Understanding The Facebook Data Leak: 533,000,000 Facebook Records Were Leaked

Written by z3nch4n | Published 2021/04/28

TLDR A user of a low-level hacking forum posted the records of hundreds of millions of Facebook users for free online on 3rd April 2021. The data exposed involves over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. Facebook said the data contained Facebook IDs created before Facebook’s fix of the contact vulnerability. Facebook also said it tested the bot against newer data and that the bot did not return any results.

Understanding the Value of Privacy Via the Facebook Data Leak

“They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.”
Benjamin Franklin
If a researcher conducted a survey asking people how important personal privacy is to them, the vast majority of respondents would reply “very important,” even though those same respondents would probably engage with social media platforms such as Facebook, Instagram, or Twitter within minutes of answering the survey.
This is the problem with the word “privacy” — it is a very subjective concept, as different people look at the same problem from different angles. Digital privacy adds yet another angle. These days, we are forced to weigh privacy against convenience and usefulness.
Social media platforms exacerbated the problem by lowering our guards on giving up part of our identity globally. Some individuals have no concern about the general public knowing intimate aspects of their lives, posting every vacation, meal, and life event to an overabundance of social media followers.
These people value digital engagement and social interaction far more than they value the privacy of their personal information, and for this, they are at risk of irreversible damage.
I did not pay too much attention to the leak until I saw the Facebook spokesperson’s tweet. She told Business Insider that the data was scraped due to a vulnerability that the company patched in 2019. That means the problem is fixed, from her perspective.
I do not know much about Liz, so I would not comment on her tweet, but if she thinks a data leak is a matter that can be fixed afterward, like filling the hole on the ground, then she is missing the largest piece of the puzzle.

The Origin of the Leak

A user of a low-level hacking forum posted the records of hundreds of millions of Facebook users for free online on 3rd April 2021. This is no surprise for many of us; still, it is concerning, and some of the insights may be worth mentioning not just to my friend but to everyone who cherishes privacy.
According to Business Insider, the data exposed involves over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million users in India. More alarming is that the records hold the following information:
  • phone numbers
  • Facebook IDs
  • full names
  • locations
  • birthdates
  • bios
  • email addresses
According to Business Insider, Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, first discovered the leaked data in January, when a user in the same hacking forum advertised an automated Telegram bot that could give phone numbers to users in exchange for money.
The Telegram bot lets users enter either a phone number to obtain the matching Facebook ID or vice versa. The bot's initial results are redacted, but users can buy credits to reveal the full phone number.
Facebook said the data contained Facebook IDs created before Facebook’s fix of the contact vulnerability. Facebook also said it tested the bot against newer data and that the bot did not return any results.

Three Instant Actions to Limit Your Loss

If you are having a hard time finding the database online to check whether you are on the list, stop: it is a waste of time. The first thing you want to do is to assume your data is exposed. What is exposed is not recoverable on your side, as you never know who has gained access to your data.
1# Check if You Are Over-Exposed
I often use the term “digital social distancing” to illustrate the concept of Least Privilege. Just as keeping a distance between you and other people when you go out in public is the best way to avoid infection, keeping a distance between your identity and the public internet is the best way to avoid exposure.
Once you know what has been leaked, you may want to limit your online exposure from now on: check all your social media platforms and instant messaging applications for personal information you have published.
If it is what you want people to know, then leave it as it is. But if you are worried that something like what happened to Facebook this time could happen again (and it probably will), try giving up your information only on a “Need-To-Know” basis.
2# A Strong Password
Personal data can be used to identify who you are. In the wrong hands, it could be used to impersonate you and claim what is yours on your behalf without you knowing it.
Protecting your identity would require stronger authentication. I strongly recommend adding a layer of security by enabling Two-Factor Authentication for your accounts.
If you think that would be too difficult to start with, start by changing your password. I wrote about this earlier this year and hope you will find it useful in the wake of this kind of hack.
Firefox offers free services to safeguard users' privacy. For example, we can use Firefox Monitor to keep track of whether our email accounts have been exposed in breaches. (If that is the case, you may consider using another email address to avoid spam or targeted email attacks.)
But the most recent innovative solution to prevent email exposure in the first place is interesting. It is called Firefox Relay.
Firefox Relay makes it easy to create aliases, randomly generated email addresses that forward to your real inbox. Use it to protect your online accounts — and your identity — from hackers.
In short, it is an easy-to-use tool that gives you a random email address to sign up with online. Firefox Relay acts as a middle man, passing along messages from the random email address to your true email address. That way, if the sign-up website is hacked, or it was a phishing website all along, your real email address is safe, at least.
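The page recommends checking whether your credentials are exposed via HIBP (Have I Been Pwned) and Firefox Monitor. HIBP's Pwned Passwords "range" endpoint is worth understanding because it is itself designed around the privacy the article argues for: only the first five hex characters of the SHA-1 of your password are sent to the server, and the match is finished locally (k-anonymity). The code below is an added example written for this article, not code from the author or from HIBP; the sample server response is constructed for the example, and `fetch_range` (a live lookup over the real endpoint) is never called automatically.

```python
"""
k-anonymity lookup as used by Have I Been Pwned's Pwned Passwords range API
(https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>).

The server only ever sees a 5-character hash prefix; it returns every known
suffix that shares the prefix, and the client checks for its own suffix.
"""
import hashlib
import urllib.request
from typing import Dict, Tuple

RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed sample response for prefix "5BAA6" (SHA-1("password") starts with
# it). Format mirrors the real endpoint, "SUFFIX:COUNT" per line; the counts and
# the other two suffixes are made up for this example.
SAMPLE_RANGE_BODY = (
    "0AFFB0F3C1F2B7F1C1D0ABCDEF0123456789:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\r\n"
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1\r\n"
)


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into (5-char prefix, 35-char suffix).
    Only the prefix is ever transmitted."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of times the password appeared in known breaches, given the
    server's response for the password's prefix. 0 means not found."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup of one 5-character prefix (requires network; not run by default)."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    req = urllib.request.Request(RANGE_API + prefix, headers={"User-Agent": "hibp-range-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_live(password: str) -> int:
    """End-to-end check against the real service: send only the prefix, match locally."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration using the constructed sample response.
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, SAMPLE_RANGE_BODY)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in sample range'}")
```

The point to notice is that `breach_count` never needs the password, the full hash, or the full suffix to leave the machine: the server's reply for prefix `5BAA6` is the same for every password whose hash starts with those five characters, so the lookup reveals almost nothing about which password was checked.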

The Three “What” During Data Sharing

When deciding on sharing personal information, there are three “What” you should consider:
1# What Personal Information Is the Company Asking For?
Some websites may only ask for basic information such as a zipcode or an email address. Still, others may ask for a phone number, home address, or personal ID number. As mentioned, if this information was stolen, you lose it forever.
2# What Does the Company Do With the Personal Data It Collects?
Ask what kind of personal data is being recorded, stored, and, especially, shared with third parties. Many organizations frequently send customers’ data to third parties or use it to conduct targeted marketing and advertising campaigns. Take a look at Facebook’s user agreement as a reminder.
3# What is the Level of Comfort in Sharing Your Data?
There is always a risk that organizations could become victims of cyberattacks. To determine how risky sharing your data with a particular organization can be, please make sure to:
  1. Read the organization’s terms and conditions and privacy policy statements. Look for the section that can answer the two “What” above. No need to read it thoroughly, but do not click “agree” immediately.
  2. Learn about your privacy rights as defined by GDPR, CCPA, and other data-privacy regulations. Knowing your rights does not immediately make your data safer, but it could tell you when and how to hold the organization accountable after an incident.

Final Words — The Value of Privacy

Unlike in our physical world, we may not be aware that data is being stolen. When digital data is “stolen,” the data is in fact still there. Strings of “0” and “1” can be duplicated infinitely without error. Applied to our personal data, this means hackers can use the perfect copies for impersonation or phishing.
A phishing message possibly related to the Facebook leaks | Copyright by the author
One example is the message I got yesterday from a friend saying that he had sent me an SMS by mistake. But the truth is that his phone number had been exposed and hijacked for use as a pawn in further hacks. If I had replied with the SMS code to the spammer, he or she could have gained access to my WhatsApp and sent messages to my contacts.
Personal data, in a sense, is part of who you are. Although the exposed data is from 2019, it is definitely a great risk to most of us. Unlike a password, which could be changed if it was stolen, you would not change your full name if you find your data is exposed (right?).
If your biometric data, such as registered fingerprint, was stolen, then you cannot use it as your identity anymore. Why is that? Because you cannot use it to prove it is truly you if someone else also has the same attributes. That is also the reason why biometric data are mostly stored locally to prevent massive leaking.
As a result, once personal information is exposed, you lose it forever. There is no way to take it back, and the best you can do is to use another finger for authentication and revoke the enrollment of the previous one. Keep this in mind, so you really understand that the value of privacy is unique.
People think only criminals need to hide. Sadly, they do not know Privacy is our right. We do nothing wrong when we go to the bathroom or have sex. Still, we keep it private. We keep our private journals, sing in the shower, and keep secrets to ourselves as we know that privacy is a basic human need.
So hey Facebook, rather than saying you fixed the problem for us already, with the power and scale of Facebook, why don’t you take a more proactive step to help users to know what is lost and what needs to be changed?
Lastly, for those who want to check whether they are exposed, try it out at HIBP (Have I Been Pwned) and Firefox Monitor.
Thank you for reading. May InfoSec be with you🖖.

Written by z3nch4n | Interested in Infosec & Biohacking. Security Architect by profession. Love reading and running.
Published by HackerNoon on 2021/04/28