A threat actor leaked 200,000 records on a hacker forum, claiming they contained the mobile phone numbers, email addresses, and other personal information of Facebook Marketplace users.
Bleeping Computer* verified some of the leaked data by matching the email addresses and phone numbers on random records within the sample data shared by IntelBroker, the threat actor who leaked the data online. Threat actors can use the email addresses leaked online in phishing attacks and the Facebook Marketplace users’ mobile numbers in mobile phishing attacks. The exposed mobile numbers and personal info can also be used in SIM swap attacks that would allow them to steal multi-factor authentication codes sent via SMS and hijack their targets’ accounts.
These news are in line with other incidents enabled by attacks on third-party vendors. These so called supply chain attacks exploit weaknesses of contractor systems to attack higher value targets, such as Facebook, but also Microsoft and other tech giants. Revelations like this one are a stark reminder that everyone self is responsible for the data shared with these corporations. But not only should one reconsider and double-check the content posted but especially the personal information shared should be vetted again, such as real names, birthdays, location and even more so valid payment information. Applying multi-factor (“two step”) verification and authentication is also imperative as shown by the recent wave of account takeovers or such attempts, which are made possible by leaks such as the aforementioned.
by Thomas Uhlemann, ESET
*ESET does not bear any responsibility for the accuracy of this information.
ESET Ireland 