The Decentralists

Hot Topix: Facebook Loses Face...Again

April 08, 2021 Mike Cholod, Henry Karpus & Chris Trottier

Another year, another Facebook data breach. Last week, 533 million Facebook users had their data leaked online—names, phone numbers, locations, birth dates, and email addresses.

Of course, Facebook is downplaying the problem, saying it is an old breach that was fixed two years ago.

After numerous privacy issues and fines by the FTC, we’re skeptical that this is the last privacy scandal from Facebook.

How big is this data breach?

How likely will there be another?

Why is Facebook so vulnerable to data breaches?

Should we keep trusting Facebook with our personal information or are we—to paraphrase 19-year-old Mark Zuckerberg, “dumb f*cks” for placing faith in the social network?

Henry: Hey everyone. It's Henry, Mike, and Chris of the Decentralists. We've got an interesting hot topic this week, interesting because what happened over the weekend regarding Facebook turns out to be, I guess you'd call it, the mother lode of all leaks. Only half a billion records leaked from their databases. So Mike, can you start us off with this sad tale?


Mike: It's not that sad, it's funny. When we were just talking before we were setting this up, Chris was mentioning that he was starting to lose faith in the world that Facebook wasn't going to have another breach, because it's been so long since they've had one; it's been about a month.


Henry: But he got an Easter egg, didn't he?


Mike: Exactly, it's so funny. I think there's a reason why they have this old adage, the bigger they are, the harder they fall. And part of the challenge, one of the things that strikes me about this breach, okay, and then I'll get into the details of it. But one of the things that strikes me is it's half a billion; what is that, the population of North and South America combined? It's half a billion, and so you start to think about it, and if you believe Facebook and their numbers, that's only a quarter of the users. And the fact that you can literally go onto a site and download that list is what the problem is.


Henry: Well, hold on, what do you mean? So there was a leak; you're going to have to explain it.


Mike: I'll explain. It's a little bit complicated, but it's not that complicated, okay. So, what happened was, there was a hacker called Under the Dark, I think, that's the pseudonym that this hacker uses, and he's a well-known cyber security, they call them white hat hackers, okay. And he'd been kind of following a lot of these different sites, he follows all these dark web things and stuff like this. And so Adam Dymitruk, our CTO, sends a note over on Sunday afternoon, and he was going through, standard, it was called a Low Level Hacking Forum, where someone posted and said, here you go, download for free 580 million records of Facebook users, okay, that were scraped. Now this is important, that were scraped in 2019, so the idea is, it is a file that you download, apparently very structured, where all these 580 million records are broken down by country.


So like, there's 40 million people in India and 6 million people in the UK and 50 million people in the US, etcetera. And so you could open it up and see all the people in the US and the UK and all this stuff, and what it was is Facebook had, you hear these things called zero day exploits, which is where there is a bug in the code that's been there since the beginning. And so in 2019, this white hat hacker had called out the fact that there was a hacker or a group of hackers online, back in 2019, advertising for sale on the dark web an automated bot that utilized a zero day flaw in the Facebook membership list software or solution, and would allow you to scrape. And this means going into a profile and taking the data, just like the Clearview AI guys took pictures.


They would scrape through this exploit your name; like, in some of these records, it's name, email, phone number, friends, family, birthday. Literally, they're warning people that it's enough for people to completely impersonate you, okay. And so, the two key things in this that struck me as I started to dig deeper into it are, A, Facebook's response so far has been that that's data from 2019, that's a zero day exploit we found in 2019 and we fixed in 2019. Okay, so by saying that about the zero day exploit, they're trying to reduce the perceived value of the damage of this leak. But they're glossing over the fact that that means that this leak was there for 15 years.


Henry: Well, and I guess the fact that the data that they have is two years old or whatever. I mean, people don't change their names, and they don't change their email addresses, and they don't change their phone numbers too often.


