Facebook hacked on Dec 12th 2019

  • Thread starter Evo
  • #1
Evo
Data Exposure Alert
Norton
Data of 267 million Facebook users exposed in an online database
What is Happening?
Data security researchers discovered an online database containing the names, phone numbers, and Facebook IDs of 267 million Facebook users available for download on a hacker forum. The database was not password protected and had been posted on December 12th. On December 14th, the researchers contacted the internet service provider that was hosting the database and the database was removed on December 19th.
Also LinkedIn and Yahoo have been hacked in the not too distant past, as has Disney. Be aware, don't put personal information on social media sites, change your passwords constantly.
 
  • Like
  • Informative
Likes WWGD, fluidistic, davenn and 1 other person
  • #2
Do you have a link to the news article?
Evo said:
Be aware, don't put personal information on social media sites
Or maybe restate it as "put only the bare minimum of personal information they ask for". Twitter, for example, doesn't work unless you put in your mobile number.
 
  • #3
Wrichik Basu said:
Do you have a link to the news article?

Or maybe restate it as "put only the bare minimum of personal information they ask for". Twitter, for example, doesn't work unless you put in your mobile number.
One reason I don't use Twitter. First reason is I could not care less for anything anyone says on Twitter.

It wasn't a news article, it was an email alert from Norton; I have their service that alerts me to security breaches. I also got a security alert from my credit card that alerts me if they find my email on the "dark web". I got an alert today that my email appeared on the "dark web" on Dec 12th. I was wondering what happened, then I got the email from Norton; it was the Facebook breach.

From my email alert (I x'd out my email address)
  • Dark Web Alert
    Compromised Email Address
  • Email Address
    xxx@xxx.com
  • Password
    Exposed
  • Date found on dark web
    Dec 12, 2019
 
  • Informative
Likes Klystron
  • #5
jedishrfu said:
I can verify it's a real breach; if you look at my last post, you can see they took my email and password from Facebook on the 12th.

Facebook asks you to add your phone number in case you get locked out of your account. DON'T DO IT!

Oh, and that Forbes article was posted right as I was posting this thread; there was nothing, only one website on Google posting about it earlier, one I didn't want to link to. Notification from FB? NO. Of course LinkedIn never notified me of their HUGE breach where my info was taken; it was my credit card company that verified it. Only Yahoo and Equifax contacted me that my info had indeed been taken from their sites.
 
  • Like
Likes Imager
  • #6
Wrichik Basu said:
Twitter, for example, doesn't work unless you put in your mobile number.
As @Evo said, you could not use Twitter.

Protecting your data sometimes means more than doing things safely. Sometimes, it means not doing them at all, even if they offer some benefit.

The whole social media industry is built on the idea of offering benefits to entice us to give away our personal information.
 
  • Like
Likes Astronuc, davenn, Evo and 2 others
  • #7
anorlunda said:
As @Evo said, you could not use Twitter.

Protecting your data sometimes means more than doing things safely. Sometimes, it means not doing them at all, even if they offer some benefit.

The whole social media industry is built on the idea of offering benefits to entice us to give away our personal information.
That's the reason I never had a social media account till last month. Couple of days back, owing to certain circumstances, creating a Twitter account became a necessity.
 
  • #8
Wrichik Basu said:
...
Twitter, for example, doesn't work unless you put in your mobile number.
?
I have a Twitter account and don't have a phone number listed.
Perhaps it's only true if you access Twitter via a mobile phone?
Since I don't own a mobile phone, I access Twitter via my laptop.

Btw, I got a very out of the blue message from a stranger on Friday accusing me of sending her "mean" content on Facebook. Since I didn't send anything to her, I recommended we both update our passwords, as I have no idea how such things can occur.
 
  • #9
OmCheeto said:
I have a Twitter account and don't have a phone number listed.
Perhaps it's only true if you access Twitter via a mobile phone?
Since I don't own a mobile phone, I access Twitter via my laptop.
No idea how Twitter has allowed you, but people all over the net are frowning because Twitter has blocked accounts without a phone number. This is irrespective of whether you register from phone or laptop. For new users, you can't even access your account unless you give a phone number and that is verified by Twitter. There are some hacks, however, like using a Google voice number, but that works only if the service is allowed in your country (in my case, it isn't).
 
  • #10
I suspected a FB breach when I started getting calls on my mobile, supposedly from London, where the caller knew my name. As the number of people who have my number legitimately is very small, for someone else to have it connected with my name is unlikely unless it came from FB. The calls were trying to get me to invest in online trading, a scam my bank had already warned customers about.
 
  • #11
Wrichik Basu said:
...
people all over the net are frowning because Twitter has blocked accounts without a phone number.
I'm finding evidence of Twitter doing this when people also don't have an email account, but not because they only lack a phone number.

Or is it the fact that people can't function without a cell phone that's making them frown?
hmmm... Are we discussing the same thing, or are we talking past each other?

ps. I should really get some type of mobile phone. It's no wonder people look at me funny.

2019.12.22.mobile.phone.usa.percent.png

clickable reference
 
  • #12
OmCheeto said:
I'm finding evidence of Twitter doing this when people also don't have an email account, but not because they only lack a phone number.
While signing up for Twitter, I was given two options: sign up using email id, or mobile number. I chose email id because I did not want to share my phone number, but later found that the account won't be activated unless I give the phone number and they verify it by sending an OTP. Don't know whether they ask for email id if one signs up with phone number, but phone number is a must, at least for new users.
OmCheeto said:
Or is it the fact that people can't function without a cell phone that's making them frown?
hmmm... Are we discussing the same thing, or are we talking past each other?
Maybe talking past each other. Almost everyone has a cell phone, even if it doesn't have internet connectivity. What makes people frown is, Twitter won't allow them access to their accounts unless they register a phone number, and they don't want to give the phone number for privacy reasons.
 
  • #13
darth boozer said:
I suspected a FB breach when I started getting calls on my mobile, supposedly from London, where the caller knew my name. As the number of people who have my number legitimately is very small, for someone else to have it connected with my name is unlikely unless it came from FB. The calls were trying to get me to invest in online trading, a scam my bank had already warned customers about.
Does FB too, like Twitter, compulsorily require phone numbers, or is it optional?
 
  • #14
Wrichik Basu said:
Does FB too, like Twitter, compulsorily require phone numbers, or is it optional?
It's been optional, but they were pressuring people to give it, claiming that if you ever got locked out of your account, you could use it for verification. DON'T DO IT! FB even sent me a list of my friends that had given FB their phone numbers to coerce me to give mine. If I get locked out, which has never happened, there are other safer ways of getting unlocked.
 
  • #15
Evo said:
FB even sent me a list of my friends that had given FB their phone numbers to coerce me to give mine.
Holy mackerel. They think that giving you some of your friends' personal info will make you have confidence in FB.
 
  • Like
Likes Evo
  • #16
anorlunda said:
Holy mackerel. They think that giving you some of your friends' personal info will make you have confidence in FB.
I know! Oh Jane gave FB her phone number, social security, credit cards and bank account numbers, I should give them mine too! They're banking on herd mentality, I guess.
 
  • Haha
Likes Astronuc
  • #17
Wrichik Basu said:
While signing up for Twitter, I was given two options: sign up using email id, or mobile number. I chose email id because I did not want to share my phone number, but later found that the account won't be activated unless I give the phone number and they verify it by sending an OTP. Don't know whether they ask for email id if one signs up with phone number, but phone number is a must, at least for new users.

Maybe talking past each other. Almost everyone has a cell phone, even if it doesn't have internet connectivity. What makes people frown is, Twitter won't allow them access to their accounts unless they register a phone number, and they don't want to give the phone number for privacy reasons.
In the interest of science, I just created a new twitter account.
It's just as you say!
I had 100% access for about 10 minutes, and then I was locked out, and could not proceed without a textable phone number. They claim my land line is "unsupported".

They did though tell me this; "Contact our support team if you need additional help unlocking your account."

Which I did, and informed them I don't have a cell phone.
Their automated system said it may be a few days before I receive a response.
 
  • Haha
  • Like
Likes Evo and Wrichik Basu
  • #18
OmCheeto said:
Which I did, and informed them I don't have a cell phone.
They don't care about Luddite members. :sorry: Sorry, couldn't resist kidding. Happy holidays Om.
 
  • Haha
Likes OmCheeto
  • #19
OmCheeto said:
They did though tell me this; "Contact our support team if you need additional help unlocking your account."

Which I did, and informed them I don't have a cell phone.
Their automated system said it may be a few days before I receive a response.
Let us know what reply you get.
 
  • Like
Likes OmCheeto
  • #20
Wrichik Basu said:
Let us know what reply you get.
Don't know what it'll say, but I bet it'll come with a postage stamp on it. :oldbiggrin:
 
  • Haha
Likes anorlunda
  • #21
Just now removed my phone number from Twitter. Let's see what happens.
 
  • Like
Likes OmCheeto
  • #22
Evo said:
Be aware, don't put personal information on social media sites

This really undermines the 'social' experience that people seem to be looking for on these sites, but apart from that, most users are less informed than the PF cohort, so expose considerable personal information just through their sharing and commenting activities. Unless you are read-only on sites such as FB, Insta, TikTok, etc. you really can't help but reveal personal details, no matter how hard you try to avoid it.

And as the Twitter comments have noted, the platforms themselves are working against underlying anonymity, so the risk of cell phone + user name + actual name + password reveal is certainly there (though, how does Twitter fight against troll farms undermining elections if they can't tie an account to a person? Can we have perfect privacy with perfect societal protection?).

Evo said:
change your passwords constantly

Yes, I 100% agree with this, and even better, enable two or multi factor authentication. A recent Microsoft study showed this stopped 99+% of account hacks. Thank you PF for your MFA capability :muscle:

However, these unexpected breaches really are small change in the privacy landscape, shocking as they seem. The NY Times thoughtful article on location data highlights how 'normal use' reveals so much about us, and it is being brokered behind the scenes in ways we give no thought to. That's more troubling to me, because it is us willingly giving data away to them...without even knowing who them is!
 
  • #23
anorlunda said:
They don't care about Luddite members.
On the contrary. I think their somewhat "let's not make this too easy" methodology is to discourage trolls.

On their "suspended" help form they have the following:

Describe the nature of your appeal (for example, why you do not believe your account violated the Twitter Rules, or if you are having difficulties unsuspending or unlocking your account, or if you cannot provide a phone number).
Phone number (optional)

:sorry: Sorry, couldn't resist kidding. Happy holidays Om.

Ditto!
 
  • #24
Wrichik Basu said:
Let us know what reply you get.
Why, of course!
Though, I'm now worried, that Twitter may have a policy against "sock puppets", and just delete my new account.
I used my gmail email address to create it, as I don't use it for actual correspondence.
But upon further inspection, I discovered that my real email address is listed in my gmail settings.

Doh!
 
  • Like
Likes Wrichik Basu
  • #25
OmCheeto said:
Though, I'm now worried, that Twitter may have a policy against "sock puppets", and just delete my new account.
I used my gmail email address to create it, as I don't use it for actual correspondence.
But upon further inspection, I discovered that my real email address is listed in my gmail settings.
I don't think they'll be able to identify you, because real email addresses set up in gmail for forwarding (or otherwise) are not revealed. That is the whole purpose of email services allowing you to add another email address that you own; if people are able to find out your real email, then the purpose is no longer served.
 
  • #26
The NIST now recommends NOT to change passwords often. I think they assume people tend to pick weaker passwords, which is likely backed up by some studies. However if you use a password manager to create random-looking and high entropic passwords, I don't think it makes any difference (you only lose time by doing so, but no harm is otherwise done).
I don't think Facebook stores its passwords database in plain text, so the hackers (or better to say, crackers) won't be able to get to know your password unless it is so weak that its (salted?) hash value is known. So in my case, I wouldn't even change my password, if the password database had been hacked. A loss of time since the crackers will never get the password.

One website I often see recommended to check whether some of your accounts have been compromised is https://haveibeenpwned.com/ (see the Wikipedia page for instance https://en.wikipedia.org/wiki/Have_I_Been_Pwned?)

I think 2FA is indeed better (but not perfect, see the last days China's crackers exploit which bypassed 2FA) than just using a password. There is some hardware that can be used for that purpose (Yubikey, Nitrokey) but reading about their flaws in Wikipedia makes me reluctant to use them.
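
An added example, not part of the original post: NIST SP 800-63B pairs its advice against periodic rotation with screening passwords against known-breached lists, and the Pwned Passwords range endpoint of the site linked above lets a client do that check while sending only the first five hex characters of the password's SHA-1. The HTTP call is replaced here by an offline stub; the helper names, sample passwords and counts are constructed for illustration.

```python
import hashlib

# Constructed sample data: password -> number of times "seen in breaches".
SAMPLE_BREACHED = {"password": 1000000, "qwerty123": 5000}


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines, skipping anything malformed."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35:
            continue  # not a valid entry
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How often the password appears in the breach corpus (0 = not found).

    Only the 5-character prefix is passed to fetch_range, so the service
    never learns the full hash, let alone the password.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def must_change(password: str, fetch_range) -> bool:
    """Change on evidence of compromise, not on a calendar schedule."""
    return breach_count(password, fetch_range) > 0


def make_offline_fetcher(known: dict[str, int]):
    """Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    buckets = {}
    for pw, n in known.items():
        prefix, suffix = split_hash(pw)
        buckets.setdefault(prefix, []).append(f"{suffix}:{n}")

    def fetch(prefix: str) -> str:
        fetch.requested.append(prefix)  # record what "left the machine"
        decoy = "F" * 35 + ":3"         # unrelated entry sharing the bucket
        return "\r\n".join(buckets.get(prefix, []) + [decoy])

    fetch.requested = []
    return fetch


if __name__ == "__main__":
    fetch = make_offline_fetcher(SAMPLE_BREACHED)
    for candidate in ("password", "kV9#tq2L!xw7Zp"):
        print(candidate, "->", breach_count(candidate, fetch),
              "change now" if must_change(candidate, fetch) else "keep")
    print("prefixes sent:", fetch.requested)
```
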
 
  • #29
:headbang:
Today I received a bank debit card in the mail, with my address, and someone else's name, with a bank I had an open credit card (>$10k available) account with.

Just got off the phone with the second customer service rep.
She and the previous rep were both delightful.

It appears that I have to go to my local branch on Monday, with the physical evidence, to kind of prove that I'm neither a kook, nor senile, for the most part.

Wait a minute. I was just online, and I didn't have a savings nor checking account, and my mortgage account was closed months ago...

So I've just closed the last account with that bank, and they're going to look at me on Monday, like I'm some sort of kook.

hmmmm...
 
  • #30
Wrichik Basu said:
No idea how Twitter has allowed you, but people all over the net are frowning because Twitter has blocked accounts without a phone number. This is irrespective of whether you register from phone or laptop. For new users, you can't even access your account unless you give a phone number and that is verified by Twitter. There are some hacks, however, like using a Google voice number, but that works only if the service is allowed in your country (in my case, it isn't).
Are you maybe allowed to use another voip service, such as Talkatone, or a proxy phone number app, such as Burner?
 
  • #31
sysprog said:
Are you maybe allowed to use another voip service, such as Talkatone, or a proxy phone number app, such as Burner?
Neither of them is available in my country.

Anyways, I removed the phone number from Twitter, as mentioned in post #21. They haven't blocked my account yet.
 
  • #32
fluidistic said:
China's crackers exploit which bypassed 2FA

Details of exactly what happened in this hack are scant, but it seems to be a nation state attack, meticulously planned and executed, with the 2FA bypass allegedly done via a stolen RSA SecurID software token taking advantage of a related exploit in the 2FA code.

The security implications for 2FA in the general sense are unclear but it seems likely this is a fixable flaw. It's also not a general fault with 2FA, in the sense that a single exploit undermines it.
 
  • #33
Wrichik Basu said:
Neither of them is available in my country.

Anyways, I removed the phone number from Twitter, as mentioned in post #21. They haven't blocked my account yet.
They still have it in their database and if your phone number is leaking anywhere on the web or to any other tech giant, chances are Twitter could get it.
 
  • #34
fluidistic said:
They still have it in their database and if your phone number is leaking anywhere on the web or to any other tech giant, chances are twitter could get it.
Even if they have it, I can't do anything about it. While signing up, you are compulsorily required to provide a phone number.
 
  • #35
OmCheeto said:
:headbang:
Today I received a bank debit card in the mail, with my address, and someone else's name, with a bank I had an open credit card (>$10k available) account with.

Just got off the phone with the second customer service rep.
She and the previous rep were both delightful.

It appears that I have to go to my local branch on Monday, with the physical evidence, to kind of prove that I'm neither a kook, nor senile, for the most part.

Wait a minute. I was just online, and I didn't have a savings nor checking account, and my mortgage account was closed months ago...

So I've just closed the last account with that bank, and they're going to look at me on Monday, like I'm some sort of kook.

hmmmm...
Good grief, have you looked up the name on the card to see if you find someone, by chance? They should know (if it's a legitimate bank error) that their debit card was sent to someone else! I'm sure the bank isn't going to tell them. The person might be listed in LinkedIn if they're employed. They might even be found on FB. I wouldn't contact them, but it would be interesting.

Boy, my email address had quite an active (and unsavory) life after Yahoo was first hacked, my email address was sold on the "dark web" and some idiot (I was actually able to find out the name and address of the moron that bought it because they weren't the brightest bulb). Geeze. The places my email address went and the things that were tried (and some done) with it. Since it was a fake email I had created, fake person, fake location, I wasn't concerned with closing the account and every time it was used, I'd get the confirming email back requesting verification, or I'd get a copy of what had been done with one of the websites that is very well known that allowed the moron to post unbelievable stuff and never tried to verify that it was legitimate. Anyway, I was on porn sites, BAD sites, all kinds of sites. I drove the moron nuts by shutting down his accounts until he gave up trying to use my email address. The porn sites were before the moron bought it for his personal use, no idea who that was. I never opened those emails. I seemed pretty popular; well, the poor fictional person linked to the email address was popular.
 

Related to Facebook hacked on Dec 12th 2019

1. What happened during the Facebook hack on December 12th, 2019?

On December 12th, 2019, Facebook experienced a major security breach where hackers gained access to over 50 million user accounts. This allowed them to view personal information, post on users' behalf, and potentially access other linked apps and websites.

2. How did the hackers gain access to Facebook?

The hackers exploited a vulnerability in Facebook's "View As" feature, which allows users to see how their profile looks to others. They were able to steal access tokens, which are digital keys that keep users logged in without having to re-enter their password each time.

3. What kind of information was compromised during the hack?

The hackers were able to access a variety of personal information, including names, birthdates, gender, relationship status, and recent searches. They also potentially had access to any linked apps or websites, depending on the permissions granted by the user.

4. How did Facebook respond to the hack?

Facebook immediately addressed the vulnerability and fixed it within a few days. They also reset the access tokens for the affected accounts and an additional 40 million accounts as a precaution. They also notified law enforcement and are working with them to investigate the incident.

5. What steps should I take if my account was affected by the Facebook hack?

If your account was one of the 50 million that were compromised, Facebook will automatically log you out and you will receive a notification explaining what happened. It is recommended that you change your password and review your account activity to make sure there are no unauthorized posts or actions. You should also be cautious of any suspicious emails or messages asking for personal information or login credentials.
