Days after the MobiKwik data breach incident, in which the KYC details of 3.5 million MobiKwik users were allegedly leaked, another major data leak, this one concerning Facebook, seems to have hit Indian shores along with 106 other countries. Alon Gal, CTO of cybercrime intelligence company Hudson Rock and the first to discover the data leak, stated that the personal details of nearly 533 million Facebook users from 106 countries were allegedly leaked and posted for free on an underground hacking forum. The leaked details comprised users’ PII, including full names, gender, occupation, marital and relationship status, date of joining, and place of work.
A New Discovery Linked to the Old?
The database, which was first found in 2019, had leaked 419 million records. Facebook claimed that it had fixed the vulnerability, and the case remained closed only until January 2021, when an updated version of the same database resurfaced on the popular messaging platform Telegram. The data was initially sold on Telegram through a bot for a minimal fee of $20 per search. Gal previously said, “It was severely underreported (in 2019) and today the database became much more worrisome.” The vulnerability was the same: it allowed users to search for a person’s number.
Three months later, on April 3, 2021, Gal once again shared details of the leaked database and alerted Facebook users that “it is extremely likely the phone number used for the account was leaked.” According to the database from the latest alleged leak, the details of as many as 1.2 million users from Australia, 3.8 million from Bangladesh, 8 million from Brazil, 32 million from the U.S., 11 million from the U.K., and 6.1 million from India had been put up for free on several darknet forums.
All 533,000,000 Facebook records were just leaked for free.
This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked.
— Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
India Needs Data Protection…Now!
As mentioned earlier, this is the second major incident in a matter of a few days in which the data privacy and data rights of Indian citizens have been flouted. India needs a strong user data protection bill and hefty fines for those not adhering to it. The Personal Data Protection Bill, which is said to contain these provisions, has been in the works since 2019. However, we look to the future with hope, as the Joint Parliamentary Committee, which is responsible for drafting the bill, is said to be set to present it in the first week of Parliament’s Monsoon Session.