Social media is a place where many of us go to share our personal lives and opinions with family, friends, coworkers, old high school acquaintances, and many, many other people across the country and across the globe. From pictures of our children to political opinions, social media tends to be a place where people feel safe sharing whatever they would like their social circles to know. However, it is apparent that we should not have had such faith in these networks, as the companies that own and operate these sites have not been good stewards of our data. In the first half of 2018, data breaches on social media sites made up over half of all total data breaches; this equates to over 117 million records exposed. In the first four months of 2021, this number of exposed records has already been more than quadrupled by just two data breaches, discovered at Facebook and LinkedIn, totaling over 1 billion records exposed. To be safe when navigating these and other social media sites, it is important to know what happened in both of these cases, as well as some helpful tips for better protecting yourself in the likely event that another networking site you use encounters a data breach in the future.
Facebook Data Breach
In early April of this year, it was discovered that 533 million Facebook users had their data leaked onto the Internet via a data breach. The leaked data included information from users in over 106 countries, with the US being the most affected country at 32 million records exposed. The details in this data breach included full names, where users currently live, birthdays, email addresses, and Facebook-specific IDs, among other data. The biggest issue with this particular breach was a vulnerability that exposed users’ full phone numbers and associated them with the other information that was found. According to Business Insider, a representative for Facebook said that the data had been “scraped because of a vulnerability that the company patched in 2019.” Though the information was breached two years ago, it is likely still accurate for many people using Facebook today and could be used to steal other information from them. This data breach is an example of how many social media sites do not treat our private, personal data with as much care as we would like. A company that neglects cybersecurity is being negligent with its customers’ data. LinkedIn is another social networking site whose users were impacted by a massive data breach.
LinkedIn Data Breach
In LinkedIn’s recent data breach, data from 500 million user accounts was exposed and put up for sale on the dark web. This incident was similar to the Facebook data breach in that malicious actors scraped data from public profiles and put it out on the Internet for sale, for whatever mischievous uses bad people could come up with. This data breach also mirrored the Facebook incident in the types of information that were exposed: LinkedIn IDs, email addresses, phone numbers, and location, as well as the businesses that people work for currently or have worked for in the past, since it is common to post this information on this professional networking site. LinkedIn management addressed this issue and in their statement said, “Any misuse of our members’ data, such as scraping, violates LinkedIn terms of service. When anyone tries to take member data and use it for purposes LinkedIn and our members haven’t agreed to, we work to stop them and hold them accountable.” Data scraping is the process by which users of a site copy information from it and save it locally to their computer. This is a major risk to businesses and their users alike, and companies that operate online must take action to ensure that it is safe for people to access their websites.
- Keep passwords updated — Update your passwords regularly for all sites that you use. In the Facebook data breach discussed above, the information that was stolen in 2019 was not leaked for two years. Many of these users still used the same login information for those two years and likely even longer. For those who changed their password at least every six months (the typical recommended time frame to update passwords), though things like their emails and birthdays were exposed, the password information was useless to those who found it.
- Do not use the same password for multiple sites — Not only should passwords be updated often, but users should use unique, hard-to-guess passwords for every single site. If someone used the same password, or a close variant of it, on several sites and their information was leaked in one of these data breaches, not only would the information available on that site be compromised, but so would the information on every website with that or a similar password.
- Utilize two-factor authentication whenever possible — Two-factor authentication or multi-factor authentication essentially means that you have more than one way to prove that you are who you say you are. For many websites, this will be in the form of a traditional password used with an ID and a code texted to your number or sent to your email on file. This allows the site to validate in real time that you are a legitimate user trying to access your account rather than someone pretending to be you.
- Be cautious with what you share — As mentioned before, social media is a place where many of us feel comfortable sharing the big and small events in life that we’re happy or proud or feel compelled to talk about. However, it is obvious that these sites are not as strongly protected when it comes to cybersecurity. In the event that a cybersecurity event such as a data breach occurs again, everything that you have on that site will be at risk of exposure. A good rule of thumb when it comes to social media usage is to share only what you are fine with the world knowing, not just your intended audience. Though you may think a post will only reach your contacts, do not share anything you’re not willing for the world to know.
- Tip for Businesses to avoid data scraping: Use validating services like CAPTCHAs — As we saw in the issues of these two data breaches, data scraping poses a vulnerability beyond the cybersecurity issues that a company has to deal with on its own. Data scraping is often done by bots, so using something like CAPTCHA that will be able to differentiate between a bot and a human being can help to lessen the likelihood of data scraping significantly.
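As an added illustration of the tip for businesses (this example is not from the original article), the sketch below decides when a site should start showing a CAPTCHA: it scans access-log lines and flags any client that views more distinct profiles inside a time window than a person plausibly would. The log format, the `/profile/` paths, the documentation-range IP addresses and both thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample access log: "<epoch_seconds> <client_ip> <path>".
# IPs come from documentation ranges; paths are hypothetical.
SAMPLE_LOG = "\n".join(
    [f"{1000 + i} 203.0.113.7 /profile/{5000 + i}" for i in range(40)]
    + [
        "1003 198.51.100.20 /profile/812",
        "1015 198.51.100.20 /profile/812",
        "1030 198.51.100.20 /feed",
        "1052 198.51.100.20 /profile/977",
    ]
)

WINDOW_SECONDS = 60   # assumed look-back window
MAX_PROFILES = 20     # assumed budget of distinct profiles per window


def clients_to_challenge(log_text, window=WINDOW_SECONDS, limit=MAX_PROFILES):
    """Return {client: first timestamp at which it exceeded the budget}."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue                      # skip malformed lines
        events.append((int(parts[0]), parts[1], parts[2]))

    recent = defaultdict(deque)           # client -> (timestamp, profile_id)
    flagged = {}
    for ts, client, path in sorted(events):
        if not path.startswith("/profile/"):
            continue                      # only profile views count
        views = recent[client]
        views.append((ts, path[len("/profile/"):]))
        while views and views[0][0] <= ts - window:
            views.popleft()               # drop views older than the window
        distinct = len({pid for _, pid in views})
        if distinct > limit and client not in flagged:
            flagged[client] = ts          # serve a CAPTCHA from here on
    return flagged


if __name__ == "__main__":
    for client, ts in clients_to_challenge(SAMPLE_LOG).items():
        print(f"challenge {client} with a CAPTCHA (budget exceeded at t={ts})")
```

Counting distinct profiles rather than raw requests keeps a person who reloads the same page from being challenged, while a bot walking through profile after profile exceeds the budget quickly.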