Attackers have found ways to counter SMS-based codes, and their attacks are getting both easier and cheaper
Over the holiday weekend, we learned that the personal data of over half a billion (533 million) Facebook users, including phone numbers, was leaked online. Facebook confirmed the leak, saying it resulted from a vulnerability they fixed in 2019.
While the vulnerability and the theft may seem like “old news” because they happened nearly two years ago, this development means Facebook users whose data was stolen in 2019 are at greater risk now that the data is circulating, and they should take steps today to better protect themselves.
The reports indicate the data includes phone numbers, Facebook IDs, full names, locations, birthdays, biographical information and some email addresses for users from around the world. A listing of the number of each country's users impacted can be found here.
The loss of phone numbers tied to email addresses is particularly worrisome. For many people, the leaked phone number is the very number that receives SMS-based login codes for the leaked email address. Those users are at increased risk of “SIM swapping”, in which an attacker convinces the carrier to move the victim's number to a SIM the attacker controls, redirecting SMS codes (and password-reset texts) to the attacker's device and giving them access to the target's email. Because email accounts are where "I forgot my password" resets go, this is the easiest and most effective way for attackers to take over your digital life: hijack the email account first, then use it to reset the passwords on everything else.
“SIM swapping” attacks are increasing in frequency. They’re also becoming easier to carry out.
Facebook hasn’t notified users whose data has been stolen and there’s no simple, safe way to tell if you’ve been affected. Because of this, if you had a Facebook account in 2019, you should assume your data has been lost and take steps to better protect yourself.
The single best thing you can do to protect yourself is to immediately move your email account from password only, or password plus SMS-based codes, to an authenticator app such as those offered by Microsoft and Google. Switching to an authenticator app mitigates the SIM-swapping risk because it removes your cell phone number and SMS from the equation entirely: the code is computed on your device from a secret shared at enrollment, so there is nothing for a hijacked number to receive. When you switch, also remove SMS as a fallback or recovery method where the service allows it; leaving SMS enabled alongside the app keeps the SIM-swap path open. You can use either authenticator for your email as well as most other apps and services that support authenticator apps, so in most cases one authenticator app covers all your accounts (not just email).
There are other risks from this leak as well, notably phishing attempts via text message, sometimes called “smishing”. With your name and email address paired with your phone number, attackers can craft more convincing and better-targeted phishing texts. Fake SMS messages are also harder to spot than fake emails because a text carries so little context: no sender domain, no headers, and often just a short link.
At the very least, you should be extra cautious of the SMS messages that you receive after this data leak.
If you’re someone who could be a higher-value target for attackers, such as a politician, government worker, or a member of the police or military, and you still have the same number you had in 2019, you should consider changing your phone number and enabling whatever protections your carrier offers against number porting and SIM changes (for example, an account PIN or a port-out lock). Those who are particularly high-value targets may want to make a practice of changing cell phone numbers regularly (but not on a predictable schedule). It's worth noting that the United States Secret Service reportedly did this for then-President Donald Trump as a security tactic, since he regularly made use of commercial cell phones.
Moving to an authenticator app is increasingly a recommended best practice in the security community, as attackers have found ways to effectively counter SMS-based codes and those attacks are getting easier and cheaper to carry out. At this point, it’s really a question of “when,” not “if,” people move off SMS-based codes to authenticator apps. This latest sizable data breach at Facebook can and should motivate many people to do so sooner rather than later.