Kevin Mitnick, Adrian Lamo, Albert Gonzalez, Mathew Bevan, and Richard Pryce.  Are these guys household names in your household?

These five (and dozens of others), are among the most notorious hackers on the planet, people who spark fear into the hearts and minds of the most sophisticated technology organizations on the planet. These online villains have compromised the likes of NORAD, NASA, the Defense Information System Agency, and dozens of governments and Fortune 500 companies worldwide.

And then there are the anonymous low-level hackers, men and women sitting in their basement or participating in an online forum who are in it for “fun” and the havoc they can create with a few simple (or not so simple) keystrokes.

533 million Facebook users may know their names very soon.

At a low-level hacking forum on April 3rd, the personal data of more than 500 million Facebook users became public knowledge. Over 32 million of these accounts are in the US.  Even though the data stolen is from 2019, some of this information never changes – like your full date of birth and your full name, including maiden names if you listed them.  Likewise, if you have your phone number associated with your Facebook account for password recovery purposes, that’s out there too.

So what does this mean for corporate and personal security and what can you do about it? As the pilot says when you’re coming in for an emergency landing, “brace for impact.”

If you’re like most Facebook users, you’ve probably told people where you work. This most recent hack will no doubt mean an increase in imposter emails – threat actors pretending to be a trusted employee using their “personal email” to ask for help.  Often, these threat actors ask for Google Gift Cards, or Apple Play Cards for somewhere around $300-$1,500 at a time.  Far too often, staff fall for this trick – especially if the person requesting is “the boss.”

Another real threat I see is theft of phone numbers, since too many staff use these numbers as their second factor of authentication and/or as positive identification (I blame a lot of banks that still only supporting this method of dual authentication).  If Threat Actors know enough about you, they can convince cell phone providers to send them a “replacement SIM card” for a phone number stolen with this Facebook data.  With that phone number, they can potentially log into any site (like your bank or place of business) that uses a phone number to recover a password or as a second level of authentication.

What can you do about this now?

  1. Warn your staff – they may not be aware of this Facebook theft.
    1. Have them be cautious about responding to emails from people they think they know who may be asking for favors, especially if they’re monetary.
    2. Even though there is no indication that Facebook passwords were stolen, suggest staff change their passwords on any account that shared a password with Facebook – especially work accounts.
  2. Protect sensitive data.
    1. Every major carrier supports additional protection on transferring SIM cards through the use of a PIN or passcode known only to the account holder. Many people don’t take advantage of this technology.
    2. Don’t use a cellphone number as a second factor for authenticating access. An authenticator app, like the free one from Google provides far greater security than a text message to a cell phone.
  3. Separate and compartmentalize your sensitive data – don’t be so willing to share it.
    1. Some of my friends provide fake birthdays, if just the year, on Facebook. (I wish I had done this)
    2. Don’t use your primary email address as a recovery method for social media accounts. (I have a “junk” account that I only use for this purpose – this way if anyone “spoofs” Facebook, or any online sites like Amazon, I know it’s fake if it comes to my primary account because that’s not the account linked with those services.)

The big name hackers are still out there but it’s the low-level cybercriminals we should fear most. They’re out there, there’s a lot of them, and they may be coming for a Facebook account near you.

Be Safe. Be Secure.