Localblox exposes personal data of millions of Facebook & LinkedIn users

Facebook has been on the receiving end of backlash and criticism from the security community for being embroiled in one data exposure scandal after another lately. The Cambridge Analytica data scandal, in which the private data of nearly 87 million Facebook users was compromised, is still fresh in our minds.

It seems that data breach season is far from over for Facebook: another incident has now occurred, in which 48 million personal profiles were used by a local firm to create a database.

Reportedly, Localblox, a data firm based in Bellevue, Wash., has managed to create a database using personal profiles of users of Facebook and other websites, namely Twitter, LinkedIn, and Zillow, without the consent or knowledge of the users.

Localblox was established in 2010 and offers services to automatically locate, extract, map, index and augment data into different formats. Data is collected from various websites and exchange platforms. Security researchers claim that the company also collects information from non-public sources and compiles it with existing profiles.

The primary focus of the firm is to collect data from publicly accessible sources, mainly social networking sites, and platforms like Facebook and Twitter present the perfect option to do so.

Ashfaq Rahman, chief technology officer at Localblox, rules out foul play and claims that his company is involved in the development of ‘transformative intelligence’ by combining bits and pieces of information.

The firm boasts of over 650 million records collected in its device ID database, whereas its mobile phone database contains 180 million records, including information about mobile phone carriers and phone numbers. Localblox also bragged about having an extensive US voter database comprising 180 million citizens.

Until now Localblox had been working in a foolproof manner, but this time the company mistakenly left huge reserves of profile data on an unlisted, publicly accessible Amazon S3 storage bucket, without protecting it with a password.

The unprotected database was discovered by Chris Vickery of cybersecurity research firm UpGuard, who found it as a human-readable, newline-delimited JSON file. He immediately notified Localblox. Within hours Localblox secured access by enabling password protection.

The bucket is titled “lbdumps,” and its size is an overwhelming 1.2 terabytes, with individual records of about 48 million users. Leaving such a massive amount of information freely accessible on the internet might have enabled anyone to download the contents of the database, but Localblox affirmed that nobody accessed or exploited the Amazon S3 bucket.


Vickery revealed that the database includes names, dates of birth, employment information, residential addresses and job-related history of the users, the majority of which was scraped from Facebook and LinkedIn. The data also includes information from other public profiles, such as those on Twitter, along with LinkedIn history, Twitter feeds and internet usage.

According to ZDNet, “This combination begins to build a three-dimensional picture of every individual affected — who they are, what they talk about, what they like, even what they do for a living — in essence a blueprint from which to create targeted persuasive content, like advertising or political campaigning.”

However, Rahman claims that the data was modified for testing purposes and that Vickery hacked into the company’s network to access it. It must be noted that the scraped data can be used in a variety of ways, as noted by ZDNet.

“If the legitimate uses of the data aren’t enough to give pause, the illegitimate uses range from traditional identity theft to fraud, to ammunition for social engineering scams such as phishing.”

Currently, we don’t know whether there will be legal consequences for Localblox for collecting data without asking for users’ consent since all prominent social networking platforms abide by policies that prohibit data extraction.

But in the US there is no law that lets people remove their private data after it ends up in the databases of firms like Localblox and Cambridge Analytica. In Europe, digital privacy law is much stricter than in the US.

Waqas
