Did you know that cybercriminals can scan an entire population, even at the country level, to find their targets? This is a claim made by a security research firm, Salt Agency. It recently worked out how hackers exploit an overlooked Facebook setting to gather users' personal data, and the affected user never knows about it.
How Hackers Steal Facebook Data
If you have ever reviewed your Facebook privacy settings at https://www.facebook.com/settings?tab=privacy&section=findphone&view, you will have seen the setting “Who can look me up?” or “Who can look you up using the phone number you provided?”, which is set to “Everyone” by default.
Small changes to these settings make a big difference to your privacy. So how do hackers take advantage of these overlooked settings?
Salt Agency showed how, with a simple trick, they were able to link thousands of phone numbers to Facebook accounts.
This is a security flaw in Facebook that lets attackers gather the Personally Identifiable Information (PII) of millions of Facebook users, including first and last names, locations, images and more, starting from nothing but a phone number.
The security firm used a script to generate candidate phone numbers by combining every valid number combination used in the US, Canada and Britain.
With millions of candidate phone numbers in hand, they queried them through Facebook's Application Programming Interface (API), which is freely available at developers.facebook.com; anyone can obtain API access by registering as a developer. Each phone number that matched an account returned the Facebook user ID of the associated user.
Once they have a user ID, they can use the API to extract more information about the user, such as:
- First and Last Name
- Phone number (which they already have)
- Profile Picture
- The phone model they use
- The version of the Facebook app they are using
- Whether push notifications are enabled
Here is the firm's own statement on this security flaw:
“With this security loophole, a person with the right knowledge can harvest the non-private details of the users who allow public access to their phone numbers, enabling the harvester to then use or sell the user details for purposes that the user may not be happy with.”
This flaw has so far allowed hackers to steal information from 1.5 million Facebook users. The security firm alerted Facebook to the issue and asked it to change the API by turning on pre-encryption.
Yet Facebook has not taken any action to fix the flaw, leaving millions of users' identity data exposed to hackers. Facebook does not appear concerned about fixing it, as it does not believe anyone could exploit or abuse the vulnerability.
However, the Facebook security team did state that it continuously monitors for attempts to abuse the API and mitigates them. It also said that it enforces strict rules on how developers may use its APIs and restricts usage as soon as someone breaks those rules.
How to Stop Hackers from Stealing Your Identity Details from Facebook
Until Facebook makes changes to prevent such abuse, you can do your part to stop it right now. Here are a few steps to protect your privacy:
- Set your phone number's privacy to “Only Me”:
- Go to Your Profile > About > Contact and Basic Info, and click your mobile phone number.
- Click the gear icon just below the phone number and select “Only Me.”
- A second change is needed in the privacy settings at https://www.facebook.com/settings?tab=privacy&section=findphone&view: change “Who can look me up?” or “Who can look you up using the phone number you provided?” from “Everyone” to “Friends” only.
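To make the two defences discussed above concrete (the per-user “Who can look you up” setting, and the API-side abuse monitoring Facebook describes), here is an added toy lookup service. It is constructed for this article, not code from Salt Agency, Facebook or the original post; the users, phone numbers, API shape and thresholds are all assumptions.

```python
# Added example (constructed; not code from Salt Agency, Facebook or the article).
# A toy phone-number lookup API that honours each user's "Who can look you up"
# setting and cuts off API keys whose query pattern looks like bulk guessing.
from collections import defaultdict

# Constructed sample directory. "lookup" mirrors the Facebook setting values
# discussed in the article: "everyone" (the default), "friends" or "only_me".
USERS = {
    "+15550000001": {"id": 1001, "lookup": "everyone", "friends": {1002}},
    "+15550000002": {"id": 1002, "lookup": "friends", "friends": {1001}},
    "+15550000003": {"id": 1003, "lookup": "only_me", "friends": set()},
}


class LookupService:
    """Resolves phone numbers to user IDs the way a privacy-respecting
    lookup endpoint should, with a simple abuse heuristic per API key."""

    def __init__(self, min_sample=10, min_hit_rate=0.2, max_queries=50):
        self.min_sample = min_sample      # queries before the hit-rate check applies
        self.min_hit_rate = min_hit_rate  # below this ratio the caller is guessing numbers
        self.max_queries = max_queries    # hard per-key budget for this toy window
        self.stats = defaultdict(lambda: {"queries": 0, "hits": 0})
        self.blocked = set()

    def is_blocked(self, api_key):
        return api_key in self.blocked

    def lookup(self, api_key, caller_id, phone):
        """Return the user ID for `phone`, or None when the user is not
        visible to `caller_id` or the key has been cut off."""
        if api_key in self.blocked:
            return None
        user = USERS.get(phone)
        visible = user is not None and (
            user["lookup"] == "everyone"
            or (user["lookup"] == "friends" and caller_id in user["friends"])
        )
        s = self.stats[api_key]
        s["queries"] += 1
        s["hits"] += int(visible)
        # Enumeration heuristic: a legitimate contact-sync caller resolves numbers it
        # already knows, so most queries hit; a caller that mostly misses is guessing.
        if s["queries"] > self.max_queries or (
            s["queries"] >= self.min_sample
            and s["hits"] / s["queries"] < self.min_hit_rate
        ):
            self.blocked.add(api_key)
            return None
        return user["id"] if visible else None
```

With the setting left at “everyone”, a stranger's query resolves; at “friends” or “only_me” the same query returns nothing, which is exactly what the steps above change.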
If you wonder how a hacker benefits from such data, consider that the resulting PII database could be sold to any organization engaged in illegal activities, purely for profit, putting users' safety at risk without their knowledge.