We all know that there are people impersonating others in social media, but what we may not familiar with is the number. The record shows that it is over 1 billion profile had been leaked by hackers mostly targeted Facebook’s and LinkedIns’ profiles in 2019. The leaked information may also include names, email addresses and phone numbers, which results Robert Prigge, the president of Jumio, to strengthen the Domain-Based Message Authentication (DBMA). This happened with the help of Tinay Toria, a dark web researcher, as he discovered that the unprotected servers where 4 terabytes of personal information were taken. That includes 50 million of phone numbers and 622 million emails.
According to Bob Diachenko who was also involved in the research, the exposed data where not even protected by a password. But left for the public to download in a hacker forum. They were not able to identify the person who did it, but they found out they are associated with two different data enrichment companies.
Some Big Social Media Names
According to Anurag Kahol, CTO, Bitglass, the Facebook Incident illustrates how susceptible social media platforms are. He stated that, “Social media platforms are lucrative targets for cybercriminals due to the massive amounts of personally identifiable information that they collect and store from users. In fact, the data exposed in this incident was found on a dark web forum, leaving the affected consumers highly vulnerable to targeted phishing and credential stuffing attacks, account hijacking, and more.”
A lot of us may not be familiar with how data enrichment companies do their work, so I would like to explain it a little. What they do is that they give a single information about a person. Such as email/phone number in exchange of money. This may not seem a lot, but one email or a phone number can provide further information, such as home address, age, hobbies or any more information about the person that are registered in the company.
According to Data Viper, the suspected data enrichment companies are People Data Lab (PDL) and OxyData.LO (OXY). Surprisingly, both companies are still functioning till this day, and running with a license to sell people’s personal information. Let’s get into them and analysis each separately.
Social Media Leaks
The first suspect enrichment company is People Data Lab (PDL) that enriches resume, contact information, social media, and more all mailed to you or given a hard drive for a certain a amount of money. It has over 1.5 individual’s information and that includes 260 million people in the US. Over 422 Million, 420 LinkedIn URLS, over 1 billion Facebook URLS and ids, and 400 million phone numbers.
In the main page, they offer 1000 profiles for free. However, the catch is that you have to add your personal information, which may include your address, company name, phone number, email, and creating a password. That got me wondering; would my information be given in the list if I ever signed up to get the free profile information. It does not state that at all.
However, let’s take a look at Troy Hunt’s case, and you can be the judge whether to trust giving them your personal information or not. Mr. Hunt received an email from Vinny Toria that has the enriched information, and he was surprised that his name is on the list. He had never heard of the company’s name before nor gave a consent to use his information. It appeared that they took his email, phone number, and other personal information from LinkedIn. To define this breach, a worker ,AKA Lily Hay Newman, published an article. It states the breach was not from PDL, but from a subscriber, which causes the personal information to be exposed. In response, Mr. Haunt argues that this does not change the fact that they give our personal information for free without our consent.
Business Profiles Data Leak
The second enriched company is OxyData.LO (OXY). It is the same story as PDL. They have over 380 million business profiles and to contact them you need to add your personal information. With that being said as soon as you add your personal information, one more person is added to the list, which that be you. Although, the agreement for OxyData states that your information should be secured and cannot be used by an outside source. However, once the information is being leaked nobody including them, you, and I can do anything about it.
Therefore, a new approach of security should be taken, and this massive breech should be taken seriously. I believe the government should take a different measure of security and guideline to handle this situation. Once our information are being leaked to the public, they can be used for personification, identify theft. Which can lead to reputation damage, financial loss, current of businesses, and legal ramifications.
What kind of guidelines or security do you think the government should take in order to handle such a cybercrime?