Security researchers at Safety Detectives discovered an open Elasticsearch server containing scraped data related to 12 million Facebook users in Vietnam, which raised concerns over the company’s security measures. The leaked data amounts to as much as 3GB.
According to the researchers, the exposed personal information included full names, email addresses, Facebook usernames and IDs, hometowns and current locations, birth dates, GPS coordinates, profile scores, family relations with other Facebook users, etc. The exposed server was taken down after the researchers reported the breach.
“The data that our research found is on top of what was already found and adds another 12 million records to the list. Many, but not all, of the entries included full details of personally identifying information (PII), stemming from multiple sources – Facebook included. We still do not know who is ultimately responsible for this scrape and how they were able to perform such an extensive and invasive action,” the researchers said in a statement.
Data scraping is the process of extracting users’ personal data from websites. It is a common practice for third-party vendors, web developers, business intelligence analysts, and legitimate businesses to scrape users’ data for market research purposes. Social media companies like Facebook allow users to access third-party websites by using their existing Facebook login information. However, this process can also allow unauthorized users or threat actors to perform malicious activities, including identity theft and financial fraud.
Facebook vs Vietnam
The latest data breach in Vietnam follows a history of Facebook data privacy issues involving Vietnam. In December 2019, an unprotected public database containing over 267 million Facebook user IDs, names, and contact details was left online without password protection. According to researcher Bob Diachenko, the incident occurred due to an illegal scraping operation or Facebook API abuse by cybercriminals in Vietnam. The exposed data was also posted on a hacker forum for download. Earlier, in a similar leaky server incident in 2018, Facebook leaked millions of users’ personal data online. The database contained more than 419 million records of Facebook users across the globe, including more than 50 million records of Vietnamese users.
The government of Vietnam criticized Facebook for violating the country’s cybersecurity laws. It claimed that Facebook allowed users to post anti-government comments on its platform and failed to maintain the norms on managing content, online advertising, and tax liability.
In a similar incident, cybersecurity firm Cyble found hackers selling over 267 million Facebook records for £500 (US$623) on dark web sites and hacker forums. Cyble claimed that the records contain information that could allow attackers to perform spear phishing or SMS attacks to steal credentials.