While nearly 30 million Facebook users had their names and basic contact information stolen, about 14 million of these data breach victims also had their birthdate, recent search history and locations compromised. Fraudsters are likely already using this information to help crack security questions on consumer accounts as well as to better target phishing emails and other scams attacking these recent breach victims.
Breaches involving Social Security Numbers or payment credentials can be the most immediately damaging to consumers, merchants and card issuers. After major breaches that compromised this type of information and affected hundreds of millions of consumers, the recent Facebook data breach may not seem like that big of a deal by comparison.
We may be suffering from “data breach desensitivity,” but the recent Facebook data breach is meaningful. Many of the victims can expect to receive phishing emails and even direct phone calls purporting to be from their card-issuing bank or financial institution.
Leveraging a Facebook user’s location “check-ins,” fraudsters could create lists of consumers to target. Posing as a card issuer or bank, the fraudsters can say they’ve seen suspicious activity on the consumer’s card account and ask the consumer to verify whether the transaction made at their most recent check-in location was legitimate. Knowing they did make a transaction at this location, the victim will be more inclined to believe it really is their bank calling. From there the fraudster can make up other transactions the consumer won’t recognize, then ask the consumer to confirm their card number or other identity information like their Social Security Number.
Phishing scams can become more targeted as well, leveraging Facebook search histories and personal information to seem more legitimate. At the very least, fraudsters will take information gleaned from breach victims’ Facebook profiles to try to crack passwords and security questions, leveraging information like birthdays, children’s names and their mother’s maiden name.
This will help fraudsters who already have troves of compromised email and password combinations, because they may be stopped by a security question when logging in from an unrecognized device and IP address. This information will also help fraudsters compromise more accounts, using it to get past security measures as part of a password reset process.
Fraudsters are clever and resourceful. Although the Facebook data breach didn’t compromise information as immediately monetizable as SSNs, payment card or bank account credentials, it does give fraudsters more resources to aid in identity fraud, account takeover, phishing and other scams targeting the Facebook data breach victims.
Facebook has posted a web page where users of the social media platform can see if, and how much of, their personal data was compromised.