Facebook users could soon fall victim to a massive data breach again. A program for linking email addresses to accounts on the social network is currently circulating in hacking forums. Mark Zuckerberg’s group considers the security flaw benign, even though 5 million accounts can be affected every day.
After 533 million Facebook users were affected by one of the biggest hacks in social network history, the social network could suffer a new large-scale data breach. A tool spotted by a cybersecurity researcher is capable of linking 5 million email addresses per day to accounts, public as well as private. Called “Facebook Email Search v1.0”, it is currently spreading on various hacking forums.
“I spent about $10 buying fake Facebook accounts”, explains the researcher in a video. “And in just 3 minutes, I had [obtained] 6000 accounts [with their email addresses]”. The tool exploits a flaw that Facebook had initially corrected, yet it uses “exactly the same vulnerability”. The researcher, who wishes to remain anonymous, said he contacted Facebook to warn them of the problem. The social network replied that the flaw does not require immediate repair.
Facebook refuses to plug the loophole that could leak millions of email addresses
The tool is currently used to hack Facebook accounts and, ultimately, take control of pages, groups as well as “advertising accounts, obviously for financial gain”. In just a few minutes, the tool manages to obtain several thousand email addresses, just from a few account names.
As with the 2019 vulnerability that led to the latest historic leak, Facebook is aware of the vulnerability that makes the operation possible. Still, the group believes that there is no need to act to correct it. “For some reason, even though I showed [the results] to Facebook for them to see it, they told me directly that they do not intend to prevent its use.”
In an official statement, Facebook said: “It appears that we mistakenly closed the bug file before forwarding it to the appropriate team. We appreciate that the researcher has shared his information with us and are taking initial steps to mitigate this issue as we follow him closely to better understand their findings.”
Towards a new large-scale data breach?
It is difficult at this time to say with certainty whether the flaw was exploited by hackers to build a huge database, similar to the one that appeared on the web a few days ago. Nevertheless, the researcher considers such an outcome very likely. “I think this is a very dangerous vulnerability and I would like to help fix it.”
For its part, Facebook continues to believe that the consequences for users are minimal. In an email sent to Dutch newspaper DataNews, the social network claims it is “a general industry problem”, but that it is nevertheless necessary to “accept that this kind of activity happens on a regular basis.” As always, the only way to protect yourself is to consult the Have I Been Pwned database and change your login credentials if your email address is there.
The researcher behind the discovery concludes by saying that “This is not just a huge privacy breach. This will result in another gigantic data leak, especially email addresses. It will allow malicious people not only to link email addresses to user IDs, but also to add the latter to phone numbers that have appeared in previous leaks.”
Source: Ars Technica