Mike: Well, and that's the other one, is the phone number is the magic one, Henry. The phone number is the one identifier that, A, nobody, basically 99% of people, never changes. Whereas, I don't know about you, but I have like three or four email addresses; if I want to join Facebook, I'll just set up a garbage email address and I'll go in. But the one thing I will do if I'm setting up Facebook, so I have a garbage email address that I may not care about, but if they require my phone number, like they do with WhatsApp, I'll give it to them. And so now they said that the reason why the first group that broke this leak, the way they validated that the leak was real and the data was real, is they actually pulled, they went to their own friends, like in Switzerland, wherever it was that they found it, and they looked up the Swiss list and they found themselves on it.


Henry: Get out of here.


Mike: They found themselves breached, and the reason why they knew it was valid was because the phone numbers were valid, because it could be me in a record, and an email address that's xyz123@gmail.com. I don't care, it's a burner email, it may not be, and I've only used it for Facebook, so it's not going to help anybody potentially, but they still have my birthday and my friends and family and everything. This is a bad one, and it's all because there is a centralized honey pot of data somewhere that somebody can steal, and there are people out there whose only job in life is to steal this data from companies, governments, and clearly Facebook.


Henry: And that is because that's the way the internet is organized, these centralized honey pots. Now, Chris, a question for you regarding all that is, why would this information be available for free? Don't they make money by selling it?


Chris: I would imagine if it's been around for two years, the original hacker who got all this info probably basically sucked the honey out of the honey pot. He sold it already, he got fat, and then once he got fat, everybody else kind of had their turn. Right now it's 2021, so the data's been available for two years.


Mike: And remember, it doesn't necessarily mean that the same hacker released it, because back in 2019, when this was first discovered, a guy was selling the bot, remember. So, Chris, I could have gone online and bought that bot and scraped 500 million records, and if my decision is to put it out for free, then I can do that, I'm a hacker...


Chris: Well, I just want to say that I haven't had a Facebook account for two years now.


Henry: I've never had one.


Chris: But I'm still concerned about what this data could reveal about me, because, like you said, Mike, my phone number hasn't changed, probably in about 15 years, probably more. Facebook tends to kind of keep data, even when you delete your account. I remember, Mike, when you deleted your account and you told me this, they asked you for your passport.


Mike: Yes.


Chris: A copy of your passport, so that you could delete your account. For the privilege of deleting your account, you had to share a personal piece of information.


Henry: There's nothing more personal.


Chris: Well, yes. You can't just all of a sudden change your passport. So, now I'm thinking and I'm wondering, geez, do these hackers have Mike's passport now?


Mike: Totally.


Henry: Did you give it, Mike?


Mike: Are you kidding me? Absolutely not, seriously. I was actually going to go look for some kind of novelty passport and try to send him a picture, like get a fake one made up of Zuckerberg. It's crazy, it's absolutely crazy, but this is the thing and, you know, Henry and Chris, Chris, you've called this out a bunch of times, you know the old Zuckerberg quote, they trust me, the suckers or the dumb, I think they say, never mind, we'll have to cut that out, Henry, but you know what I mean? Like, it's the type of thing where this idea that this wonderful algorithm-driven, curated content delivery, all of this wonderful stuff that they push down our throats, is lulling everybody into this false sense of security. And how many times do we have to see breaches like this before people start to say, what the heck? I need to get out of this.


Henry: Yes. You need an alternative.


Chris: You know what's funny, Mike, is that last Christmas we created a holiday email in which we at Manyone gave recommendations for what to buy for the privacy conscious consumer. One of those recommendations, super cheap if you only have a budget of 35 bucks, go buy a burner phone.


Mike: Yes, totally.


Chris: The funny thing is everybody thinks of that suggestion as being, well, only criminals buy burner phones. Well, no, if you want to go use Facebook or Twitter, hey, a burner phone apparently now comes in handy.


Mike: Oh geez, that's a disgrace.


Henry: So, Mike.


Mike: Yes.


Henry: This sounds familiar, like the Cambridge Analytica fiasco in some ways.


