Data leak without hacker attack: KLM leak not an isolated case

When you think of data breaches affecting the data of hundreds of millions of people, you may picture master hackers who managed to bypass advanced security measures. But several of the recent major data breaches involved no break-in at all. That also applies to KLM's leak this morning.

In such cases, what attackers do is scrape data: information that is meant to be accessible only on a small scale (one profile or one lookup at a time) is collected automatically, aggregated, and then misused on a large scale.

The most well-known example of scraping is the Cambridge Analytica scandal, in which a data company managed to access the sensitive personal data of 50 million Facebook users. This company then used the data to display advanced personalized ads for political campaigns.

But more recent scraping leaks were even larger. In this way, criminals obtained the data of 500 million LinkedIn users and 533 million Facebook users. In the case of Facebook, malicious parties abused a feature for finding new friends. “You can use this to find your Facebook profile using a person’s phone number,” says security researcher Matthijs Koot.

The feature is meant to find your friends on Facebook from your phone’s address book, not the other way around: it was not designed to reveal who is behind a given phone number. “But if you enter all the phone numbers automatically and save the result, you can, on the contrary, create a list showing which phone number belongs to whom,” says Koot. The breach ultimately affected 533 million Facebook users; an EU fine of 265 million euros was imposed on parent company Meta.
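The abuse Koot describes turns a per-contact lookup into bulk enumeration, and the signal that distinguishes the two is visible on the server side: one client querying far more distinct numbers than an address book holds, and querying them in numeric order. The following is an added detection example written for this article, not code from NOS, Facebook or any real platform. It assumes a hypothetical log format (`<ISO timestamp> <client id> <E.164 number>`, one contact-discovery lookup per line) and assumed thresholds; the log lines are constructed inline.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample (not real telemetry): one contact-discovery lookup
    per line, formatted '<ISO timestamp> <client id> <E.164 number>'."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # Legitimate client: uploads a 40-entry address book in one burst. The
    # numbers are unrelated to each other (stride 137 keeps them non-sequential).
    for i in range(40):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} app-7f3a +3161{100000 + i * 137:06d}")
    # Scraping client: walks 500 consecutive numbers in under two minutes.
    for i in range(500):
        ts = base + timedelta(milliseconds=200 * i)
        lines.append(f"{ts.isoformat()} app-2c9e +3162{200000 + i:06d}")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, client id, phone number)."""
    ts, client, number = line.split()
    return datetime.fromisoformat(ts), client, number


def max_distinct_in_window(events, window):
    """Largest number of distinct phone numbers one client queried inside any
    time span of length `window` (sliding window over time-sorted events)."""
    events = sorted(events)
    counts = defaultdict(int)
    left = 0
    best = 0
    for ts, number in events:
        counts[number] += 1
        # Drop events that fell out of the window ending at `ts`.
        while events[left][0] < ts - window:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def sequential_ratio(numbers):
    """Fraction of adjacent (sorted) numbers that differ by exactly 1.
    Real address books score near 0; a numeric sweep scores near 1."""
    digits = sorted(int(n.lstrip("+")) for n in set(numbers))
    if len(digits) < 2:
        return 0.0
    runs = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
    return runs / (len(digits) - 1)


def analyze(lines, window=timedelta(hours=1), max_distinct=200,
            max_seq_ratio=0.5, min_for_seq=20):
    """Per-client report. Thresholds are assumptions for this example:
    more than `max_distinct` distinct numbers per `window`, or a mostly
    sequential set of at least `min_for_seq` numbers, marks a client."""
    per_client = defaultdict(list)
    for line in lines:
        ts, client, number = parse_line(line)
        per_client[client].append((ts, number))

    report = {}
    for client, events in per_client.items():
        distinct = max_distinct_in_window(events, window)
        ratio = sequential_ratio(n for _, n in events)
        suspicious = distinct > max_distinct or (
            distinct >= min_for_seq and ratio > max_seq_ratio)
        report[client] = {
            "distinct_in_window": distinct,
            "sequential_ratio": ratio,
            "suspicious": suspicious,
        }
    return report


if __name__ == "__main__":
    for client, info in analyze(build_sample_log()).items():
        print(client, info)
```

Counting distinct numbers alone is not enough, because a legitimate address-book upload can be large; the sequential-ratio check catches a sweep even when it stays under the volume threshold, which is why the two signals are combined.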


A group of data protection authorities outside the European Union, including those of the United Kingdom, Norway and Switzerland, issued a joint warning this summer: social media companies and other websites must protect their users from data scraping.

That this doesn’t always happen is also because social media platforms have little incentive to restrict access to data, Koot says. “The business model of social media is precisely to make information publicly available.”

In other cases, Koot says, a limited security budget can be the problem. “As a result, security was not adequately controlled.”

Hacker forums

It is not known how often scraping occurs; not every incident comes to light. Incidents often surface only when the data is distributed on hacker forums, as happened with the Facebook and LinkedIn leaks.

“There are professional hackers or organizations behind such leaks,” says Koot. According to him, the fact that the data of hundreds of millions of users could be extracted from technology giants without triggering their detection systems shows this.

Criminals can then sell such data to others. “These leaks are very useful for fraudsters,” Koot says. “If you combine multiple data breaches, you can definitely put together the pieces of a puzzle and learn a lot about someone.”

The more you know about someone, the more convincingly you can deceive them: for example, by pretending to be someone’s son or daughter and demanding money, as happens in practice. Targeted phishing emails can also be crafted this way.

This is especially problematic if you are a prominent Dutch person, such as a politician. Koot: “When you can find someone’s phone number in a leak with a few mouse clicks, as is the case with many politicians, I find that problematic.”

Source: NOS