Ne’er-do-wells leaked personal information – including phone numbers – for around 553 million Facebook users this week. Facebook says the data was collected before 2020, when it changed things to prevent such information from being scraped from profiles. In my opinion, this only reinforces the need to remove cell phone numbers from all of your online accounts wherever possible. In the meantime, if you are a Facebook product user and want to learn whether your data was leaked, there are easy ways to find out.
The HaveIBeenPwned project, which collects and analyzes hundreds of database dumps containing information on billions of leaked accounts, has incorporated the data into its service. Facebook users can enter the mobile number (in international format) associated with their account and see whether the digits were exposed in the new data dump (HIBP shows you none of the leaked data itself; it only gives you a yes / no answer on whether your number appears in it).
The phone number associated with my former Facebook account (which I deleted in January 2020) was not in HaveIBeenPwned, but then again, Facebook claims it has more than 2.7 billion monthly active users.
It seems that much of this database has been kicked around the cybercrime underground in one form or another since at least last year. According to a Twitter post from January 14, 2021 by Under the Breach’s Alon Gal, a database of 533 million Facebook accounts was first put up for sale back in June 2020, offering Facebook profile data from 100 countries, including name, mobile number, gender, occupation, city, country and marital status.
Under The Breach also said back in January that someone had created a Telegram bot that let users query the database for a small fee, allowing people to find the phone numbers associated with a large number of Facebook accounts.
Many people may not consider their cell phone number private information, but there is a world of misery that villains, stalkers and creeps can visit upon your life just by knowing your cell phone number. Sure, they can call you and harass you that way, but more likely they will see how many of your other accounts – e.g. at major email providers and social networking sites like Facebook, Twitter and Instagram – rely on that number for password resets.
From there, the target is primed for a SIM swap attack, in which thieves trick or bribe employees at mobile phone shops into transferring ownership of the target’s phone number to a mobile device controlled by the attackers. With the number in hand, the crooks can reset the password of any account to which the mobile number is linked, and of course capture all one-time tokens sent to that number for multi-factor authentication.
Or the attackers exploit some other privacy and security weakness in the way SMS messages are handled. Last month, a security researcher showed how easy it was to abuse services aimed at helping celebrities manage their social media profiles to intercept SMS messages for any mobile user. That weakness has supposedly now been fixed at all the major wireless operators, but it makes you question the common sense of relying on the Internet equivalent of postcards (SMS) to handle fairly sensitive information.
My advice for a long time has been to remove phone numbers from your online accounts where you can, and to avoid choosing SMS or phone calls for second-factor or one-time codes. Phone numbers were never designed to be identity documents, but that is effectively what they have become. It’s time we stopped letting everyone treat them that way.
All online accounts you value should be secured with a unique and strong password, as well as the most robust form of multi-factor authentication available. Usually this is a mobile app like Authy or Google Authenticator that generates a one-time code. Some sites, such as Twitter and Facebook, now support even more robust options, such as physical security keys.
Removing your phone number can be even more important for any email account you may have. Sign up with any online service and it will almost certainly require you to provide an email address. In almost all cases, the person in control of that address can reset the password of the associated services or accounts – simply by requesting a password reset email.
Unfortunately, many email providers still allow users to reset their account passwords by having a link sent via text to the phone number registered for the account. So remove the phone number as a backup option for your email account, and make sure a more robust second factor is selected for all available account recovery options.
Here’s the thing: Most online services require users to provide a cell phone number when they create the account, but do not require the number to remain associated with the account after it is created. I recommend that readers remove the phone numbers from those accounts where possible and take advantage of a mobile app to generate any one-time codes for multi-factor authentication.
Why did KrebsOnSecurity delete its Facebook account early last year? Sure, it may have had something to do with the incessant stream of breaches, leaks and privacy betrayals from Facebook over the years. But what really bothered me was the number of people who felt comfortable sharing extraordinarily sensitive information with me on things like Facebook Messenger, while at the same time expecting me to guarantee the privacy and security of that message just by virtue of my presence on the platform.
In case readers want to get in touch for any reason, my email is krebsonsecurity at gmail dot com, or krebsonsecurity at protonmail.com. I also answer as Krebswickr on the encrypted messaging platform Wickr.