Mike: Yes. And you know what? That's interesting, because depending on how you look at it, the way that Facebook represents Cambridge Analytica is they accused Cambridge Analytica of scraping. So, I'm betting that this is the same exploit; if Cambridge Analytica in fact did scrape these 80 million records, then it was probably with this same tool that was used to scrape these 580 million. And because, Henry, let's all remember, and Chris, this is a hacker who's released a file with 580 million records; that doesn't mean there aren't four more files to come.


Henry: I hadn't even thought of that.


Chris: I guarantee there will be more, Mike.


Mike: Because, hey, look, think about it, if you're some hacker and you're going to run a piece of code back in 2019, you're going to get a piece of code, you're going to run it, it's in a freaking public forum, so Facebook knows about it. Are you going to stop at a quarter of the records? No, you're just going to let it run and you're going to scrape them all, and this is just absolutely ridiculous. The fact that in one place there exists a data file that can be downloaded by anyone who has a web address in their hands, that has literally the personal identity details of what, 20% or 10% of the world's population.


Henry: Well, that's the inherent problem with the structure of the internet and centralized apps today.


Mike: That's right. Well, and it's clear that even with rules and regulations and ISO standards and all of this type of stuff, there's no way that you can keep on top of bugs you don't know you have.


Henry: And I guess that's the nut of it, Mike, the fact that when people design apps, because we are human beings, nothing can be perfect, so there's often a bug somewhere.


Mike: Well, look at this big one, look at the Microsoft Exchange hack; it was a month ago or something like this, not that long ago. These breaches come so fast and furious, but they exposed the fact that Microsoft's Exchange server, which has been their central core piece of their email program.


Henry: And every business uses it.


Mike: Everybody. Hell, not just businesses; like, I'm using it to communicate internally, and Walmart, I mean, phone companies use this. And it was exposed that there was a zero day exploit, much like this one at Facebook, that had been in Exchange since the beginning, and that's what zero day means. And they were warning that something crazy like 66,000 companies could be affected, and just recently a couple of people I know in Europe have had their companies attacked with ransomware. And they're saying that this ransomware, which usually comes from a phishing attack, which exploits user credentials, most likely all of these ransomware attacks are related to this exploit. This is how dangerous this stuff is, and we don't even know; we're all walking around, carrying our phone, going to Skip the Dishes, you're doing the Uber thing, all of this kind of stuff. And we have no idea that we're standing on top of landmines everywhere we go.


Henry: Yes, exactly. So, Chris, I've got a question for you and then I want to hear from Mike. How do you think Facebook could potentially mitigate some of the damage?


Chris: Well, I don't think that Facebook can mitigate the damage, because they play by the same playbook that they've done for 15 years; every year, they have a new privacy violation.


Henry: Or at least every year.


Chris: At least every year, and every year the whole thing gets kind of swept under the rug. They say, hey, we're going to do better, hey, it was an accident. The pattern with Facebook is to punt the problem over to the user base; that's what they do. And essentially what this is like doing is, it's like having a shop with no security system, you leave the doors unlocked, or a bank, you have a bank without a security system and the safes are unlocked, the doors are unlocked, there's no...


Henry: It's more like a bank with a vault where the passcode is 1, 2, 3, 4.


Chris: Exactly right. So, the criminals come in, they steal all the money, and then the bank says, well, whose fault is it really? It's everybody who's chosen to bank with us.


Henry: Yes. Who put their money in there?


Mike: Yes, because it wouldn't have been stolen if you hadn't given it to us.


Henry: So Mike, do you think Facebook, the monster, has grown too big, that it now cannot be controlled?


Mike: It can't be controlled, there's no way. This is part of where regulation falls behind, and things like standards and security and all this, because the idea is that you cannot protect against, A, a zero day exploit. All of these systems, antivirus, security and event things, all of these things are based upon footprints of these exploits. So they find it, then they build an antivirus detector around it, and then they put it in your system. But if they don't know it exists, that doesn't happen until after it's been exposed, and then they fix it pretty quickly. But here's an interesting thing that I want to kind of posit out there for everybody. When Cambridge Analytica hacked, scraped, whatever, it was 80 million records, and this hack or scrape is 580 million records. So if you do the math, does Facebook now face a 50 billion fine?


