The personal data of more than 533 million Facebook users has been leaked online. But, if you’re a business owner, there are a few things you can do to make sure your professional page is as safe as possible.
News broke last week that data including the full names, dates of birth, email addresses and phone numbers of Facebook users were available on a hacking forum.
The data was first leaked back in 2019, due to an issue that Facebook says was resolved at the time.
And, while it was available at a price for some time, it is now up for grabs on a hacking forum, free of charge.
In a tweet, Alon Gal, cyber security expert and founder of security firm Hudson Rock, who first alerted Vice’s Motherboard to the data for sale in January, said that if you have a Facebook account “it is extremely likely” that the phone number used to set up that account has been leaked.
All 533,000,000 Facebook records were just leaked for free.
This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked.
— Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
While passwords do not seem to have been leaked, all of this is information that could be used either to impersonate a person, or to reset passwords to gain access to accounts.
Has my page been affected?
In reality, it’s difficult to know for sure whether your own account information has been leaked or not.
Have I Been Pwned is a well-regarded site that tracks data breaches, and can let you know if your email has been compromised, in which breach and when.
This service is only available for emails, however, and while creator Troy Hunt has floated the idea of creating a service that works for phone numbers, at the time of writing it is not yet up and running.
Should the FB phone numbers be searchable in @haveibeenpwned? I’m thinking through the pros and cons in terms of the value it adds to impacted people versus the risk presented if it’s used to help resolve numbers to identities (you’d still need the source data to do that).
— Troy Hunt (@troyhunt) April 4, 2021
There are also sites that purport to offer the same service for mobile numbers, but their legitimacy has been questioned, and there don’t seem to be any available for Australian numbers.
What are the risks to small business owners?
Many business owners use Facebook as a means of communicating with their clients, and reaching new ones.
According to Susie Jones, co-founder of cybersecurity startup Cynch Security, we could see an increase in the number of phone scams, due to a large number of phone numbers being released.
Additional information such as location data could also help criminals make their scams more believable.
Also, if you have multi-factor authentication (MFA) set up using your phone number, you should assume criminals will be able to link that number with your Facebook account.
By calling your phone provider and impersonating you, they could port your number to a new phone, thereby receiving your SMS verification codes and gaining access to your account.
To counter this risk, Jones suggests moving to a non-phone based MFA method such as an authenticator app.
All of this also applies to any staff member that has access to your business page as an admin.
And, finally, Jones notes that other accounts linked to the same email address could also be at risk, particularly if they use the same phone- or text message-based MFA system.
If the same email address is linked to your Facebook and LinkedIn accounts, for example, then a hacker could use the information they gained from the Facebook breach to hack into your other platforms.
What should I do next?
If you think your account may have been compromised, it’s best to change your password to any platform that uses the same email address immediately.
Jones advises choosing strong passwords, and ideally using a password manager such as LastPass or similar.
Even if you don’t think you’ve been affected this time, it’s a good idea to have MFA for all your accounts, and to use an app authenticator, rather than an SMS method.
If you don’t have MFA on your Facebook account already, you can learn how to set it up here.
Jones also advises business owners to be on the lookout for any common phone scams being reported, through the ACCC’s Scamwatch for example.
She suggests that you review your privacy settings online, and consider how many personal details you’re sharing publicly.
The more information a hacker has about you and your business, the easier it will be to impersonate you online.
“Reducing the amount of detail you share on social media can help limit the harm,” Jones notes.
Finally, it’s important to make sure your staff members are aware of the risks here, too — particularly if they have access to your business pages.
You should encourage them to change their passwords, to implement MFA using an app, and to review their personal details. That’s both in their own interests, and in yours.
At the time of writing, Facebook has not responded to a request for comment.