(by Federica De Stefani, lawyer and head of Aidr Regione Lombardia)

In 2019 the data of over 500 million registered Facebook users ended up in the hands of hackers: the data breach is now a couple of years old, but the concern this theft arouses is extremely current.

In fact, despite the time that has elapsed, those data still represent a real and concrete danger for the people from whom they were stolen, since they could be used for illegal purposes.

The breach, which as mentioned dates to 2019, was caused by a flaw in the security system and exposed personal data (including first and last name, e-mail address and telephone number) of millions of users in different countries.

The data had circulated in some hacker forums, Facebook had declared that it had already solved the problem in August of the same year, and the leak had not aroused much media attention, most likely because of how difficult it was to consult and use the data offered for sale.

Earlier this year, however, that same data was used as the database for a Telegram bot that made it possible, at lower prices and with a much easier-to-use system, to trace the Facebook account ID by entering the mobile number (and vice versa).

In recent weeks, the data have finally been made public, free of charge, by multiple sources.

It is evident, at this point, that the damage has been done: the data have been stolen and are (potentially) exposed to illegal use.

So what to do to limit the possible negative implications as much as possible?

While the general rule is to enter as little information as possible on social networks, you need to understand how to protect yourself when, as in this case, the data breach has already occurred and you have to run for cover.

Let's start with the types of data affected by the breach.

First of all, e-mail address and telephone number.

It goes without saying that, as far as e-mail accounts are concerned, attention must be focused on passwords, changing them and using systems that can guarantee a high level of security.

Therefore, it is absolutely forbidden to create passwords that contain personal information directly linked to the person in question or to family members, pets or anniversaries, nicknames, favorite teams or sports practiced.

It is better to opt for a "passphrase" system, which lets you generate an alphanumeric code linked to a phrase that the user chooses and can easily remember, or for a password manager, which generates passwords with a high level of security without you having to memorize them yourself.

It may seem obvious, but the password is the vulnerability to which the majority of people are still most exposed today, if we consider that according to the most recent studies the most used passwords in 2020 were "123456", "password" and "qwerty" (for the latter, check the sequence of keys on the keyboard of any PC).

Again with regard to e-mails, it is essential to check the sender very carefully, because very often the addresses used for scams are similar to the original and can be misleading, differing from it perhaps by a single character. It is therefore necessary to check the full address carefully, also paying attention to the type of message received. Requests for data, to open links or to download attachments must be treated with extreme caution, carrying out a double preventive check, perhaps by phoning the sender to ascertain the veracity of the message and of the request it contains. It is essential to approach with the same distrust requests for data that arrive in text messages or are made verbally by those who contact you by telephone.

As for the telephone number, it is essential to monitor any anomalies affecting your mobile number.

First of all, any irregularity in its functioning should be verified with your telephone operator, but it is also essential to pay attention to all those messages that can, in some way, steal (further) data useful to criminals in achieving their aims, which brings us back to requests for personal data, authentication codes or secret passwords for the activation of specific services.

It is also advisable to delete your phone number from Facebook (and other social networks), using other methods for two-factor authentication, certainly not from a security perspective, but as prevention for the future.

Finally, those wishing to verify whether their e-mail address has been involved in a data breach, not necessarily that of Facebook, can consult the site https://haveibeenpwned.com/, which lets you identify any breaches in which your e-mail address was involved.

Facebook: stolen data still worries after 2 years
