''As the Facebook, platform evolves and grows, parts of your account could be public. Data could also be collected and shared in ways you don't know about,'' the Indian Computer Emergency Response Team or CERT-In said in a public advisory issued on Monday.
It is the federal technology arm to combat cyberattacks and guard Indian cyberspace against phishing and hacking assaults and similar online attacks.
''It has been reported that globally there has been a large-scale leakage of Facebook profile information. The exposed information includes email addresses, profile ID, full name, job occupation, phone numbers and birth date. ''According to Facebook, the scraped information does not include financial information, health information or passwords, however information from more than 450 million unique Facebook profiles globally, including approximately 61 lakh Indian individuals, has been made publicly available in multiple cybercriminal forums for free,'' the advisory said while explaining the breach.
A cybersecurity expert had spoken about this online leak earlier this month, which was acknowledged by the company, stating that ''this is old data that was previously reported on in 2019. We found and fixed this issue in August 2019''. The CERT-In said that Facebook has claimed that this 'data scraping' happened by using the ''contact importer'' feature of the platform, which allows users to find other users by using their phone numbers.
''Facebook stated that this feature was changed in September 2019, following the discovery that threat actors were abusing the feature. ''However, while Facebook modified the feature in 2019 to thwart this kind of abuse, the phone numbers of 450 million global users had already been harvested by malicious actors, along with other identifying information on users,'' it said.
Dejargonising the term 'data scraping', the advisory said it refers to the process of using automated software or scripts to harvest public information from sites, such as any information users make publicly available in their profiles like names, city, occupation, among others.
''Cybercriminals may scrape data from sites for a variety of purposes, including spamming, information gathering, and social engineering attacks. ''They can also sell scrapped data for a profit to other cybercriminals, marketing companies or call centers,'' it said.
The advisory, while asking users of this popular social media platform to follow good cyber hygiene practices, also said that Facebook has advised individuals to ''make sure that their privacy settings reflect what information they want to share publicly and who they want to be able to look them by phone number''.
Facebook, it added, has also recommended account holders to enable two-factor authentication also known as 2FA.
It also recommended that users can consider changing their profile settings to ''private'' or ''friends'' only as data scrapers can use ''public'' information of an individual to ''match and combine with data from other breaches to access even more of their personal information and accounts''.
It also asked users to adjust their settings to who can find and contact them on Facebook and consider whether to set them all to ''friends'' or stricter for stronger security.
In a similar incident reported in March 2018, Facebook data of over 5.62 lakh Indians was allegedly compromised as UK-based Cambridge Analytica had accessed information of about 87 million users globally. The Central Bureau of Investigation (CBI) is now probing this data breach on charges of profiteering and manipulating elections by illegal harvesting of Indian user data.
India is among the biggest markets for Facebook and its group companies, WhatsApp and Instagram and according to government data, the country has 41 crores Facebook users, 53 crore WhatsApp users and 21 crore users of Instagram.