rock, contains information on over 530 million users, including profile names, Facebook IDs, locations, occupations, birthdates, phone numbers, and email addresses.
“All 533,000,000 Facebook records were just leaked for free,” said Gal on Twitter. “This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked. I have yet to see Facebook acknowledging this absolute negligence of your data.”
In early 2020 a vulnerability that enabled seeing the phone number linked to every Facebook account was exploited, creating a database containing the information of 533m users across all countries.
It was severely under-reported and today the database became much more worrisome 1/2 pic.twitter.com/ryQ5HuF1Cm
— Alon Gal (Under the Breach) (@UnderTheBreach) January 14, 2021
Facebook responded in a blog post three days later, saying that “malicious actors” obtained the data from its platform before September 2019. “As a result of the action we took, we are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists,” read the post.
Malaysia is the most affected country, with over 11 million users exposed, followed by Singapore with 3 million, the Philippines with 879,699, Brunei with 213,995, Indonesia with 130,331, and Cambodia with 2,838, according to BleepingComputer.
Facebook counts 377 million users in Southeast Asia, 13% of its global audience of 2.8 billion, according to data from Statista.
Jean F. Queralt, the founder and CEO of The IO Foundation, a digital rights advocate, told KrASIA that people in the region, and beyond, generally don’t have a strong understanding of the nature of data, which makes them particularly vulnerable when it comes to leaks or breaches. “At social media like Facebook, users basically relinquish their rights to the data,” he said.
While Facebook said that it patched the vulnerability in August 2019, it also emphasized in comments to KrASIA that the leaked data was obtained not by hacking but by scraping, and that the firm is in talks with regulators.
Governments across the region have been put on alert by the incident. Singapore’s Computer Emergency Response Team (SingCert) on Monday warned of possible dangers.
“Threat actors may use the leaked information to conduct phishing and other social engineering attacks. Facebook users should remain vigilant and look out for unsolicited phone calls and messages sent over SMS and instant messaging applications such as WhatsApp,” said SingCert.
The agency added that threat actors may utilize caller ID spoofing technology to impersonate the user and conduct further attacks with malicious links, or try to compromise other accounts of the victim with the obtained personal data.
Regional governments in alert mode
In the Philippines, the National Privacy Commission said that it is still validating the information that 879,699 people have been affected and that it immediately reached out to Facebook’s data privacy officer for more details on the situation.
“As we await more answers, we highly encourage Facebook users to be more cautious online. We reiterate the need for the regular changing of passwords and the activation of two-step authentication of accounts to safeguard personal information,” the watchdog said.
Queralt added that there is an array of ways to prevent impersonation by bad actors, such as using password managers, having a different password for each account, and avoiding answering security questions with facts that can be easily verified.
Although some countries in the region, including Singapore and Malaysia, have personal data protection laws in place, governments have to make sure that there is a standard mechanism for implementation, he said. “We don’t go around wondering if a seat belt is safe or not, do we?”