The SecurityMetrics Threat Intelligence Center has observed a disturbing trend over the past few months of businesses downplaying the severity of data breaches using a variety of tactics and techniques.
Downplaying severity and keeping customers in the dark
Recent data-scraping breaches in the news from Facebook, LinkedIn, SITA, and Clubhouse showcase the techniques companies use to downplay severity. When companies use these tactics, they make it easier for threat actors to carry out more attacks, including social engineering and phishing. In this article, we will discuss examples and consequences of data scraping breaches and give tips on how you can be more vigilant. What makes these disturbing trends even worse is companies that continue to pay ransom demands, as in the case of the recent Colonial Pipeline breach and many others. When companies pay the ransom, it incentivizes threat actors even further, since they know they will get paid.
Oftentimes the statements, responses, and notifications (if any) to customers downplay the severity of breaches. They use carefully crafted statements that focus on calling threat actor techniques like data scraping “commonplace,” and deflect blame onto members for sharing their data in the first place.
Some press releases go so far as to claim that “no breach or hacking” took place and take zero responsibility; others claim the data was scraped by threat actors from public profile information in their own app, which anyone can access via the app or its API. Worse yet, in some cases these press releases go down the path of blaming (or shaming) the victim for sharing their information in the first place. The precedent-setting behavior of the companies involved is irresponsible and dangerous, and it creates an atmosphere of gaslighting.
“This was not a breach”
A recent Facebook breach exposed data from over half a billion Facebook users in 106 countries. Facebook says the data was scraped through a vulnerability the company patched in 2019. The data dump posted on a hacking forum included Facebook IDs, phone numbers, full names, locations, birthdates, biographies, and some email addresses.
Facebook downplayed the severity of the incident, claiming the breach was not really a hack but data scraping, which Facebook positioned as a common threat actor tactic that relies on automated software to lift public information from their site. There was no mention in their press release of what users can do to be more vigilant in the face of increasing social engineering attacks.
This HSBC Bank fake SMS text message is a perfect example of how a phone number tied to a Facebook account could be used to socially engineer you.
Days after the Facebook data leak, LinkedIn downplayed a leak of 500M users’ data found for sale on a dark web forum. This data included full member names, email addresses, phone numbers, workplace information, job titles, and other pieces of confidential data. LinkedIn's statement treated the incident as just another day in the office. In a carefully crafted two-paragraph statement, LinkedIn reminded everyone that this profile data was publicly viewable, even though you must be a member to see it. The statement also reiterated the consequences for threat actors who scrape “our members’ data” and violate the terms of service. No mention was made of what threat actors use this scraped data for: usually social engineering, phishing schemes, or identity theft.
Recently, drop-in audio firm Clubhouse had a data scraping breach, which was again downplayed in a similar manner. Clubhouse released a press release that was similar to Facebook's.
How to protect yourself and stay vigilant against data scraping
Since these companies are choosing not to notify customers when data has been scraped, you should take a defensive approach. You can find out if your email or phone number has been caught in the recent Facebook breach, or any of the other breaches, by visiting the website Have I Been Pwned?
If your data was found in any breach, this website will tell you and recommend that you change your password. You should also ensure that you're not using the same password over and over for other websites or apps. Many people use the same password for their email, Facebook, Netflix, Amazon Prime, and other accounts. If this is the case for you, you should change your account passwords. To help you keep track of all your passwords, consider using a password manager.
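The check described above can also be done without handing your password to anyone. Have I Been Pwned's Pwned Passwords service uses a k-anonymity range query: you send only the first five hex characters of the password's SHA-1 hash and receive every matching hash suffix with a count, then compare locally. The example below is added here and is not from the SecurityMetrics article; the range endpoint URL is the real one, but the sample response body, the counts in it, and the account list are constructed for illustration. It also shows a simple reuse check, so you can spot the "same password for email, Facebook, and Netflix" problem the paragraph warns about.

```python
"""
Added example: k-anonymity breach check and password-reuse check.
Not code from the SecurityMetrics article; the sample data is constructed.
"""
import hashlib
import urllib.request
from collections import defaultdict
from typing import Dict, List, Tuple

# Real Pwned Passwords range endpoint: only a 5-character hash prefix is sent.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what the range endpoint returns for prefix "5BAA6"
# (one 'SUFFIX:COUNT' line per hash). The counts are made up for this example;
# the first suffix is the real SHA-1 tail of the string "password".
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1E4C9B93F3F0682250B6CF8331B7EE68FD9:3
00000000000000000000000000000000001:1
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerate blank or malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        try:
            counts[suffix.strip().upper()] = int(count.strip())
        except ValueError:
            continue  # skip a corrupted count rather than fail the whole check
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the corpus, given the range body
    for its prefix. Returns 0 when the suffix is not listed."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Network lookup for a 5-char prefix (hypothetical helper; not used offline)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix, headers={"User-Agent": "pwned-range-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def find_reused_passwords(accounts: Dict[str, str]) -> List[List[str]]:
    """Group account names that share a password (compared by SHA-256, so the
    plaintext never needs to be kept around after hashing)."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for account, password in accounts.items():
        groups[hashlib.sha256(password.encode("utf-8")).hexdigest()].append(account)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


if __name__ == "__main__":
    # Offline demonstration against the constructed response.
    print("'password' seen", breach_count("password", SAMPLE_RANGE_BODY), "times")
    # Constructed account list illustrating the reuse problem.
    accounts = {"email": "password", "facebook": "password", "netflix": "Tr0ub4dor&3"}
    print("reused across:", find_reused_passwords(accounts))
    # To query the live service: prefix, _ = sha1_prefix_suffix(pw); fetch_range(prefix)
```

Only `fetch_range` touches the network; everything else runs offline against the constructed body, which is also how you would unit-test the matching logic. Any password that comes back with a non-zero count should be treated as already known to attackers and changed everywhere it is used.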
Next steps for security
Anytime a database the size of LinkedIn's or Facebook's gets scraped, social engineering is the greatest threat you will face, since many of these breaches include private information like phone numbers and job titles. This article highlights how threat actors are using social engineering techniques on LinkedIn, sending phishing emails disguised as job offers that use your actual job title in the heading.
Phone numbers are highly beneficial to threat actors and make it easier for them to perform social engineering attacks like SMS phishing text messages.
Learn how to recognize social engineering and train employees on what to do with resources like How to Recognize a Phishing Email and The 2021 SecurityMetrics Guide to PCI DSS Compliance.