Facebook continues to be involved in all kinds of security scandals. A few weeks ago, more than 530 million user data of the platform were made public, including the phone numbers of 11 million people in Spain, associated with data such as full name or place of work. Now, when they are just recovering, it seems that there is another leak.
This Tuesday, a cybersecurity researcher published a video showing a tool called Facebook Email Search v1.0 , with which you can discover any Facebook account associated with an email . All you need to do is enter your email address, and your Facebook account will be returned to us.
Know a person’s Facebook account with just their email
The bug is still active on Facebook , and the researcher has decided to publish it after Facebook claimed that the vulnerability was not important and was not even worth fixing. Following the publication of the video, the company has acknowledged that it appears that they “closed the investigation prematurely by mistake before assigning it to the appropriate team.” After that, they affirm that they are working to solve the vulnerability that appears in the video, which has not been published to prevent the attack from replicating.
At the beginning of the year, Facebook fixed a vulnerability with a mechanism identical to this one, but in this second case they decided not to fix it. The fault resides in the front-end of the platform, but they have not given more details about it. The researcher has successfully tested the tool, which is now being distributed among the different hacking communities. Among the uses being made is spying on Facebook groups trying to take control of accounts with phishing emails, as well as Facebook ad accounts to obtain money.
It is possible to associate 5 million accounts with emails every day
The researcher bought 250 newly registered Facebook accounts for $ 10, and was able to see how, by entering 65,000 emails, he obtained results for a large part of them. As he has calculated, it is possible to do this for 5 million email accounts a day .
Facebook has emphasized in recent years to differentiate between scraping techniques and hacks as such. Scraping is something that they have allowed for years, where through their API it was possible to collect public and not so public data from user profiles, such as name, likes, preferences, etc. Through vulnerabilities it has been possible to know the telephone number, and in this case it has also been possible to know the accounts associated with each email. Therefore, it is not about scraping, but about vulnerabilities in all their letters.
The DataNews medium had access to an internal Facebook email, in which the company communicated to its employees that they hope that in the future there will be new controversial cases related to the use of scraping techniques. And without a doubt, this vulnerability will lead to the creation of new databases. If you don’t use your account, it may be a good time to unsubscribe from Facebook.
Thus, with this bug it is now possible to discover which Facebook accounts are associated with each email. If we combine this data with the leak of a few weeks ago, it is now possible to know the email, full name and telephone number of a person, as well as their corresponding account ID.