“We found and fixed this issue in August 2019,” Facebook spokesperson Andy Stone told CNN Saturday.
However, for many users, information they had on their Facebook profile in 2019, such as phone numbers and birthdays, likely hasn’t changed in the past two years. And that means the data could still be useful to hackers or other bad actors.
“Although this was due to an old breach [and] this is old information, now it’s out there in the public domain,” said Jeff Dennis, partner and head of the privacy and data security practice at law firm Newmeyer Dillion. “Anyone who has basic search skills can now go find that database and exploit it, which was not the case when the data was originally taken.”
Here’s what users should know about how the leaked data could be used, and how to protect themselves.
How could bad actors use the data?
The news of the leak is definitely not good. But it’s also not necessarily a reason to panic.
The truth is that data breaches have, unfortunately, become fairly common for a wide range of online services. So, unless you hardly ever use the internet or mobile apps, it’s likely that much of your personal information is already out there where bad actors could find it.
The types of information exposed in the recent Facebook leak are also not the most useful to hackers, unlike data such as credit card information or social security numbers.
Still, there are a number of ways that bad actors could exploit the leaked information.
“It’s actually very easy to search through this data … in a few seconds, you can easily find anybody’s information that you are looking for,” Thakur said, though in a cache of 533 million records, if someone has a common name, finding their information could become more difficult.
Although the Facebook breach won’t necessarily lead to an increase in the volume of phishing attempts, the fact that so many different types of information about each user are available as a result of this hack could make those attempts appear more credible, and thus more successful.
“It would be very hard, as a user, to see through some sort of phishing campaign when they’re using information that you thought was very private to you, such as information that would be found on Facebook in your bio section,” Dennis said. “Particularly, when you combine it with location information, you can see how bad guys would start to use this information in a very sinister but effective way.”
How to protect yourself
The breach is a reminder that no information users share with online services can ever be absolutely guaranteed to be secure and private.
“As good as our defenses are, the bad guys are continuing to evolve faster than we can protect ourselves and faster than companies can protect the information, so you just need to be aware,” Dennis said. “I wouldn’t put anything on Facebook that you wouldn’t want put in a public database somewhere down the line.”
Affected users, and anyone whose information could have been exposed, should keep their eyes peeled for potential scams or phishing attempts.
A good rule of thumb, according to Thakur: “Only give out your information when you are the one initiating the conversation. If somebody asks you for your social security, your password, your credit card number, even your name, there is no need for you to put it in anywhere … unless you’re the one initiating the conversation or the transaction.”
In other words, if you get a phone call or email from someone purporting to be from your bank, or your doctor’s office, or a company you recently shopped at asking for sensitive information, do not hand it over. Hang up. Then find a trusted phone number for that place — from the back of your credit card, the doctor’s website, or the official email receipt you received from the company — and give them a call to determine if the request was legitimate.