The previous installment in our series on the collateral damage, which a data breach can wreak upon individuals, we considered the profound possibilities of a credit card data breach. This article reviews the potential damages that can occur with a social profile data breach.
The information on your social media platform may not seem like a big deal … after all, who’s really going to care if your first dog’s name was Buffy or if your favorite 80s rock band was The Replacements, Queen, Guns N’ Roses, AC/DC, U2, or Bon Jovi? You might not think such information is a big deal. But to cybercriminals, that “trivial” information could be worth more than your credit card number and expiration date. Hackers are intruders by profession and are not interested in defacing your Facebook page, forcing you to follow someone they are trying to promote, or compelling you to share a link for laughs. In the world of cybercrimes information is money – and complete profiles on individuals constitute a virtual gold mine.
The answers to the security questions you use to recover your password or to verify your identity over the phone will most likely be the same “trivial” information recorded somewhere in you online social profile. When cybercriminals have your social media username and password they have much more than access to information that you probably use frequently – word to the wise, maintain strong passwords that are difficult to decipher, or become targeted by Brute Force or Dictionary cyberattacks. They have access to your relationships, your preferences, your history, and anything else you’ve entrusted to the social platform.
Facebook User Profile Data Left Exposed Until 2019
While it was not as controversial as the 2018 Facebook-Cambridge Analytica scandal, during the first quarter of 2019, security researchers found exposed data on Amazon cloud computing servers. A third-party Facebook app, Cultura Colectiva, left a total of 540 million records open to anyone that could find them online.
Compromised information includes identification numbers, account names, comments and reactions. Facebook had Amazon close the account down after Bloomberg notified them of the exposed database. The extent to the user privacy that may have been compromised is not clear, but the breach revealed that the company was not aware of how third party applications used and stored consumer data.
Data of 52.5 Million Google Social Media Users Exposed by API Bug
Towards the end of 2018, Google+, the technology company’s social media application, succumbed to an API bug that exposed the data of 52.5 million users. While there was no evidence that the data was further manipulated, the data breach forced the company to expedite its shutdown of the social media service, pushing the turnoff date from August to April of 2019. Google also cut access to its APIs within 90 days of discovery.
Compromised data includes names, ages, email addresses, and job title. While the data was not as sensitive as payment or Social Security numbers, a hacker can take the data and manipulate to cause even greater damage. S/he may also put the data up for sale on the internet. Google notified users of the breach, but not much more could be done about it once the damage was done.
Nearly 360 Million Records Exposed in a Massive Social Profile Data Breach
On May 31, 2016 Myspace publicly confirmed that their servers had been breached. According to news stories, nearly 360 million usernames and passwords from the social media platform were dumped into the public domain. While officials at Myspace have downplayed the extent of the incident, at the time, it was one of the largest data breaches in history. Furthermore, even though the data stolen was from before 2013, the sheer size of the data dump makes this one of the most significant social profile data breaches ever. In case you’re wondering what cyber criminals might do with that “trivial” information, here’s some of the potential forms of collateral damage that can befall an individual:
Exposure to Targeted Spear Phishing Attacks
The more precisely an attacker can develop a complete profile on an individual, the more targeted the phishing attack that can be developed. If, for example, the attacker learns that you recently took your relative to the vet, through social engineering, it would be relatively easy to send an email in the name of the medical provider and reference your relative’s name in the subject line. Such an email will either ask you to verify your payment credentials or will allow malware to be loaded onto your computer for additional attacks. Depending on how effective the email is, a hacker may convince the recipient to reveal their private, sensitive data.
Compromised Security Information Leading to Additional Cyber Attacks
A social profile data breach may expose your security accounts containing more sensitive information. Cybercriminals may also make additional infiltration attempts through password verification or phone verification attacks.
Damaged Personal Reputation
Your social media accounts can be mined for personal information useful for launching a smear campaign against you, or to embroil your reputation through innuendo and implications to your social contacts.
When a social profile data breach occurs – or a username/ password breach of a social media platform – you may not readily know the extent of the damages. Your usernames and passwords can be changed, but not your picture, relationships and personal history. This form of data is a gold mine to patient criminals if they can attach this data to your new username and password. Even if not, there is still enough information contained in most social profiles to expose you to significant collateral damage for years, if not decades. One or two years of credit monitoring and a change of login credentials will not prevent the collateral damage of a social profile data breach. Who will these individuals be able to look to as a responsible party for the damages to which they are exposed?
ThreatModeler Helps Organizations to Keep Communities and Social Media Channels Secure
ThreatModeler is a cutting-edge platform that takes the guesswork out of building scalable threat models. Over the course of a decade, ThreatModeler has pushed the boundaries of automation and cloud integration, differentiating itself as a reliable platform that helps DevSecOps teams to achieve operational efficiency, collaborate on application development and make informed security decisions. To learn more about how to secure your application, we recommend registering for a demo by a threat modeling expert. You can also fill out our contact form.