Ne'er-do-wells leaked the personal data (including phone numbers) of approximately 553 million Facebook users this week. Facebook said the data was collected before 2020, when it made changes to prevent such information from being scraped from personal profiles. In my opinion, this only increases the need to delete cell phone numbers from all online accounts where feasible. At the same time, if you are a Facebook user and want to know whether your data was leaked, there are easy ways to find out.
The HaveIBeenPwned project has collected and analyzed hundreds of database dumps containing information about billions of leaked accounts, and it has now added this dump to its service. Facebook users can enter the mobile number (in international format) associated with their account and see whether that number appears in the new data dump (HIBP does not display any of the leaked data; it only answers yes or no as to whether the number is present).
The phone number associated with my late Facebook account (which I deleted in January 2020) was not in HaveIBeenPwned, but then again, Facebook claims to have 2.7 billion monthly active users.
Since at least last summer, much of the content in this database seems to have been circulating in underground cybercrime communities in one form or another. According to a Twitter post by Alon Gal of Under the Breach on January 14, 2021, the 533 million Facebook account database was first offered for sale in June 2020, providing Facebook profile data from 100 countries/regions, including names, mobile phone numbers, gender, occupation, city, country and marital status.
Under the Breach also stated in January that someone had created a Telegram bot that allows users to query the database for a low price, enabling people to find the phone numbers linked to a large number of Facebook accounts.
Many people may not think of their cell phone number as private information, but the world is full of bad guys, stalkers and creeps who can wreak havoc on your life with nothing more than your cell phone number. Sure, they can call and harass you that way, but more likely they will find that many of your other accounts (at major email providers and at social networking sites like Facebook, Twitter and Instagram, for example) rely on that number for password resets.
From there, the target is primed for a SIM-swap attack, in which thieves trick or bribe employees at a mobile phone store into transferring ownership of the target's phone number to a mobile device controlled by the attacker. From there, the bad guys can reset the password of any account tied to that mobile phone number, and of course intercept any one-time tokens sent to that number for multi-factor authentication.
Alternatively, attackers may exploit other privacy and security weaknesses in the way wireless carriers handle SMS text messages. Last month, a security researcher showed how easy it was to abuse a service designed to help celebrities manage their social media profiles in order to intercept SMS messages sent to any mobile user. All major wireless carriers have reportedly fixed this weakness, but it does make you question the wisdom of continuing to rely on the postcard of the Internet (SMS) to safely handle such sensitive information.
For a long time, my advice has been to remove phone numbers from online accounts as much as possible, and to avoid choosing SMS or phone calls as a second factor or one-time code. Phone numbers were never designed to be identity documents, yet that is effectively what they have become. It’s time we stopped letting everyone treat them that way.
All online accounts that you value should be protected with unique and secure passwords and the most reliable form of multi-factor authentication. Usually, this is a mobile application that can generate a one-time code, such as Authy or Google Authenticator. Certain websites such as Twitter and Facebook now support even more powerful options, such as physical security keys.
For any email account you may have, deleting the phone number may be even more important. To register for virtually any service online, you will almost certainly need to provide an email address. In almost all cases, whoever controls that address can reset the password for any associated service or account simply by requesting a password reset email.
Unfortunately, many email providers still allow users to reset their account password by sending a link via text message to the phone number on file for the account. Therefore, remove your phone number as a backup recovery option for your email account, and make sure to choose the more reliable second factor among the available account recovery options.
The fact is: Most online services require users to provide a mobile phone number when setting up an account, but they don’t need the number to remain associated with the account after the account is established. I recommend that readers remove their phone numbers from their accounts as much as possible and use the mobile app to generate any one-time codes for multi-factor authentication.
Why did KrebsOnSecurity delete its Facebook account early last year? Of course, it may have had something to do with the breaches, leaks and privacy betrayals that have continuously surfaced at Facebook over the years. But what really bothered me was that many people were willing to share very sensitive information with me over things like Facebook Messenger, and had always hoped that they could rely on my presence on the platform to keep that information private and secure...
If readers want to get in touch with me for any reason, my email here is krebsonsecurity at gmail dot com, or krebsonsecurity on protonmail.com. I also respond as Krebswick on the encrypted messaging platform Wickr.