Welcome to our round-up of the latest data breaches, leaks, and privacy intrusions. This week: Facebook’s latest security lapse, Google’s $170 million FTC settlement, and Jack Dorsey’s Twitter account hack.
Facebook Exposed 419 Million Users' Phone Numbers
Facebook has confirmed that more than 419 million records containing users’ phone numbers and Facebook IDs were found exposed this week, the latest in a string of privacy and security lapses by the company this year. The records sat on a server with no password protection, spread across several databases, where anyone who came across the server could read them. Facebook IDs are public, stable numeric identifiers for accounts, so an exposed ID-to-phone-number mapping can be resolved to the owner’s profile name with little effort.
The unprotected server held records for 133 million users in the United States, 18 million in the United Kingdom, and 50 million in Vietnam. It is not clear how long the server was online or who compiled it. Facebook took it down after TechCrunch notified the company, and says that many of the records were duplicates, putting the number of affected users closer to 210 million.
The Guardian reported that the database was most likely compiled by a tool that was disabled in April 2018 in the wake of the Cambridge Analytica scandal. In a statement, a spokeswoman for Facebook said, “This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers.”
Exposed phone numbers are useful to attackers running SIM-swapping attacks. In a SIM swap (also called SIM-jacking), the attacker calls the victim’s mobile carrier, impersonates the victim, and talks a support agent into moving the phone number onto a SIM card the attacker controls. From that point the attacker receives the victim’s calls and text messages, including SMS two-factor authentication codes and account-recovery links, and uses them to “recover” and take over the victim’s accounts. The attack has become increasingly common.
Identity thieves also use phone numbers to obtain additional information on their targets, often through data brokers. In a recent investigation by the New York Times, reporters found that phone numbers “can lead to information from our offline worlds, including where we live and more.” With just a phone number in hand, thieves can easily find out your name, birth date, and home address, as well as the names of your family members, more than enough information to mount a convincing phishing attack.
Jack Dorsey’s Twitter Account Hacked
Speaking of SIM-swapping, Twitter CEO Jack Dorsey’s personal Twitter account was hacked this past weekend by attackers using this same method. The hackers then fired off a round of tweets that ranged from bomb threats to racist messages, although they only had access for a few minutes before the tweets were deleted.
According to a statement posted by Twitter Comms (@TwitterComms) on August 31, 2019: “The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorized person to compose and send tweets via text message from the phone number. That issue is now resolved.”
The company also said it is temporarily turning off the ability to tweet via SMS, citing “vulnerabilities that need to be addressed by mobile carriers and our reliance on having a linked phone number for two-factor authentication.” In other words, the feature treated possession of the linked phone number as proof of identity, and a SIM swap hands that possession to the attacker.
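To make that trust boundary concrete, here is an added example (not Twitter’s, not any carrier’s code; the gateway, the in-app PIN scheme, the account and SIM names are all hypothetical) that models a tweet-by-SMS gateway and a toy carrier. The weak gateway authenticates a message purely by its sender number, so after the carrier ports the number the attacker’s texts are accepted. The hardened gateway treats the number only as a routing hint and requires a PIN the owner set in the app and never received over SMS, so holding the number is not enough.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    handle: str
    phone: str                               # linked mobile number
    posts: list = field(default_factory=list)
    sms_posting_enabled: bool = False
    pin_salt: bytes = b""                    # salted hash of an in-app PIN; the PIN
    pin_hash: bytes = b""                    # itself is never delivered to the phone

    def set_sms_pin(self, pin: str) -> None:
        self.pin_salt = secrets.token_bytes(16)
        self.pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.pin_salt, 100_000)
        self.sms_posting_enabled = True

    def check_sms_pin(self, pin: str) -> bool:
        if not self.pin_hash:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.pin_salt, 100_000)
        return hmac.compare_digest(candidate, self.pin_hash)


class Carrier:
    """Toy carrier (hypothetical): a number belongs to whichever SIM it was last assigned to."""

    def __init__(self):
        self.number_to_sim: dict[str, str] = {}

    def activate(self, number: str, sim: str) -> None:
        self.number_to_sim[number] = sim

    def port_to_new_sim(self, number: str, sim: str) -> None:
        # The SIM swap itself: a support agent was talked into moving the number.
        self.number_to_sim[number] = sim

    def receiver_of(self, number: str) -> str:
        """Which SIM now receives texts (including 2FA codes) sent to this number."""
        return self.number_to_sim[number]

    def originate(self, sim: str, body: str) -> tuple[str, str]:
        """An outbound text as a gateway sees it: (sender number, body)."""
        for number, owner in self.number_to_sim.items():
            if owner == sim:
                return number, body
        raise ValueError("SIM has no active number")


class WeakSmsGateway:
    """Authenticates purely by sender number: the design that fails after a SIM swap."""

    def __init__(self, accounts):
        self.by_phone = {a.phone: a for a in accounts}

    def handle(self, sender: str, body: str) -> bool:
        account = self.by_phone.get(sender)
        if account is None:
            return False
        account.posts.append(body)
        return True


class HardenedSmsGateway:
    """Sender number is only a lookup key; the message must carry the in-app PIN."""

    def __init__(self, accounts):
        self.by_phone = {a.phone: a for a in accounts}

    def handle(self, sender: str, body: str) -> bool:
        account = self.by_phone.get(sender)
        if account is None or not account.sms_posting_enabled:
            return False
        pin, sep, text = body.partition(" ")
        if not sep or not account.check_sms_pin(pin):
            return False
        account.posts.append(text)
        return True


def simulate_sim_swap() -> dict:
    """Run the scenario with constructed data and report which gateway accepted what."""
    carrier = Carrier()
    victim = Account(handle="victim", phone="+15550100")   # constructed sample account
    victim.set_sms_pin("4821")                             # PIN known only to the owner
    carrier.activate(victim.phone, sim="victim-sim")
    weak, hardened = WeakSmsGateway([victim]), HardenedSmsGateway([victim])

    owner_ok = hardened.handle(*carrier.originate("victim-sim", "4821 posted by the owner"))

    carrier.port_to_new_sim(victim.phone, sim="attacker-sim")   # the SIM swap
    codes_go_to_attacker = carrier.receiver_of(victim.phone) == "attacker-sim"
    weak_accepts_attacker = weak.handle(*carrier.originate("attacker-sim", "hijacked tweet"))
    hardened_accepts_attacker = hardened.handle(
        *carrier.originate("attacker-sim", "0000 hijacked tweet"))   # attacker guesses a PIN

    return {
        "owner_ok": owner_ok,
        "codes_go_to_attacker": codes_go_to_attacker,
        "weak_accepts_attacker": weak_accepts_attacker,
        "hardened_accepts_attacker": hardened_accepts_attacker,
        "victim_posts": list(victim.posts),
    }


if __name__ == "__main__":
    print(simulate_sim_swap())
```

The result shows the two halves of the problem: the ported number receives every code the service texts to the victim, and the number-only gateway publishes whatever the attacker sends, while the PIN-bearing gateway rejects it. A short PIN sent by SMS can still be brute-forced, so a real deployment would lock posting after a few failures; the stronger fix is the one Twitter chose, which is to stop treating a phone number as a credential at all.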
To protect yourself from SIM-swapping, call your mobile carrier and ask to place a PIN or passcode on your account so that porting or SIM changes require it. Where a service offers it, also move two-factor authentication from SMS to an authenticator app or a hardware security key, so that a swapped number does not hand over your login codes. Check out Wired’s comprehensive guide for more information on SIM-swapping and how to keep yourself safe.
Google Settles with the FTC for $170 Million Over Children’s Privacy Violations
Google has agreed to pay $170 million in a settlement with the Federal Trade Commission (FTC) and New York Attorney General to end investigations into YouTube’s data collection practices that revolved around data being collected on children without their parents’ consent.
The FTC maintained that YouTube’s collection of children’s data without their parents’ consent violated the Children’s Online Privacy Protection Act (COPPA). This week’s settlement is “by far the largest amount the FTC has ever obtained in a COPPA case since Congress enacted the law in 1998”, the agency said in a statement.
Nevertheless, critics have pointed out how small a number it is for a company of Google’s size. Google raked in $116 billion last year alone. As Jonathan Shieber wrote for TechCrunch, “The Federal Trade Commission has set a price on children’s privacy online and the going rate is $170 million.”
Rohit Chopra, one of the two FTC commissioners who dissented from the decision, wrote on Twitter following the announcement:
The FTC's @YouTube children’s privacy settlement is a giveaway to @Google. The agency repeats mistakes from the flawed Facebook settlement: a penalty that barely bites, no individual accountability, and insufficient fixes to flawed incentives. $GOOG— Rohit Chopra (@chopraftc) September 4, 2019
The FTC even redacted from Chopra’s published dissent the figure for how much Google earns from advertising to children. Chopra went on to say that “@Youtube baited kids with nursery rhymes, cartoons, and more to feed its massively profitable behavioral advertising business. It was lucrative, and it was illegal.”
Moving forward, the settlement “requires Google and YouTube to develop, implement, and maintain a system that permits channel owners to identify their child-directed content on the YouTube platform so that YouTube can ensure it is complying with COPPA”, according to the FTC.
Google and YouTube will also be required to notify channel owners that child-directed content is subject to COPPA, to provide detailed information about their data collection practices, and to obtain “verifiable parental consent” before collecting personal information from children.
Bloom: Take Back Control of Your Data
At Bloom, we are giving you the tools to take back control of your data. No more centralized data storage. No more selling off your data to the highest bidder. No more risking identity theft. Bloom enables you to own, control, and protect your data using the latest advancements in blockchain technology.
It’s time to take back control of your data and unlock the power of a secure, reusable identity today. Download the Bloom mobile app to build a cryptographically secure identity and get free data breach alerts with Radar!