Henry: What was the original fine?


Mike: 5 billion they got fined for the Cambridge Analytica run, and back then, the whole idea was everybody was saying, that's a big fine, and Zuckerberg was like, drop in the bucket, he doesn't care, because they make a hundred billion a year off advertising. But if they get fined 50 billion, that's half of their annual revenue.


Henry: Yes, that's significant.


Mike: That is significant. And I've been saying for a long time now that I think what's going to end up being the issue with social media is the fines will get to the point where they will not be able to survive if they continue to operate on this data hoovering model.


Henry: Well, that's the way it should be; they can't afford to.


Mike: I agree.


Chris: But they can't pivot, Henry, because the whole reason that Facebook exists is to collect personal data.


Henry: Yes, you're right.


Chris: It's like saying to Coca-Cola, hey, Coca-Cola, stop putting sugar in your beverages.


Mike: But back to your original question, what does Facebook do to mitigate this?


Henry: Yes.


Mike: Okay. So, here's what all of these folks are and have been doing for years to mitigate this eventuality. I think if you went into the hallowed halls of Google and Amazon, Microsoft, Apple, Facebook, all of these big tech companies that make a lot of money off of this type of advertising and user data in general, they've been planning the demise of that business model, surveillance capitalism, for years, and I'll tell you why I think so. I don't think it's just folly that has had Facebook buying Oculus Rift, the VR glasses company, or Google doing self-driving cars, or Amazon getting into groceries. Think about it.


Henry: Apple already does hardware, so what you're saying is that they're actually behind the scenes pretty smart, much like the cigarette companies were back in the sixties and the seventies and eighties when they diversified.


Mike: Well, and this is the thing, so look, it's a smart move, but the problem is, is it a move that's being done because somebody put a gun to their head? It's not like they're doing it because they feel good about society, okay. What it simply is, is a matter of mathematics: if Facebook gets fined 50 billion and the shareholders are in revolt and there's outrage because that's half of the shareholder value and all of this other stuff. But then Zuckerberg turns around 10 minutes later and says, okay, we're going to shut down Facebook because we've just reported record revenue of 50 billion in VR headsets. Or 50 billion in self-driving cars, or 50 billion in whatever else it is that they're selling.


Nest thermostats, speakers in your house, all of this type of stuff. So, these guys and girls have been making plans for the eventual demise, because, I think, people like us have been trying to kind of educate consumers and businesses as to the risks of centralization. And that's one way to kind of push the agenda, to get people to think about decentralization and think about the value of their data and what it means to not just them, but to other people. That's one way to push, but if you now have the regulators on the top squeezing from their side, saying if you've got this data and you breach it, we're going to just fine the living crap out of you. At some point, there's going to be an inflection where it literally will cost them a dollar ten or a dollar and one cent for every dollar in revenue they get.


Henry: So you kind of answered my next question. How will this affect Facebook in the short and the long term? Long term, I think that's what you answered; in the short term, I want to hear from both of you. How do you think this breach, this leak, will affect Facebook in the short term?


Chris: I don't think it's going to affect Facebook very much; they've been dealing with these data leaks, once again, for 15 years. And they haven't changed one iota; they've been charged multiple times by the FTC, fined, they've been sued, their investors have called them out. One of the investors, Roger McNamee, even wrote a book about Facebook in the dangerous department.


Mike: Right. And he's one of the original guys.


Chris: Yes, that's right, and despite all these things, they haven't changed a single bit, and the question is, well, why don't they change? And once again, it comes back to why does Facebook exist? Facebook exists to extract as much personal information from you as possible and then to monetize it. And the only way Facebook changes is if it becomes either illegal or unprofitable to abide by this business model, and frankly, I'm not holding my breath that any of that is going to change in the short term.


