Privacy is over: Everyone's chats on Facebook and Instagram have leaked online
Tags: English, technology, opinions
Created on Thu, 14 Oct 2021
A massive trove of data has leaked online in one of the most exhaustive data dumps in the last decades. Facebook's chat application Messenger and image sharing service Instagram have been breached this Monday following multiple worldwide outages and controversies brought forward by whistleblowers in the past month.
More than 2.6 billion people's conversations, including the text, photos, videos and voice messages for the past two years, are organized in a collection of torrents that are circulating on dark web forums such as 4chan and Reddit.
The Guarrdian has verified that chat history seems to end a week before the incident - namely on 28 September 2021. The leaked data spans the period between September 2019 and the end of September 2021. Chats between journalists, political officials and celebrities, as well as spot checks of friends and colleagues of editorial staff, have been confirmed as legitimate in the hours after the leak.
A hacker group calling themselves "S3cr3ts_r_0v3r!" (read as "Secrets are over") claims responsibility for the leak as they "wanted to show what people really care about in a surveillance state".
No official statement from Facebook has been issued regarding the leak and they have not responded immediately to our request for comment.
Web applications designed to freely search the data are already starting to emerge as part of an organized effort by the claimed leakers to "move fast and break the privacy of all people", a word-play on the company's ex-mission statement to "move fast and break things".
"If you had a conversation on Facebook's properties - be it in a group or one on one with your friends or family, colleagues, current or ex-partners in the past two years - it's now public information," the group further says.
"S3cr3ts_r_0v3r!" explain that the data was obtained during last week's unprecedented, almost 6-hour-long outage which affected all of Facebook's Internet properties including WhatsApp and Instagram. However, no WhatsApp messages have been found in the leak. "WhatsApp is safe from these kinds of leaks due to its design called 'end-to-end-encryption' meaning that messages are not centrally stored on Facebook's servers," explain the hackers. They warn that metadata (data about who chats with whom) is still available on the servers and remind the public that metadata is enough to get arrested or even killed, as ex-NSA director Michael Hayden has previously said.
Further details on the leak are to follow but the group says that they were able to obtain the chats due to this carefully planned outage through unmonitored backup systems and complex security measures that have been affected internally by the outage. "S3cr3ts_r_0v3r!" claim that critical details of the security protocols for the chat backups have "been neglected for years which created vulnerability loopholes" that the hackers have been able to exploit. The identity of the people behind the group is still unknown although there are speculations in the forums that these are current or recently departed employees of Facebook.
Expect further details as this story unfolds.
This is of course a fake article as can be seen from the poor journalistic writing skills of the author of this blog.
But what if it wasn't?
We have seen so many breaches - usually leaking hashes of passwords or messages between celebrities or emails of public officials, including this year's massive Pegasus Project that revealed governments' espionage on journalists, opposition politicians, activists, business people - that we care not to think of our own, most precious private conversations, assuming that this thing will never happen to us.
"I have nothing to hide" is a mantra repeated ad nauseam by everyone when confronted with the reality that a few large companies and state agencies are monitoring and recording our most intimate thoughts and conversations. Sure, you probably don't make bombs or plan to take over the government. Your "secrets" and private thoughts are probably as mundane and typical as any human's.
But what if all of that leaked? We know that almost everyone badmouths, has secret crushes or affairs, slacks off work, talks behind someone's back, can be racist or sexist with the right friends - but these are all roles and masks we have in order to survive and thrive in a complex society. What if these conversations can now be indexed by free-to-access web applications and searched by your mom, your manager or boss, by your closest and not so close friends and acquaintances? If I wanted to know what my best friend really thinks of me in front of other people - just search that person and pull out all the chats. Or who my girlfriend is secretly writing with, even if I claim I trusted her. Or even more mundane - what is that shop assistant I see every day really into, who is she, not just by what she puts on her Facebook or Instagram profiles, but in front of her friends?
Imagine everyone's private lives, including yours, your friends' and family's, are up for grabs, freely available to everyone out there.
Still think it's impossible? Try to browse through this list of data breaches or this list of security hacking incidents. Thought the Facebook outage last week was unique? Just look through this list of outages. The Internet is becoming more centralized and thus more prone to single points of failure. And while users' data is probably extremely guarded by multiple levels of controls, including layers of encryption of live data and backups, monitoring of exfiltration attempts, and physical keys stored in multiple separate geographical centers, making the scenario of the described leak near impossible, run that scenario nevertheless in your head every time you are prompted to say "I have nothing to hide".
What can be done?
Have a backup plan: Last week Telegram saw a surge of more than 70 million new accounts as people scrambled to continue their conversations with their friends, family and customers. Signal and plain old SMS have seen a surge as well. Having a backup conversation channel is a must - don't put all your eggs in one basket.
Use encrypted services: Facebook's Messenger and Instagram use the company's servers to relay messages but they also store these messages on their servers. There is a way to forward messages without knowing the content of the messages themselves - this is usually known as "end-to-end encryption". WhatsApp (which is also owned by Facebook) is one such service; it uses the same protocol that a more independent service, Signal, has developed.
Move towards decentralized (federated) services: Signal and WhatsApp still suffer from a form of centralization and opaqueness - i.e. you don't really know what the servers are running and how they may be using the metadata they gather. Telegram is not end-to-end-encrypted by default but many people think that it is. Services such as Matrix are decentralized and you can run a server yourself, allowing you to chat with anyone else running a server - thus creating a federation. You can even buy a small hardware device that you can plug into your router and with a little bit of setup create all that you need to have a safe, encrypted and controlled conversation with anyone you want. Additionally, Matrix allows you to create and run bridges which allow you to chat from the same application with people using Messenger, WhatsApp, Telegram and many other popular chat platforms.
I have a lot more to say on the topic and if I'm not too lazy to write it all out, I may share it in the coming months/years.