Skip to content

India’s Cybersecurity Agency Issues Advisory On Facebook’s Massive Data Leak

Users in Facebook's and WhatsApp's biggest market have been asked to stay alert, change profile settings to private.

CHENNAI, India — In Facebook’s largest market, India, the national cybersecurity agency has asked users to change profile settings to ‘private’ from ‘public’ and limit the kind of users who can contact other user profiles.

The advisory was issued on April 19 in response to Facebook’s large-scale data breach of 450 million unique profiles globally that was revealed earlier this month. The data hack included information from profiles of 6.1 million Indian users.

The agency, the Indian Computer Emergency Response Team (CERT-In), had also issued an advisory due to “multiple vulnerabilities” in Facebook-owned instant messaging app WhatsApp on April 12.

India is Facebook’s largest market with 320 million users — almost double the size of users in the social media platform’s next biggest market, the United States. India is also Facebook-owned WhatsApp’s largest market with 530 million users, according to the government.

“The exposed information includes email address, profile ID, job occupation, phone numbers, and birthdates,” the advisory on Facebook states.

The CERT-In said: “According to Facebook, the scraped data does not include financial and health information or passwords”. It explained web scraping as the process of using automated software to harvest information users make publicly available on their profiles.

At the beginning of April, media reports said the breach impacted more than 530 million user accounts globally. On April 6, Facebook put out a blog post saying the information was obtained by scraping data and not hacking into the social networking firm’s systems.

“We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019,” Mike Clark, product management director at Facebook, said in the post.

“This feature was designed to help people easily find their friends to connect with on our services using their contact lists.”

The CERT-In also highlighted multiple vulnerabilities in WhatsApp for Android and iOS systems that could allow a hacker to “access sensitive information on a targeted system”. The advisory was marked with a “high” severity rating. The CERT-In said vulnerabilities were found in some versions of WhatsApp and WhatsApp Business on the Android and iOS operating systems.

“These vulnerabilities exist in WhatsApp applications due to a cache configuration issue, and missing bounds check within the audio decoding pipeline,” CERT-In said. The agency asked users to update to the latest version of the app on both operating systems.

“We regularly work with security researchers to improve the numerous ways WhatsApp protects people’s messages,” a WhatsApp spokesperson said in an email to Zenger News.

“As is typical of software products, we’ve addressed two bugs that existed on outdated software, and we have no reason to believe that they were ever abused. WhatsApp remains safe and secure, and end-to-end encryption continues to work as intended to protect people’s messages.”

CERT-In had previously issued an advisory with a ‘medium’ severity rating on WhatsApp last year, saying there were vulnerabilities that could allow a remote hacker to bypass security protocols.

India has recently been hit with a spate of data breaches, including stockbroking start-up Upstox and fintech firm MobiKwik. Dominos India had 13 terabytes worth of data stolen, which included 180 million order details, with names, numbers, emails, and payment details, Alon Gal, co-founder and chief technology officer of Israel-based cybercrime intelligence firm Hudson Rock, tweeted on April 18.

The CERT-In also highlighted multiple vulnerabilities in WhatsApp for Android and iOS systems that could allow a hacker to “access sensitive information on a targeted system”. (Justin Sullivan/Getty Images)

The hack included 1 million credit card details, with the hacker asking for $550,000 for the database and planning to build a portal to enable searching for the data, Gal said in his tweets.

Independent cybersecurity researcher Rajshekhar Rajaharia told Zenger News that he emailed CERT-In in March to inform them of a potential hack of Domino’s data.

“India has seen 4-5 data hacks each month for the past six months,” he said.

“After the MobiKwik hack, around that time, the hacker said they have access to Domino’s data. I mailed CERT-In about Dominos around March 5,” Rajaharia told Zenger News.

“But Dominos says they don’t store customer financial data or cards. There isn’t sample data of Dominos on the dark web. The hacker just posted that they have it, but it’s not confirmed,” he said.

Jubilant FoodWorks, the parent company of Dominos, said there was a cybersecurity incident but denied that any financial data was leaked on the dark web.

“Jubilant FoodWorks experienced an information security incident recently,” a Jubilant spokesperson told Zenger News. “No data pertaining to financial information of any person was accessed, and the incident has not resulted in any operational or business impact.”

“Our team of experts is investigating the matter, and we have taken necessary actions to contain the incident.”

“The news about financial data being leaked is incorrect. As per leading cybersecurity researchers, there is no financial data visible on the dark web,” the spokesperson said.

According to the fast-food chain’s terms and conditions, customer card details on the Dominos app or desktop are saved by fintech provider Paytm and not by parent Jubilant FoodWorks. Paytm is the payments’ facilitator owned by One97 Communications.

A ‘like’ sign at the entrance of Facebook headquarters in Menlo Park, California. (Stephen Lam/Getty Images)

Over 1.6 million cybersecurity incidents were reported in India in 2019 and 2020, with 1.2 million incidents in 2020 alone, Union Minister of State for Home G. Kishan Reddy told the lower house of the parliament in March this year.

India’s anti-trust regulator, the Competition Commission of India, ordered an investigation into WhatsApp’s updated privacy policy in March, saying “unreasonable data collection” can grant competitive advantage to dominant players, leading to “exploitative as well as exclusionary effects”.

“The Commission is of prima facie opinion that the take-it-or-leave-it nature of privacy policy and terms of service of WhatsApp and the information sharing stipulations mentioned therein merit a detailed investigation in view of the market position and market power enjoyed by WhatsApp,” the Competition Commission said.

Both Facebook and WhatsApp challenged the Competition Commission order in the Delhi High Court, and the verdict is yet to be announced.

India does not have adequate cybersecurity laws to protect users. The Data Protection Bill, 2019, which contains provisions to deal with hacks, is not yet a law.

“Cybersecurity has been one thing where we are not a great stage, and there’s a lot to learn,” Faisal Kawoosa, founder at technology analytics firm TechARC, told Zenger News.

“And when you talk to many of these companies, leave aside maybe the major ones, many don’t think about security. They don’t think about the sensitivity of data. That culture isn’t there, and that has to come from the top.”

(Edited by Amrita Das and Gaurab Dasgupta)

Recommended from our partners