The national cybersecurity agency CERT-In has issued an advisory asking Facebook users to secure their account information after a data leak that has affected around 6.1 million Indians. The exposed information includes email address, profile ID, full name, occupation, phone number and date of birth. According to Facebook, the scraped data does not include financial information, health information or passwords. However, information from more than 450 million unique Facebook profiles globally, including approximately 61 lakh (6.1 million) Indian individuals, has been posted for free on multiple cybercriminal forums, CERT-In said.
Facebook says that, based on its investigation to date, threat actors scraped this data before September 2019 by abusing Facebook's "Contact Importer" feature, which allowed users to find other users by their phone numbers. Although Facebook says it modified the feature in 2019 to thwart this type of abuse, the phone numbers of 450 million users worldwide, along with other identifying information, had already been harvested by then, CERT-In added.
Web scraping refers to the process of using automated software, scripts or bots to harvest public information from sites, such as any information users make publicly available on their profiles (name, city, occupation, etc.). Cybercriminals may scrape data from sites for a variety of purposes, including spamming, information gathering and social engineering attacks. They can also sell scraped data for a profit to other cybercriminals, marketing companies or call centres.
Users are encouraged to follow good cyber hygiene to safeguard themselves. Facebook advised users to make sure that their privacy settings reflect what information they want to share publicly and who should be able to look them up by phone number; it also recommends enabling two-factor authentication (2FA), CERT-In added.
Some of the other recommendations include:
> Change profile information in your Facebook privacy settings: Visit https://www.facebook.com/me/
> Review your account privacy settings and permissions, and adjust your privacy settings as needed.
> Be vigilant about phishing attempts. Always be wary of suspicious emails and verify before clicking any links or downloading any attachments, especially if the email comes from an unfamiliar sender.
> Verify a link in an email/SMS by checking the domain name of the site: hover the mouse over the link to ensure that it actually leads to the Uniform Resource Locator (URL) shown. Turn on login alerts, if available.
> Change your passwords regularly, and use a strong password that includes upper case, lower case, numbers and/or special characters.
> Limit sharing of personal information online as threat actors commonly look for and use such personal information for targeted phishing.