
  • Facebook and LinkedIn recently suffered data incidents that led to personal information like full names, emails and phone numbers being posted in identity marketplaces where cybercriminals buy and sell data.
  • While some have called the recent data leaks “data breaches,” technically and legally they are not, at least in the U.S. Rather, the data was copied using a legitimate and legal technique called “scraping.”
  • Even though these events are not data breaches, the Identity Theft Resource Center (ITRC) is creating an additional category of identity data compromises called “data leaks” to keep track of and report these kinds of events.
  • The Facebook and LinkedIn data leaks serve as good reminders to never post information online that you wouldn’t want people you don’t know or trust to see.
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. 
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

Data Breaches, Exposures, and Leaks! Oh, My!

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for April 23, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. In the movie version of The Wizard of Oz, Dorothy Gale of Kansas, along with the Scarecrow and Tin Man, is following the Yellow Brick Road through a dark and scary forest on the way to the Emerald City. They fear that wild animals are present as they chant “Lions…and Tigers…and Bears! Oh, my!” just before they meet the Cowardly Lion. Apply that principle to data security, and you get the title of today’s episode – “Data Breaches, Exposures, and Leaks! Oh, My!”

Facebook and LinkedIn’s Recent Data Leaks

People may have seen media coverage about the recent data leaks at Facebook and LinkedIn. Personal information like full names, emails and phone numbers posted to user profiles were found in the identity marketplaces where cybercriminals buy and sell data.

In the case of Facebook, which would be the third-largest country in the world behind China and India if it were a nation-state, the information on some half-a-billion people was exposed. Approximately 30 million live in the U.S. An even larger number of LinkedIn users were impacted by a similar event. To date, 837 million profiles have been exposed.

Facebook and LinkedIn Events Not Considered Data Breaches

These two recent data leaks have created quite the controversy in data privacy and security circles. People may have noticed that the ITRC has not referred to these events as data breaches. It’s because they technically and legally are not, at least under U.S. law. European Data Protection authorities have launched an investigation into both companies for potential violations of privacy laws. However, in the U.S., it’s a lot more complicated.

If you are a Facebook or LinkedIn user, you voluntarily provide the information posted to those and other social media websites. The companies try to limit the ability to copy users’ data. However, depending on how you configure your privacy settings, that information is, in fact, available for viewing by anyone. And if it can be seen, it can be misused.

Facebook and LinkedIn Suffered “Scraping”

There is a legitimate technique known as “scraping,” where companies copy large amounts of information that otherwise would require manual entry into a database. It is perfectly legal and typically involves getting permission and being transparent about how the data is used.

There are still some grey areas when it comes to private information being posted publicly on websites. In fact, there is a case pending before the U.S. Supreme Court directly on this question of copying information from LinkedIn. Lower courts have said publicly posted information is fair game for scraping even if LinkedIn’s terms and conditions say it is not.

Facebook and LinkedIn Events Fall Between the Cracks of Current Laws

What makes the recent data leaks at Facebook and LinkedIn so troubling is that they fall between the cracks of existing laws. If a criminal gained access to a company’s customer records that included names, addresses, phone numbers and email addresses, that would be a crime and considered a data breach.

Copying the same information posted voluntarily and publicly is not considered illegal today. Also, the current laws did not envision the ability to copy millions of unrelated records and combine them into a single database that could be used to commit identity fraud.

The ITRC to Create “Data Leak” Category of Identity Data Compromises

Even though these recent data leaks are not data breaches, the ITRC is creating an additional category of identity data compromises to keep track of and report these kinds of events. We’re going to call this new category “data leaks.”

It is also a good time to issue a reminder. Be careful what you post online. If you don’t want people you don’t know or trust to see your private information, don’t post it online.

Contact the ITRC

If anyone has questions about keeping their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics. 

If someone thinks they have been the victim of an identity crime or a data breach – like the recent data leaks – and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started. 

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.

  • The data of 533 million Facebook users has been published on a low-level hacker forum.
  • The information is believed to have been copied in 2019 or earlier from Facebook user pages and includes phone numbers, Facebook IDs, full names, birthdates, bios and email addresses.
  • The leaked data could help cybercriminals commit different forms of phishing attacks and other social engineering-based identity scams.
  • LinkedIn also recently suffered a similar attack, affecting over 500 million users and exposing user IDs, names, email addresses, phone numbers, professional titles and other work-related data.
  • The LinkedIn and Facebook data leaks are a great reminder to be careful what you share online. All of the information that was copied from LinkedIn and Facebook and ended up in cybercriminal markets was willingly posted by users. If you don’t want to see the data in a hacker forum, don’t post it online.
  • To learn more, or if you believe you are a victim of identity theft, contact the Identity Theft Resource Center toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.

A recent Facebook data leak resulted in the personal data of more than 500 million users being copied (an often-legal process known as scraping) and later posted on a hacker forum. A similar attack happened with LinkedIn, leaving users to wonder what they could have done to prevent their personal information from being copied by data thieves. While the data was scraped from Facebook in 2019 because of a software flaw that the company says was patched the same year, the incident serves as a good reminder to be careful what you share online.

What Happened

According to Business Insider, a user in a low-level hacking forum scraped the phone numbers and personal data of 533 million Facebook users in 109 different countries – enough people to qualify as the third largest nation on Earth. The data file, published in a forum where identity information is bought and sold, includes more than 32 million records on users in the U.S. Information exposed in the Facebook data leak includes phone numbers, Facebook IDs, full names, birthdates, bios and email addresses.

What Does This Mean for You?

The scraped data from the LinkedIn and Facebook data leaks could help cybercriminals commit different forms of identity fraud, including phishing attacks and scams that require social engineering to convince you to give up even more personal information. Users should be on the lookout for phishing schemes or fraud using their own data.

Be Careful What You Share Online

While there is not a lot that Facebook and LinkedIn users can do to protect themselves from the latest incidents now, it is a great reminder to be careful what you share online to help prevent future identity fraud. The data thief did not gain access to the systems and steal private data. Instead, they copied (or scraped) information that people willingly posted on their own profiles and combined the information in a database that can be bought, sold or shared in criminal marketplaces.

If you post enough information about yourself online, hackers can connect the dots about your life, relatives and friends to commit identity fraud by pretending to be you. Be careful what you share online, including what you write in your posts and include in your profile. Also, check your privacy settings to ensure you are not sharing personal information with people you do not know or trust. A good rule of thumb is, “If you don’t want to see the data in a hacker forum, don’t post it online.”

Contact the ITRC

If you believe you were the victim of the latest Facebook data leak and want steps on how to protect yourself, or if you want to learn more about how to be careful what you share online, contact us. You can reach a contact advisor toll-free by phone (888.400.5530) or live-chat. You can find the latest resources on an array of identity-related topics. Just visit www.idtheftcenter.org to get started.