LocalBlox, a private intelligence agency, scraped profiles from Facebook, LinkedIn & Twitter
A private intelligence agency accidentally exposed more than 48 million user profiles by leaving them in a publicly readable Amazon Web Services storage bucket. The company, LocalBlox, scrapes data from social media sites such as Facebook, Twitter, LinkedIn and Zillow. The data was stored in an Amazon S3 bucket whose access settings let anyone on the internet list and download it without credentials. S3 buckets have no password as such; access is governed by ACLs and bucket policies, and these were left open.
That’s fairly egregious.
Of course, this is nothing new. The entire world has been abuzz since Facebook disclosed that the now-retired early version of its Graph API allowed pretty much any app connected to it to scrape the profile data of users and their friends. Cambridge Analytica was the firm that got all the headlines, given its political nature. But make no mistake, thousands of apps and companies scraped data through that API. Some of the businesses behind those apps are no longer operational, too. Who knows what happened to that data. One expert compared the situation to what happens to nukes when a nuclear state fails: who knows where the material is, where it will turn up, or which bad actors have obtained it.
And frankly, LocalBlox isn’t even the first company of its type to have this kind of issue. Last year nearly every voter record in the United States was exposed when Deep Root Analytics left them in an equally unsecured S3 bucket.
“Massive breaches through unsecured AWS S3 buckets continue to be a troubling trend,” said Javvad Malik, a Security Advocate at AlienVault. “While cloud providers take care of certain aspects of security, it is imperative that organisations ensure they are doing their part to ensure the security of data that is uploaded. As with other aspects of security, cloud environments need to be continually monitored and the security assessed.”
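The "doing their part" Malik refers to is concrete: an S3 bucket is public when its ACL grants to the AllUsers or AuthenticatedUsers group, when its bucket policy allows a wildcard principal, or when the account-level Block Public Access guard is off. The following script is an added example, not LocalBlox's or AWS's code: it applies those three checks to the plain response shapes the S3 API returns (GetBucketAcl, GetBucketPolicy, GetPublicAccessBlock), runs offline against a constructed sample of an open bucket next to its hardened form, and includes an optional live wrapper that needs boto3 and AWS credentials. Block Public Access is a later AWS feature (introduced after this leak), so the "no configuration" case is treated as a gap. The bucket name and ACL owner ID in the sample are invented.

```python
"""Flag S3 buckets that grant anonymous access (added example, not LocalBlox's or AWS's code)."""
import json

# S3's two anonymous grantee groups. AllUsers is the open internet; AuthenticatedUsers
# is anyone holding *any* AWS account, which is effectively public as well.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_public_grants(acl):
    """Return (group, permission) pairs in a GetBucketAcl response that go to an anonymous group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        if grantee.get("URI") == ALL_USERS:
            findings.append(("AllUsers", grant["Permission"]))
        elif grantee.get("URI") == AUTHENTICATED_USERS:
            findings.append(("AuthenticatedUsers", grant["Permission"]))
    return findings


def _is_wildcard_principal(principal):
    """True for Principal "*", {"AWS": "*"} or an AWS list that contains "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Return Allow statements with a wildcard principal from a bucket policy (JSON string or dict).

    Statements carrying a Condition are still reported but marked, because whether they are
    really public depends on the condition (e.g. a restriction to one VPC endpoint)."""
    if policy is None:
        return []
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        findings.append({"Sid": st.get("Sid"),
                         "Action": [actions] if isinstance(actions, str) else list(actions),
                         "Conditioned": "Condition" in st})
    return findings


def public_access_block_gaps(pab):
    """Return the Block Public Access settings that are missing or False."""
    return [k for k in PAB_KEYS if not pab.get(k, False)]


def audit_bucket(name, acl, policy, pab):
    """Combine the three checks into a list of findings for one bucket; empty list means clean."""
    findings = [f"{name}: ACL grants {perm} to {group}" for group, perm in acl_public_grants(acl)]
    for st in policy_public_statements(policy):
        cond = " (has Condition, review it)" if st["Conditioned"] else ""
        findings.append(f"{name}: policy '{st['Sid']}' allows {','.join(st['Action'])} to everyone{cond}")
    gaps = public_access_block_gaps(pab)
    if gaps:
        findings.append(f"{name}: Block Public Access incomplete, missing {','.join(gaps)}")
    return findings


# Constructed sample of an open aggregator bucket: READ for AllUsers on the ACL (lets anyone list
# the bucket), a policy allowing anonymous GetObject, and no Block Public Access configuration.
OWNER = {"ID": "0" * 64}  # invented canonical user ID
SAMPLE_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-profiles-bucket/*"}]})
SAMPLE_PAB = {}
# The corrected state: owner-only ACL, no bucket policy, all four Block Public Access flags on.
HARDENED_ACL = {"Owner": OWNER, "Grants": [SAMPLE_ACL["Grants"][0]]}
HARDENED_PAB = {k: True for k in PAB_KEYS}


def audit_account():
    """Live mode: run audit_bucket over every bucket the caller can list (needs boto3 + credentials)."""
    import boto3  # imported here so the offline checks above need no AWS SDK
    from botocore.exceptions import ClientError
    s3, report = boto3.client("s3"), []
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            policy = s3.get_bucket_policy(Bucket=name)["Policy"]
        except ClientError:  # NoSuchBucketPolicy
            policy = None
        try:
            pab = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
        except ClientError:  # NoSuchPublicAccessBlockConfiguration
            pab = {}
        report.extend(audit_bucket(name, s3.get_bucket_acl(Bucket=name), policy, pab))
    return report


if __name__ == "__main__":
    for line in audit_bucket("example-profiles-bucket", SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_PAB):
        print("OPEN:", line)
    print("hardened:", audit_bucket("example-profiles-bucket", HARDENED_ACL, None, HARDENED_PAB))
```

Run it as-is to see the three findings for the open sample and none for the hardened one; with credentials configured, call `audit_account()` from a scheduled job so the check is continuous rather than a one-off, which is the monitoring Malik is asking for. Object-level ACLs are not covered here; with `IgnorePublicAcls` on they stop mattering, which is one reason to turn all four flags on rather than chase individual objects.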
The data was discovered by Chris Vickery, the same guy who discovered the Deep Root Analytics leak.
“Part of what they did was take the Facebook search function and put in a special query related to phone numbers, email addresses and such and gathered a lot of information on people, just automatically like a bot,” Vickery told ThreatPost at RSA.
LocalBlox claims to offer “the world’s most comprehensive cross device identity graph on businesses, consumers and geo audiences.”
It used the data it scraped across various social media networks to build digital profiles on 48 million people. As I mentioned earlier, Facebook has closed the API that was abused, but we will never fully know the scale to which it was exploited. The pressing question isn’t what data Facebook has on you, it’s how many other entities Facebook has shared that information with. Up until now, Facebook hasn’t just been collecting its own data; it has been serving as a source for various shady firms and organizations that combine it with data taken from other sources to create surprisingly in-depth dossiers on pretty much anyone with a digital footprint.
“The data captured was interesting in that it consolidated personal information scraped from thousands of web sites,” Christopher Littlejohns, an EMEA Engineer at Synopsys, told Information Security Buzz. “The net result is that it made it easy for an attacker to gain access to a pool of data that would be valuable for subsequent social engineering attacks, account hacking and identity fraud. Any company that collects, consolidates, but does not adequately secure such data is essentially exposing people to higher risk of being targeted.”
Here’s the thing: there’s really not much you, as an individual, can do to protect yourself from this kind of exposure. While Facebook and many others across the social media sphere are making changes to better protect personal data, the toothpaste is already out of the tube. If you’ve been using social media, your data has likely been compromised to some extent. And even if you haven’t, Facebook can still identify non-users in the pictures its members upload.
While we should never stop fighting for our digital rights, it may be time to admit that when it comes to keeping our personal data from being compromised, that ship has already sailed.
Here’s a video of Chris Vickery, who discovered the leak, discussing it with ThreatPost at RSA yesterday.