**Originally published December 20, 2019. Updated April 21, 2020.**
On December 19, 2019, Facebook came under fire once again, when over 267 million records belonging to the social site were found on an unsecured webpage. This is at least the third time in 2019 that Facebook has been in the news for leaving its users’ data unprotected. The exposed database disclosed names, Facebook IDs, and phone numbers of Facebook users, and was available to cybercriminals for two weeks or more.
On December 20, 2019, reports surfaced that Wawa’s systems had been breached by hackers using malware to capture payment information from transactions made in-store and at gas pumps. The number of customers impacted by the breach at the popular convenience store and gas station retailer has not been disclosed, but the malicious code is expected to have picked up payment details on all transactions occurring across more than 840 Wawa locations between March 4 and December 12, 2019. The hacked Personally Identifiable Information (PII) included credit and debit card numbers, expiration dates, and cardholder names.
**Updated January 28, 2020. A post by KrebsOnSecurity reports more than 30 million credit account records have been posted for sale on the Dark Web. Accounts held at thousands of financial institutions are represented in the breached data listed for sale, which have been linked to purchases made at Wawa locations according to KrebsOnSecurity. A class-action lawsuit has been filed against Wawa related to the POS malware attack.
**Updated April 21, 2020. More than 267 million Facebook profiles have been listed for sale on the Dark Web – all for $600. Reports link these profiles back to the data leak discovered in December, with additional PII attached, including email addresses. Researchers are still uncertain how this data was exposed originally, but have noted that 16.8 million of the Facebook profiles now include more data than originally exposed. This may be a result of multiple breaches and leaks of Facebook data over the years being cobbled together to round out profile information, adding more value for cyberthieves selling it on the Dark Web, and making it even more dangerous in credential stuffing attacks and phishing attempts.
Data Breaches and Leaks Places Risk on Consumers
Any time payment processing systems are breached, consumers need to take notice. It took Wawa more than nine months to detect the malware in their system. If a credit card number is stolen, it’s only a matter of hours before that number has been sold to someone who will use it fraudulently. Hackers are very sophisticated and even the best-intentioned companies may be breached for a considerable time before it is detected. Customers who have made transactions at Wawa locations this year should watch financial statements for fraudulent charges, monitor credit reports for any unrecognized new account openings, as well as be on alert for possible account takeover scams. With access to your financial information, hackers can make unwarranted purchases, lock you out of your accounts by changing the password, and potentially ruin your credit score.
The type of data included in Facebook’s leak (email, phone number, and account login information) is commonly used for credential stuffing and phishing attacks by cybercriminals once it has been exposed by fraudsters on the Dark Web. It takes just two pieces of PII for a bad actor to commit synthetic identity theft. It is important to safeguard your information by updating your passwords — making sure you do not use the same password on multiple accounts — and turning on two-factor authentication to further protect yourself from account takeover attacks.
Don’t Wait for the Next Data Breach | Get Protected Now
If you suspect your personal information was compromised in Wawa’s data breach or Facebook’s data leak, be vigilant about monitoring your personal and financial accounts.
To truly protect yourself from fraud, sign up for top-rated identity theft protection that monitors all of your accounts and alerts you, in real-time, to any suspicious activity. Not to mention, IdentityForce offers 100 percent, white-glove restoration with up to $1 million in insurance if your identity were to become compromised.