Facebook has been in the news this week over a data breach dating from 2019, in which over half a billion users' details were taken from the company. What are the security implications for businesses today?
In 2019 the Facebook website was scraped to harvest the account information of over 500 million users, including combinations of full name, email address, phone number, date of birth, address details, gender and occupation. Facebook patched the software to stop the harvesting in August 2019. What changed in April 2021 is that someone holding a copy of this huge trove of user data has now published it for free on the dark web, so it is no longer in the hands of a few buyers but available to anyone.
It is the combination of phone numbers with names, location and occupation details for so many users that poses a new risk in the months ahead: automated, personalised phone-based phishing, whether by text message (smishing) or voice call (vishing), that can address the target by name and reference real details about them.
Knowing the mobile number of a phishing target also opens up a SIM swapping attack, in which the attacker takes over the number and intercepts the SMS messages carrying multi-factor authentication codes, leading to account takeover. SIM swap related fraud has risen sharply in the UK in the last five years according to Action Fraud. SIM swap fraud occurs when criminals trick a mobile operator into issuing a PAC (Porting Authorisation Code) so that the victim's number is ported to a device the criminals control; from that point the victim's phone loses service and every call and text, including one-time codes, goes to the attacker. Leaked data sets as rich as the Facebook data help criminals compile exactly the personal details needed to pass the operator's security questions, or to talk pandemic-stressed customer service staff into actioning the swap.
The data breach monitoring site https://haveibeenpwned.com has updated its service so that phone numbers, and not just email addresses, can be searched, to help people understand whether they are at greater risk of being targeted by scammers.
You can protect your accounts, network and systems from SIM swap attacks by moving multi-factor authentication away from SMS-based codes and on to a free authenticator app such as Google Authenticator or Microsoft Authenticator. These apps generate the code on the device itself from a shared secret and the current time, so there is no text message for a swapped SIM to receive. One caveat: an authenticator code can still be phished if the victim types it into a fake login page, so where a service supports it a hardware security key is stronger still.