Henry: Mike, as far as you're concerned, the current business model is unsustainable; you already mentioned you think they are diversifying, yep. Can Facebook change to a different business model? Can it, or do you think they have to just go and buy something like, I don't know, name one, what do you think?


Mike: Well, okay, so to Chris's point, the problem with Facebook is that even though they are a public company that trades and all of this, so they should be susceptible to things like shareholder opinion and investor opinion and things like this, due to the way that their share structure is, there is no Facebook without Mark Zuckerberg. So, Zuckerberg controls something like 66% of the votes, so as long as Mark Zuckerberg continues to get up every morning and make himself a big pitcher of his own Kool-Aid and continue to believe, whether it's truth or delusion, that Facebook is basically too big to fail, too important to the world, too important to all of us, essential for all of us to even survive, it's more important than food and shelter.


Seriously, if you believe Zuckerberg, then there is no way that they change without him out the door. And I think, the other side, they could change, Henry, by trying to somehow legitimately decentralize and get rid of the user data, and it would be a Herculean task for Facebook from a technical perspective and a time perspective and all of that. But I think that by the time they would go ahead and build some kind of project like that to do it, they're already going to be fined to death, or it just will never happen because Zuck just doesn't believe it.


Henry: Yes. And if he controls 66%, he's rich enough anyway; he could have retired decades ago.


Mike: He's not in reality. Come on, if I waved my magic wand right now, gentlemen, and all three of us were, I don't know, multi hundred billionaires, what are the chances that we are going to continue to have two feet firmly planted in the reality of the regular person, like we are right now? You don't even know, you don't even talk to real people; Zuckerberg probably doesn't even use Facebook himself.


Chris: Well, I don't think Zuckerberg is in it for the money anymore. I think, honestly, Zuckerberg is in it to...


Mike: Control the world.


Henry: Yes, he wants to be the Pope and everything.


Chris: Facebook, in his mind, is a virtual state that issues its own currency, has its own standards for citizenship.


Henry: Like, they have their own Supreme Court.


Mike: Yes, that's right.


Chris: This is exactly it; this is now a virtual kingdom with Mark Zuckerberg as the sovereign, the unelected sovereign at that. That's why he's in it.


Mike: For sure.


Henry: We know what the answer to this final question is, but what is the solution? How do we change it? Mike, it's pretty obvious: decentralization and Manyone.


Mike: Yes. And it doesn't have to be Manyone; it's great to plug it because that's what we're working on. But the truth of the matter is I'll settle for just everybody waking up to the fact that the most important thing to each of us, when it comes to our online presence, our interaction, our community, our messaging, whatever you want to call it, surfing, searching, all of that, the most important thing should always be the control and preservation of our personal piece of that data. Metadata, you could argue how valuable it is; it's valuable to some people, like algorithms, because they could use metadata to give you that curated experience, but they don't need your phone number, your email address, your name and your birthdate to do that.


And the only way to take that piece of data out of the equation of something like a social media environment, without sacrificing the user experience of this curated content delivery that is supposedly so great for all of us, is if you have a fully decentralized kind of wallet, container, app interface, insert name here, that you can use to exchange metadata only, not personal data, and that's the way you fix it. And that's the way we're trying to architect Manyone, and that is the future, if you believe not just us; you believe the New York Times, you believe the Guardian, you believe Yahoo and Bloomberg, CNN, all of these guys.


Henry: We're getting very close. I understand that our alpha is available in a couple of weeks.


Mike: It should be this week. I'm sending out the first four or five invites today, and we should be ready to onboard with quantity by the end of the week, early next week.


Henry: Fantastic.


Mike: Yes, it's fantastic, I'm so excited.


Henry: Mike, thank you, Chris, your insights are wonderful as usual. Let's just cross our fingers for Facebook, maybe.


Mike: I feel so sorry for them.


Henry: Thank you very much, guys.


Mike: Thanks, Henry.


Chris: Goodbye.