Major Facebook data leak reveals 1.2 billion user records, hacker claims


A massive database of 1.2 billion user records was scraped from the Meta-owned Facebook by abusing one of the social media platform's application programming interfaces (APIs), attackers claim. Meanwhile, Meta did not deny that the scrape took place.

The humongous database was posted on a popular data leak forum, with attackers claiming that the information is not a compilation of old records, but an entirely new dataset. If confirmed, the scrape could be one of the largest to come from Facebook.

Facebook's parent company Meta responded to Cybernews with a short note and a link to a four-year-old newsroom post titled “How we combat scraping.”


“This is not a new claim. We disclosed this years ago and have taken steps to prevent similar incidents from happening since,” a Meta spokesperson said.

[Image: Attackers' post on a data leak forum. Image by Cybernews.]

Meanwhile, the Cybernews research team investigated a data sample of 100,000 unique Facebook user records that the attackers included in the post. Based on what's in the sample, not the complete dataset, the data appears legitimate.

According to the team, the dataset includes:

  • User IDs
  • Names
  • Email addresses
  • Usernames
  • Phone numbers
  • Locations
  • Birthdays
  • Genders

While the attackers' claims are striking, researchers advise caution about the validity of the “1.2 billion Facebook user records” claim. For one, the post with the supposed Facebook records is only the second that the attackers have ever published.

“Another attacker’s post also included data supposedly scraped from Facebook, but the batch was much smaller. It could be that they posted one post and then managed to scrape more info to reach 1.2B of records,” researchers said.

Stefanie Ernestas Naprys Paulina Okunyte jurgita

If confirmed, the scrape would mark another instance of Facebook user data being scraped en masse. The team believes this raises questions about the company's attitude towards users' personal data security.

“Repeated incidents show a pattern of reactive rather than proactive security measures, particularly when it comes to protecting data that's publicly visible but still sensitive. The lack of stronger safeguards and transparency undermines trust and leaves millions potentially exposed to phishing, scams, possibly identity theft, and long-term privacy issues,” the team said.

Threat actors can find multiple uses for a dataset of that size, as it allows cybercriminals to automate attacks easily, unleashing armies of bots that target every user in the dataset with little manual effort. Knowing that the email addresses in the dataset belong to Facebook users, malicious actors can target them with one of the numerous Facebook phishing scams.

Threat actors often attempt to exploit APIs for nefarious purposes. Earlier this year, attackers targeted the APIs of Shopify, GoDaddy, Wix, and OpenAI. Financially motivated actors often abuse the same technique to break into cryptocurrency wallets.


Most popular services couldn't exist without APIs, which serve as the way different services communicate with each other. However, attackers find ways to use legitimate APIs for nefarious purposes, such as fetching far more data than the API was intended to expose.

Scraping data from Facebook is nothing new. For example, last year, Meta admitted to scraping public Facebook and Instagram data to train its AI virtual assistant.

Meanwhile, in 2021, another attacker posted information such as phone numbers and locations of over 500 million Facebook users. The leak got Meta in trouble, as the European Union's top data privacy regulator, the Irish Data Protection Commission (DPC), fined the company €265 million ($266 million).

Updated on May 22nd [06:10 a.m. GMT] with a statement from Meta.
