Everyone’s social media platforms are leaking data lately. But why?
It won’t have escaped your notice that a lot of people’s data has suddenly gone missing, appearing on underground hacking forums either for free, or for a price. To many, these databases of millions of people’s data are serious business – they’re dangerous vulnerabilities and the unveiling of information that people trusted major apps and services to keep safe.
The companies behind them profess that they aren’t the victims of a hack, but instead victims of scraping or leaking. That’s why, in some instances, organisations haven’t informed their users proactively. It’s a torrid time to be a social media user online – but what’s happened in each of the high profile social media leaks lately, and what are the risks to users?
When 533 million Facebook users’ names, phone numbers and emails appeared on a hacking forum earlier this month, people were confused. The information appeared to be new, and at first those watching the news develop couldn’t figure out where the masses of data came from. But they knew it was a problem: the data was from users in 106 different countries, including 32 million Americans and 11 million Britons. The company said in a blog post that the data had been scraped from Facebook prior to September 2019, and that Facebook wasn’t the victim of a hack.
"Scraping is a common tactic that often relies on automated software to lift public information from the internet that can end up being distributed in online forums like this," Mike Clark, Facebook's director of product management, wrote.
But that’s largely semantics.
The data was still exposed without people initially knowing about it, and its existence out in the world means that people are at risk of having their data used to launch phishing attacks – of which there already appears to be early evidence.
An equally large number of accounts from LinkedIn soon followed. An archive of more than half a billion people’s user data was offered for sale on a hacker forum, purportedly taken from LinkedIn. To entice buyers to pay for the data, which the seller was offering for at least a four-figure sum, the hacker had already shared two million users’ records as a teaser for the full set.
Yet LinkedIn was quick to respond to the allegations that it had fallen victim to a hacking attack, saying that it, too, had not suffered a hack. Instead, the company said in a statement: “This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review.”
Rather, LinkedIn says that the data that is out there is an agglomeration of data available on third party websites and through other companies that offer access to LinkedIn information. It is, the firm attests, “an aggregation of data from a number of websites and companies.” Nonetheless, the information leaked includes full names, emails, phone numbers and links to other profiles – enough information for cyber criminals to launch dangerous attacks.
Shortly after came the news that Clubhouse, the trendiest hot new app, had also suffered a similar breach. In this instance, 1.3 million user records that had been, like the Facebook and LinkedIn issues, scraped from the app’s servers rather than “hacked,” were leaked online for free.
“Clubhouse has not been breached or hacked,” the company said in a tweet. “The data referred to is all public profile information from our app, which anyone can access via the app or our API.”
That attempt to downplay the severity of the issue backfired: CyberNews senior information security researcher Mantas Sasnauskas revealed that this actually meant Clubhouse had a major privacy issue.
“The way the Clubhouse app is built lets anyone with a token, or via an API, query the entire body of public Clubhouse user profile information, and it seems that token does not expire,” Sasnauskas says. “Having no anti-scraping measures in place can be seen as a privacy issue.” CyberNews reached out to Clubhouse for a response, but has not yet heard back.
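The anti-scraping measure Sasnauskas describes as missing can be approximated on the server side by watching access logs for a single API token that walks through many distinct profiles in a short window, especially in consecutive ID order. The following is an added illustration written for this article, not code from Clubhouse, CyberNews or any of the companies named; the log format, the endpoint path and the sample lines are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines for a hypothetical profile-lookup endpoint.
# Format (assumed): <ISO timestamp> <api token> <method> <path ending in numeric profile id>
SAMPLE_LOG = """\
2021-04-20T10:00:01Z tok_scraper GET /api/v1/profile/1001
2021-04-20T10:00:02Z tok_scraper GET /api/v1/profile/1002
2021-04-20T10:00:03Z tok_scraper GET /api/v1/profile/1003
2021-04-20T10:00:04Z tok_scraper GET /api/v1/profile/1004
2021-04-20T10:00:05Z tok_scraper GET /api/v1/profile/1005
2021-04-20T10:00:06Z tok_scraper GET /api/v1/profile/1006
2021-04-20T10:00:10Z tok_normal GET /api/v1/profile/4821
2021-04-20T10:00:40Z tok_normal GET /api/v1/profile/77
2021-04-20T10:05:00Z tok_normal GET /api/v1/profile/4821
"""


def parse_line(line):
    """Split one log line into (timestamp, token, profile_id)."""
    ts, token, _method, path = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), token, int(path.rsplit("/", 1)[1])


def detect_scraping(log_text, window=timedelta(seconds=60), max_distinct=5):
    """Flag any token that fetches more than max_distinct distinct profiles
    inside a sliding time window. For each flagged token, also report whether
    the profile IDs were requested in strictly consecutive ascending order,
    which is the signature of bulk enumeration rather than normal browsing."""
    per_token = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, token, pid = parse_line(line)
            per_token[token].append((ts, pid))

    flagged = {}
    for token, events in per_token.items():
        events.sort()  # order by timestamp so the sliding window is well defined
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop requests that fell out of the window
            ids = [pid for _, pid in events[start:end + 1]]
            if len(set(ids)) > max_distinct:
                sequential = all(b == a + 1 for a, b in zip(ids, ids[1:]))
                flagged[token] = {"distinct_profiles": len(set(ids)), "sequential_ids": sequential}
                break  # one verdict per token is enough
    return flagged
```

A token flagged this way is a candidate for throttling or revocation; the thresholds are illustrative and would be tuned against a real service's normal traffic.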