An online report published by CNET on September 4, 2019 identified that at least 419 million records of phone numbers tied with Facebook accounts appeared in databases online. The report was based on the revelation by TechCrunch.
The exposure identified 133 million users from US alone and another 18 million and 50 million records from UK and Vietnam respectively. The flaw as highlighted is Lack of Password protection on the server by Facebook. Records were identified with Demographic details also.
Now the big question, does this impact my privacy and security of my data online (read facebook data too)? Answer to this is pretty simple – if your demographic data and phone number is available example – sex, country and phone number (along with Facebook’s Unique User ID) it is pretty much a compromise of your personal information leaving you vulnerable to certain cyber attacks. The data can also be misused to forge your identity with the modern mechanics of hacking.
This certainly is a big mess here by the team at Facebook to have left a critical server without password, the first baseline defense mechanism to check against unauthorized access. Though the very next day or so Facebook reverted with a statement that the data has been scrapped and is no more exposed to the open web. But from the time that server would have been put in place to the time the data was reported to be exposed and the steps by Facebook to scrap the data, do you think that the data would not have been compromised? In all probabilities it would have been.
Though this is not the first time that such exposure or compromise has been reported. We keep on hearing such cases almost every other day. The corporates accumulate our data for their business benefits and then miss out on the aspects of security to be deployed. As per Facebook, this server probably served the purpose of searching a person on Facebook using the Phone Number of that person. My question here is why should the Phone Number search for Facebook user be activated in the first place? That itself is a breach of privacy and compromise of data that has been provided to a service provider as a security feature for secondary authentication.
Facebook may state that they have this feature of find by phone to be controlled by the user and if user doesn’t want to have this feature on, they can restrict it. Based on this aspect, I had a few discussions with a few facebook users and majority of them (close to 65%) didn’t have an idea that they can control this feature of Search by Phone.
So, the question still looms – “Should Corporates be allowed to Introduce Features that may pose Security and Privacy threats to the users?”