In a major breach of privacy, personal details of nearly 533 million Facebook users from more than 100 countries were allegedly leaked online and posted for free on low-level hacking forums, according to multiple sources. The leaked details include names, gender, occupation, marital and relationship status, the date of joining and the place of work of users.
The database, which was first leaked in 2019, was initially being sold on instant messaging platform Telegram for a fee of $20 per search. Facebook had then said that it had patched the vulnerability that had caused the leak. But in June 2020, and then in January 2021, the same database was leaked again. The vulnerability was the same: it allowed users to search for a person’s number. Alon Gal, the co-founder and chief technical officer of cybersecurity firm Hudson Rock, was the first to flag this matter.
In a fresh Twitter post on Sunday, Gal once again shared the details of the leaked database, which contained information mentioned above, and said that if someone had a Facebook account, it was extremely likely that the said details had been leaked. According to the database of the latest alleged leak, details of as many as 5.5 lakh users from Afghanistan, 1.2 million from Australia, 3.8 million from Bangladesh, 8 million from Brazil, and 6.1 million from India had been put up for free on several forums.
Facebook did not respond to a mail seeking comments on the alleged database that was put up for free. The Sunday Express was independently able to verify some of the data from the latest database.
This is the second such instance within 10 days in India where claims of a user database of a company being leaked have resurfaced. Earlier this week on Tuesday, details of as many as 10 crore users of Gurgaon-based mobile payments and digital wallet company MobiKwik had allegedly been leaked and were being sold on the darkweb.
As is the case with the latest Facebook data dump, the said MobiKwik dataset, too, had been in the public domain for over a month. The issue gained prominence on Monday after the so-called data dump was said to be posted for sale on the darkweb. Later, a link with a search bar, where anyone could search if their phone number or email address and other details were present in the data dump, was available on the darknet.
India does not have a robust mechanism for user data protection and penal actions, if any, in cases of data breaches. The Personal Data Protection Bill, which is said to contain provisions dealing with the same, has been pending in Lok Sabha since 2019.
A Joint Parliamentary Committee, which was initially supposed to submit its report on the Bill by March, has sought an extension till the first week of Parliament’s Monsoon session. In the absence of the Bill, the Information Technology Act of 2000 and the rules made in 2011 form a regime of data protection, which several experts have said is inadequate.