533 million Facebook users' personal data have been leaked

By Varun Om | April 4, 2021 | in Security Incident

2 minute read

Personal data of hundreds of millions of Facebook users was published on Saturday in a low-level cybercriminal forum for anyone to access.

The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and - in some cases - email addresses.

The data was likely scraped due to a vulnerability in Facebook public search feature reported in 2019, and the hacker was spotted selling the data in January 2021, which has now been made public.

Measures to protect your web application from such scraping

Do not reveal sensitive personal information like phone numbers/email addresses in unprotected (public) endpoints.
- Use outgoing data filters to automatically detect and remove/deny responses that contain such information.
‘Lookup people you know’ feature shouldn’t allow looking up by sensitive data like full phone numbers and email addresses; you can ask user to enter only last four digits for example, along with name to show search result. This way the hacker cannot guess the whole phone number, while the ethical user would still find the person she’s looking for.
Even for authenticated members, the results of the lookup or people profile pages shouldn’t reveal the sensitive data like phone numbers/email addresses, unless the person in question has herself made such information public.

Religiously follow the Zero Trust security principle, for not just incoming requests, but also for the outgoing data especially when your application has some sort of a social feature.

Build Zero Trust thinking for software development

Because Zero Trust is not just an approach; it’s a mindset.

You can also develop this mindset by going through the hands-on tutorials from the Zero Trust Thinking (ZTT) series. ZTT is brought to you by ASPSecurityKit, the first true security framework for ASP.NET and ServiceStack built from scratch on the Zero Trust model.

Leave your email below to receive a notification of new ZTT articles and videos right in your inbox, once every two weeks or so.

← Previous

Need help?

Looking for an expert team to build a reliable and secure software product? Or, seeking expert security guidance, security review of your source code or penetration testing of your application, or part-time/full-time assistance in implementation of the complete web application and/or its security subsystem?

Just send an email to [email protected] with the details or call us on +918886333058.

Related tags

Breach , Scraping , Authentication , Zero Trust , Social

Recent blog posts

7 tenets of NIST's Zero Trust Architecture (ZTA)

Your private Git repository might have been exposed by Azure App Service

Learn about defending your website against Cross-Site Scripting (XSS) input injection by examples in ASP.NET - the Zero Trust Thinking series