267 million Facebook users exposed by Elasticsearch breach

This Social Media Data Breach Exposed 267 Million

It has become so frequent it might almost bore us. A data breach exposed the identities, account information and contact data of 267 million users. If it didn’t expose hundreds of millions of people to identity theft and account takeovers across thousands of other internet sites, we could be forgiven for ignoring it.

Facebook Yet Again Exposes Hundreds of Millions of its Users

Earlier in 2019, the records of half a million Facebook users were found on the Amazon cloud. This autumn, phone records of over 219 million of its members were exposed yet again on an unprotected server. Now, it has been revealed that 267 million people had their usernames, telephone numbers and other account information exposed on an Elasticsearch server where the data was scraped by hackers from Vietnam. The data appears to focus largely on US users of Facebook.

This follows an Elasticsearch data breach earlier this year of over 1.2 billion users from a variety of websites including Facebook, Github, LinkedIn and Twitter, some of the most popular social media websites on the Internet. This recent data breach applies just to Facebook; the database was indexed on December 9 and posted online on December 12. The data appears to have been harvested using Facebook’s API or by scraping the Elasticsearch servers hosting Facebook user data.

Elasticsearch: A Search Engine Adopted Across the Internet

Elasticsearch is a name you’ve probably never heard of, but you have doubtless used it countless times. The company provides a search engine used by some of the most popular websites on the Internet, from Facebook to Netflix. At its most basic level, Elasticsearch allows users on these websites to search within those websites much like Google allows users to search across the entire Internet. What users don’t see are the tools Elasticsearch provides to those websites to learn about their users: tools for data analytics and visualization, performance monitoring and more.

In order to get useful data about their users’ searches and thus their patterns of behavior and their desires, websites need to effectively expose their entire databases to Elasticsearch. This explains why the websites that use Elasticsearch make themselves vulnerable to a data breach of Elasticsearch. That’s just what happened here. A data breach of Elasticsearch – a company you’ve probably never heard of – exposed you if you are a user of Facebook or one of many other sites.

Facebook Protection Arrives Too Late

The indexing and downloading of the Facebook database by the Elasticsearch hackers appear to have taken place just before Facebook implemented changes to restrict access through its API to users’ phone numbers and other information. Scraping user account information is against Facebook’s policies but can be done with ease if users have set their Facebook profiles to be publicly visible.

As indicated, the majority of the exposed Facebook users appear to be based in the United States. Whether by design or by happy accident, the Vietnamese hackers have captured the most valuable users on the Internet. Facebook has advised users to adjust their privacy settings to Friends and set the “Do you want search engines outside of Facebook to link to your Profile?” to “No”.

What this Means for You

MyProfyle wants people to know that the Facebook database can now be used for phishing and social engineering campaigns and may expose a much broader range of websites that users log into using their Facebook credentials. We recommend users adjust their Facebook privacy settings as described above, but we also recommend users take one step further: discontinue using login with Facebook and make password changes to those websites.

MyProfyle reminds its users that exposure by data breaches like these will continue and there is no way to effectively protect yourself from them, because such breaches happen not only with the companies you explicitly share your information with but with all the third parties those companies deal with. Become a Free Basic MyProfyle member today and learn more about risk factors like these so that you can take the appropriate steps to protect yourself and approve or reject use of your identity.

