It has recently been made public that personal data belonging to over 500 million Facebook users and over 700 million LinkedIn users had been leaked and proposed for sale on hackers’ networks.

For each us, this means that it is highly probable, that our name, email, phone number, and probably more personal information are available for a small fee to hackers worldwide. A hacker having data such as a person’s name, email address, phone number, and additional information such as the city of residence, education details, employer, job title,... is in a position to perform ID theft acts and to impersonate the legitimate user. These data will be usable by numerous malicious fraudsters to access our accounts, to build more efficient phishing scenarios, to perform financial attacks, etc. Moreover, being able to collect user details, hackers can launch SIM swapping attacks in which they obtain from mobile network operators the association of your phone number with a new SIM card they own. This way they can impersonate you in payments when the transaction is validated by a standard 3DSecure procedure.

What is interesting is that these attacks have not been executed by gaining access to a central database or repository of data. They have been performed by using a combination of brute force attack and screen scraping. When Facebook offered its users to find their friends through their phone number, in 2018 and 2019, hackers just presented tons of randomly generated phone numbers to the system, and for many of them received answers including full profiles associating a phone number, with the name of its user along with many other parameters, that they could retrieve using screen scraping. Recently, when a hacker offered for sale the details of over 700 million LinkedIn users, it has appeared that the data, including full names, email addresses, phone numbers, workplace information, and more had actually been scraped from LinkedIn screens, according to CyberNews.

To know if your account is endangered, several personal data leak checkers are available, for instance Have I been pawned? or CyberNews. Then, the best recommendation is to be alert to “social engineering attacks” in the coming months. Of course, you should change your passwords, using longer and more complex passwords, such as the ones generated by password managers. Some users, may even want to go to the extent of changing their phone number.

But we need better solutions to be deployed globally! The secure transactions industry has solutions to these issues! Passwords are definitely not the best way to protect data: the industry proposes a full palette of solutions to authenticate users, either through the possession of a physical object, as in the Fido model, or by biometrics as is increasingly the case on smartphone-based applications. The issues with 3DSecure are on their way to being solved with the adoption, at least in Europe, of SCA, Strong Customer Authentication. SIM Swapping issues also have a solution thanks to the deployment of eSIMs, and later iSIMs, that can be under remote management to guarantee their use as a security item. So, what are we waiting for?

Photo credits: Sebastiaan Stam from Pexels - Senor Sosa on Unsplash - Annie Spratt on Unsplash