A Dutchman living in Malta has designed a website allowing Facebook users to figure out whether their personal data was exposed in a massive breach of the platform's systems.
More than 500 million Facebook users, including over 100,000 Maltese ones, are believed to have been compromised by the data hack, which Facebook acknowledged on Wednesday.
Users' phone numbers, email addresses, names, job and marital statuses and locations were all exposed by the breach.
HaveIBeenZuckered.com allows Facebook users from across the world to type in their phone number to see whether any of their data was disclosed in the breach.
The brains behind the website, Jorrit Klein Bramel, works as a developer with Malta-based marketing company Blexr.
Why should I trust the website with my data?
The site uses a technique known as ‘hashing’ to ensure users of the site can safely submit their phone numbers to the website without worrying about the number being shared.
“In layman’s terms, hashing ensures I don’t see the number being inputted from the website’s back-end, because the numbers are encrypted,” Klein Bramel explained.
Another layer of security is ‘k-anonymity’, he explained.
“The website’s server only receives the first five characters of the strings of randomly generated characters, which is then used to scan through the leaked cache of documents and verify whether the number corresponding to those strings has been leaked,” Klein Bramel said.
The developer added that he consulted a legal advisor before programming the website, and made sure that Google Analytics, Google’s visitor-tracking tool, is not enabled on the site.
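The hash-prefix lookup described above, written out as an added example (this is not HaveIBeenZuckered.com’s own code; the phone numbers, the choice of SHA-256 and the five-character prefix are assumptions for illustration). The client hashes the number locally and sends only the first five hex characters; the server answers with every hash suffix in that bucket, and the client finishes the comparison on its own machine.

```python
import hashlib

# Constructed sample of "leaked" phone numbers (not real data).
LEAKED_NUMBERS = ["+35679000001", "+35679000002", "+4915200000003"]

PREFIX_LEN = 5  # hex characters disclosed to the server


def normalise(phone: str) -> str:
    """Strip spaces and dashes so one number always hashes the same way."""
    return "".join(ch for ch in phone if ch.isdigit() or ch == "+")


def phone_hash(phone: str) -> str:
    """Hash the normalised number. A bare phone number has little entropy,
    so the hash alone is guessable; the prefix scheme below is what keeps
    the server from learning which number was asked about."""
    return hashlib.sha256(normalise(phone).encode()).hexdigest()


def build_index(numbers):
    """Server side: bucket the hashed leak by its prefix. With 16**5 buckets,
    a 500-million-row leak gives roughly 500 entries per bucket."""
    index = {}
    for number in numbers:
        digest = phone_hash(number)
        index.setdefault(digest[:PREFIX_LEN], []).append(digest[PREFIX_LEN:])
    return index


def server_lookup(index, prefix: str):
    """Server side: accept only a well-formed prefix, return the suffixes."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789abcdef" for c in prefix):
        raise ValueError("prefix must be %d lowercase hex characters" % PREFIX_LEN)
    return list(index.get(prefix, []))


def client_check(index, phone: str) -> bool:
    """Client side: only the prefix leaves the machine; the match is local."""
    digest = phone_hash(phone)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in server_lookup(index, prefix)


INDEX = build_index(LEAKED_NUMBERS)

if __name__ == "__main__":
    for number in ["+356 7900 0001", "+35679999999"]:
        print(number, "->", "exposed" if client_check(INDEX, number) else "not found")
```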
What can I do to protect my data?
1. Use multi-factor authentication
The Malta Information Technology Agency (MITA) encourages individuals to implement multi-factor authentication on their accounts where possible while also using different passwords for different accounts.
Multi-factor authentication adds a layer of security to the standard password, by introducing information only the real owner of the account could have.
This commonly comes in the form of a text message to the owner’s phone number containing a randomly generated code, or otherwise a separate mobile app, such as Google Authenticator, that generates a new random code every thirty seconds.
2. Use different passwords
Using the same password for multiple websites or services means that if one of those services is compromised, all other services using the same password are at risk.
Instead of using one easy-to-remember password, use a password manager to generate and store different passwords for each service or website.
Many password management tools safely store and retrieve passwords as needed, and some of them, such as Bitwarden, are free. Some browsers, such as Chrome, also come with a built-in password manager.
You can also use free random password generators to create passwords that are more difficult to crack.
Can hackers find my password through the Facebook leak?
No, the Facebook data breach does not include leaked passwords. But hackers can still use the leaked personal data to manipulate users into sharing more.
“Such information could be used by criminals to engage in phishing campaigns and abuse password recovery functionalities that could still result in unauthorised access to a person’s account,” a police spokesperson said.
Police have yet to receive any formal reports related to the leak but say they are monitoring the situation.
‘Phishing’ is a technique used by online fraudsters that seeks to extract personal information from a user by tricking them into thinking they are providing that information to an authoritative source, such as a bank or postal service.
Hackers could use email addresses, names, addresses and other data extracted from the Facebook data leak to put together emails from fraudsters posing as friends or bank clerks, for example.
These scamming attempts, known as ‘social engineering’ attacks, usually aim to gain access to bank accounts or online wallets in order to transfer money out of the victim’s accounts, or to steal the victim’s identity in order to obtain privileged access to a restricted website.