
You can search through the stolen data from Facebook. But the Guarantor orders the stop

by admin

Now everyone is curious to know whether a colleague or a neighbour has ended up in the database of data stolen from Facebook. Following an initiative by two young Italians, it became possible to type a mobile number into a search form and link it to the owner's first name and surname. But this cannot be done. The Italian data protection authority has just adopted a warning addressed to everyone offering a search service over the data stolen from Facebook, reminding them that "any other unlawful use of this data is prohibited, such as telemarketing and political 'stalking'". This despite the two young developers having written on Twitter that they had "masked" the phone numbers used for the search.

The project is called HaveIBeenFacebooked? and mimics the better-known HaveIBeenPwned? by Troy Hunt; "pwned", in online gaming jargon, means a defeat (here, the compromise of one's personal data). The initiative, which looked questionable from the outset, could nevertheless seem very useful to Facebook users, given that of the 533 million records in the stolen database it draws on, over 30 million are believed to relate to Italian users: almost all of those registered on the platform who completed their profile with a mobile number, used both for login and for recovering credentials if they are lost.

Knowing whether your phone number is in there, together with other personal data, could help in deciding whether to raise your guard against pranks, scam attempts, stalking and, the greatest danger, impersonation by someone who uses the phone number together with a known first name and surname to take the place of the user. This is the case of "SIM swapping", an attack technique that gives the attacker control of the rightful owner's phone number and lets them break into online services that use that number as an authentication factor, as Repubblica had already written.


by Arturo Di Corinto



The idea of the two Italians, Fumaz and Marco Aceti, is however neither unique nor new. There are other initiatives similar to HaveIBeenFacebooked?, notably the British HaveIBeenZucked?, which also allows searching by name, surname and email. But the data searchable on the two platforms are not the same. And there remains a high risk that, by searching on these services, users hand sensitive data to strangers.

And indeed the intervention of the Italian Privacy Guarantor was not long in coming. In the coming days the board, chaired by professor Pasquale Stanzione, will ask Facebook to launch a support service to help users check whether they have been affected by the breach of their personal data.

How the search engine works

Entering a number that is not in the database into the Italian site's search form makes the system stall: you are left waiting for an answer that never arrives. But if you are "in", the system also returns the initials of your first name and surname, followed by a warning: "Your Facebook profile has been hacked. Your phone number was found among those stolen in the breach. Linked to your phone number, we have identified the following personal data." Below that comes the advice: "This data breach could also be used for stalking and personal harassment. If you feel you are at risk, consider changing your phone number."
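The two problems a practitioner would notice in that description, a lookup that hangs on a miss and a full phone number handed to an unknown server, both have a standard fix. The following is an added example, not the HaveIBeenFacebooked? site's code: it uses the hash-prefix (k-anonymity) range query popularised by HaveIBeenPwned, so the server only ever sees the first few hex digits of a digest, returns every record in that bucket with the name reduced to initials, and the client matches locally. The records, the prefix length and the number normalisation are assumptions made for the demo.

```python
"""Added example (not the HaveIBeenFacebooked? site's code): checking whether
a phone number appears in a leaked dataset without sending the number itself.

Client: hash the number, send only the first PREFIX_LEN hex digits.
Server: return every (suffix, masked name) pair in that bucket.
Client: compare suffixes locally. An absent number yields an explicit None
instead of a request that never completes.
"""
import hashlib
import re
from collections import defaultdict

PREFIX_LEN = 5  # hex digits sent to the server (20 bits), as in HIBP's range API

# Constructed sample records in the shape the article describes
# (phone number, first name, surname). These are invented test data.
SAMPLE_DUMP = [
    ("+39 333 1234567", "Mario", "Rossi"),
    ("+39 347 7654321", "Giulia", "Bianchi"),
    ("+39 320 0000001", "Luca", "Verdi"),
]


def normalize_number(number: str) -> str:
    """Reduce a number to digits in international form, so that
    '+39 333 1234567' and '0039 333 1234567' hash identically (assumed format)."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("00"):
        digits = digits[2:]
    return digits


def hash_number(number: str) -> str:
    """SHA-256 of the normalised number; the client sends only a prefix of this."""
    return hashlib.sha256(normalize_number(number).encode()).hexdigest()


def mask_name(first: str, last: str) -> str:
    """Return initials only, as the site did (e.g. 'M. R.')."""
    return f"{first[0]}. {last[0]}."


def build_index(records):
    """Server side: bucket records by digest prefix. Only the digest suffix and
    the masked name are kept, never the raw phone number or full name."""
    index = defaultdict(list)
    for number, first, last in records:
        digest = hash_number(number)
        index[digest[:PREFIX_LEN]].append((digest[PREFIX_LEN:], mask_name(first, last)))
    return index


def range_query(index, prefix: str):
    """Server side: answer a prefix query with the whole bucket.
    A malformed prefix is rejected instead of silently returning nothing."""
    if len(prefix) != PREFIX_LEN or not re.fullmatch(r"[0-9a-f]+", prefix):
        raise ValueError("prefix must be %d lowercase hex digits" % PREFIX_LEN)
    return list(index.get(prefix, []))


def check_number(index, number: str):
    """Client side: returns the masked name if the number is in the dump,
    otherwise None. The server only ever sees `prefix`, never the number."""
    digest = hash_number(number)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for candidate_suffix, masked in range_query(index, prefix):
        if candidate_suffix == suffix:
            return masked
    return None


if __name__ == "__main__":
    idx = build_index(SAMPLE_DUMP)
    for n in ("+39 333 1234567", "0039 333 1234567", "+39 333 9999999"):
        print(n, "->", check_number(idx, n))
```

Two caveats the design does not remove. Hashing protects the query, not the dump: a phone number has far too little entropy to resist brute force, so anyone holding the leaked records can still hash every plausible number, and the masked index must be treated as sensitive data in its own right. And the bucket size is what makes the query anonymous; on a 686-million-record dump a 20-bit prefix returns roughly 650 candidates, whereas on a tiny sample like the one above a single hit identifies the number, so the prefix length has to be chosen against the real dataset size.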

But before the Guarantor intervened, the lawyer Enrico Ferraris, a privacy expert, had told us: "Without wishing to question the developers' good faith, it seems to me that they have not paid due attention to the site's implications for personal data protection. It is not clear how the data entered by the user (the telephone numbers) is processed, on what basis, for what purpose, where it is stored and for how long, since there is no privacy policy. As for the data against which the comparison is made (i.e. those in the leaked compilation), the fact that they have been unlawfully made public does not legitimise processing, which must in any case rest on one of the legal bases provided for by the European privacy law, the GDPR."

The database, previously sold, became free in April

We do not know whether HaveIBeenFacebooked? draws on the same database that is now circulating for free on various forums. In fact, as Repubblica reported two months ago, the overall dump (the jargon term for a copy of the data piled up in the database), which was first 370 million records and then 533 million, is said to have now reached the monstrous size of 686 million records. The other news is that the database was made available for free for a few hours, no longer for a fee, on the same site that had initially published the compilation of profiles.

At the beginning of the year each record could be bought for about $20, privately, even using a chatbot to haggle over the "goods": in short, you could buy the individual Facebook profile of your wife, lover, friend or boss, complete with first name, surname, occupation, geographic location and Facebook group memberships.

What can happen now

The trouble is that the database, in various sizes, has been published on many online platforms. And from now on anyone can do so, not just the cybercriminals who typically sell stolen data for profit. In the past, giving stolen data away served to boost the reputation of the individual seller once the information had already been exploited for phishing, to strengthen collaborative ties, but also to mislead the police by polluting the traces that could lead back to the original authors of the exfiltration. Because, as the lawyer Enrico Ferraris noted, this is not a real data breach but a harvesting of data that exploited a feature of Facebook's software in an unintended way. And Facebook has repeatedly stated that it already fixed the problem in 2019.

The responsibility of Facebook

So, as Ferraris explains: "From the point of view of privacy by design it would be interesting to understand whether the security measures Facebook implemented to prevent mass indexing of data by enumerating mobile numbers were adequate." None of this explains why the count went from 533 million records to 686 million. We can hypothesise that once a stolen database finds its way onto the black market for data, it can be trimmed or padded to give the impression that it is new and different, so that it can go on being resold or traded.
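Ferraris's question, whether the measures against enumerating mobile numbers were adequate, is the kind a detection engineer can make concrete. The following is an added example and not Facebook's code: it assumes a hypothetical request log for a contact-import style endpoint (timestamp, client id, numbers uploaded), with constructed lines, and flags clients that behave like enumerators on two signals that a genuine address-book upload does not show: far too many distinct numbers per time window, and numbers forming long consecutive runs. The thresholds are demo values.

```python
"""Added example (not Facebook's code): spotting bulk phone-number enumeration
against a contact-import style endpoint from constructed request logs.

Log line format (assumed): "<ISO timestamp> <client id> <comma-separated numbers>"
Signals: (1) distinct numbers per client within WINDOW exceed MAX_DISTINCT_PER_WINDOW;
         (2) the numbers contain a run of at least MIN_RUN consecutive values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
WINDOW = timedelta(hours=1)
MAX_DISTINCT_PER_WINDOW = 20  # demo value; a real limit would be tuned per product
MIN_RUN = 4                   # consecutive numbers that look like a counter, not a contact list


def constructed_log():
    """Invented log lines for the demo; real lines would come from the endpoint.
    user_a: a normal upload. user_b: walks a contiguous block of numbers.
    user_c: many numbers, spread out, no contiguous runs."""
    base = datetime(2021, 4, 3, 10, 0, 0)
    lines = [f"{base.strftime(TIME_FMT)} user_a 393331234567,393477654321,393200000001"]
    for i in range(5):
        nums = ",".join(str(393200000100 + 10 * i + j) for j in range(10))
        lines.append(f"{(base + timedelta(seconds=i + 1)).strftime(TIME_FMT)} user_b {nums}")
    for i in range(5):
        nums = ",".join(str(393400000000 + 7 * (5 * i + j)) for j in range(5))
        lines.append(f"{(base + timedelta(minutes=i + 1)).strftime(TIME_FMT)} user_c {nums}")
    return lines


def parse(line: str):
    """Split one log line into (timestamp, client id, list of numbers)."""
    ts, client, numbers = line.split(" ", 2)
    return datetime.strptime(ts, TIME_FMT), client, numbers.split(",")


def longest_consecutive_run(numbers) -> int:
    """Length of the longest run of numerically consecutive values."""
    values = sorted({int(n) for n in numbers})
    if not values:
        return 0
    best = run = 1
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect_enumeration(lines, max_distinct=MAX_DISTINCT_PER_WINDOW,
                       window=WINDOW, min_run=MIN_RUN):
    """Return {client: [reasons]} for clients whose uploads look like enumeration.
    Events are processed in time order with a sliding window per client."""
    events = sorted((parse(line) for line in lines), key=lambda e: e[0])
    seen = defaultdict(list)  # client -> [(timestamp, number)] inside the window
    alerts = {}
    for ts, client, numbers in events:
        seen[client].extend((ts, n) for n in numbers)
        seen[client] = [(t, n) for t, n in seen[client] if ts - t <= window]
        distinct = {n for _, n in seen[client]}
        run = longest_consecutive_run(distinct)
        reasons = []
        if len(distinct) > max_distinct:
            reasons.append(f"{len(distinct)} distinct numbers in {window}")
        if run >= min_run:
            reasons.append(f"consecutive run of {run} numbers")
        if reasons:
            alerts[client] = reasons
    return alerts


if __name__ == "__main__":
    for client, reasons in detect_enumeration(constructed_log()).items():
        print(client, "->", "; ".join(reasons))
```

The consecutive-run check is the cheaper and more specific of the two signals: an attacker can spread a scrape over many accounts to stay under any per-client volume limit, but a contact list that counts upwards in steps of one is not something a real address book produces. Either signal on its own should throttle or challenge the client rather than block it outright, since the volume threshold will catch some legitimate bulk imports.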

But the stolen data is not on the dark web

The fact remains that all these stolen databases are like apples on a tree, just waiting to be picked. The "hacker" forum where the database stolen from Facebook was initially announced and put up for sale is not on the dark web, as one might think, but on an ordinary site hosted on the clear web, the open web, and it can be found with keywords typed into a common search engine, from Google to Qwant.

In short, the problem is old, it has not been solved, and from now on it will be necessary to watch what and how much other data gets associated with the over 30 million profiles. As the Guarantor says in its press release, "The Authority also urges all users affected by the breach to pay particular attention in the coming weeks to any anomalies connected to their phone lines, such as, for example, the sudden loss of signal in places where the mobile phone normally has good reception. Such an event could be the sign that a criminal has stolen our phone number to use it for fraudulent purposes."


