Facebook is downplaying the significance of a data breach that saw the personal information of 533 million of its users accessed online, saying the information is old and the vulnerability that was exploited was closed almost two years ago.
Information included names, phone numbers, locations, birth dates, email addresses and other identifying details. No financial or payment information was accessed, Facebook said.
In a statement on its website Tuesday the social media giant said the information was gathered via a vulnerability the company fixed almost two years ago, and disputed that it was a hack.
Data scraped, not hacked: Facebook
“It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019,” said product management director Mike Clark.
Scraping refers to the act of gathering information that is already out there but somewhat hidden on public databases.
The company said whoever collected and assembled the data did so by abusing the contact importing service, which allows users to find other people in their network on Facebook.
Facebook said whoever did it seems to have uploaded a large set of phone numbers to see which ones matched Facebook users.
David Masson, director of enterprise security at cybersecurity firm Darktrace, says the information has likely been out there and spread widely for a while, before being outed recently.
“It’s been on the Web for quite a while, probably for sale to people,” he said. “But now somebody’s just offered it up for free.”
Building a profile
Greg Wolfond, CEO of data security firm SecureKey, said that in a vacuum, much of the information taken can seem innocuous and harmless, but when taken together can be very dangerous.
“What the hackers do is they try and get little bits of data about you in this case something like your phone number,” he told CBC News in an interview. They can then combine that with other bits of information — an address, a full name — and start building a profile.
What’s most dangerous is once they have gathered enough to attempt to gain access to a cellphone account. With the right combination of information, a telecom company may allow someone walking in to port the account number to a new phone.
Cybersecurity expert David Masson with Darktrace says Facebook users shouldn’t assume the company’s size and scope make them better at fending off attacks. (Darktrace)
“They take over your phone, and within minutes of taking over your phone, they’re trying to get into your bank account, to get into your Facebook account, your Google account, whatever you use that phone as your recovery for,” he said.
Typically, consumers are urged to fight data theft by doing things like changing passwords frequently, and making the complex. But those things are of little use when companies claim the right to reams of data about their users, and promise to keep it safe.
“Empowering individuals to share their data and putting a responsibility on parties that have the data to keep it secure,
is super important,” he said.
Not Facebook’s first user-info incident
Although the company is downplayed in the incident, it is far from the company’s first misstep with user info.
In 2018, the social media giant disabled a feature that allowed users to search for one another via phone number following revelations that the political firm Cambridge Analytica had accessed information on up to 87 million Facebook users without their knowledge or consent.
In December 2019, a Ukrainian security researcher reported finding a database with the names, phone numbers and unique user IDs of more than 267 million Facebook users — nearly all U.S.-based — on the open internet.
Spark15:32Digital security expert shares tips on how to protect your data while working remotely
During the COVID-19 pandemic, we are spending more of our time at home online than ever before – and according to Citizen Lab’s John Scott-Railton, this makes us vulnerable to privacy and security threats. 15:32
Facebook says it will “continue aggressively go after malicious actors who misuse our tools,” and touted its dedicated team focused on this work” but Masson says users shouldn’t make the mistake of assuming that the company’s size and scope somehow make them better equipped to keep user data safe.
“It doesn’t matter how big or sophisticated you are, they can be attacked,” he said.
Like many breaches, this one was only discovered long after the fact, and that’s because the technology company’s use isn’t keeping up with the ones the hackers are using.
“There are better technologies that actually work on what happens once the bad guys get inside your network rather than when they’re banging on the door outside. So people [have] got to realize this will happen again.
TORONTO – Restaurant Brands International Inc. reported net income of US$357 million for its third quarter, down from US$364 million in the same quarter last year.
The company, which keeps its books in U.S. dollars, says its profit amounted to 79 cents US per diluted share for the quarter ended Sept. 30 compared with 79 cents US per diluted share a year earlier.
Revenue for the parent company of Tim Hortons, Burger King, Popeyes and Firehouse Subs, totalled US$2.29 billion, up from US$1.84 billion in the same quarter last year.
Consolidated comparable sales were up 0.3 per cent.
On an adjusted basis, Restaurant Brands says it earned 93 cents US per diluted share in its latest quarter, up from an adjusted profit of 90 cents US per diluted share a year earlier.
The average analyst estimate had been for a profit of 95 cents US per share, according to LSEG Data & Analytics.
This report by The Canadian Press was first published Nov. 5, 2024.
ST. JOHN’S, N.L. – Fortis Inc. reported a third-quarter profit of $420 million, up from $394 million in the same quarter last year.
The electric and gas utility says the profit amounted to 85 cents per share for the quarter ended Sept. 30, up from 81 cents per share a year earlier.
Fortis says the increase was driven by rate base growth across its utilities, and strong earnings in Arizona largely reflecting new customer rates at Tucson Electric Power.
Revenue in the quarter totalled $2.77 billion, up from $2.72 billion in the same quarter last year.
On an adjusted basis, Fortis says it earned 85 cents per share in its latest quarter, up from an adjusted profit of 84 cents per share in the third quarter of 2023.
The average analyst estimate had been for a profit of 82 cents per share, according to LSEG Data & Analytics.
This report by The Canadian Press was first published Nov. 5, 2024.
TORONTO – Thomson Reuters reported its third-quarter profit fell compared with a year ago as its revenue rose eight per cent.
The company, which keeps its books in U.S. dollars, says it earned US$301 million or 67 cents US per diluted share for the quarter ended Sept. 30. The result compared with a profit of US$367 million or 80 cents US per diluted share in the same quarter a year earlier.
Revenue for the quarter totalled US$1.72 billion, up from US$1.59 billion a year earlier.
In its outlook, Thomson Reuters says it now expects organic revenue growth of 7.0 per cent for its full year, up from earlier expectations for growth of 6.5 per cent.
On an adjusted basis, Thomson Reuters says it earned 80 cents US per share in its latest quarter, down from an adjusted profit of 82 cents US per share in the same quarter last year.
The average analyst estimate had been for a profit of 76 cents US per share, according to LSEG Data & Analytics.
This report by The Canadian Press was first published Nov. 5, 2024.
