The Facebook data of more than 500 million users reportedly leaked on a hacking forum Saturday, including phone numbers, full names, and email addresses in some cases. The data appears to be a couple of years old, but it is enough information for cybercriminals to use in scams to get login credentials from victims, Alon Gal, of the cyberintelligence firm Hudson Rock, told Insider. Gal’s firm first discovered the leaked data on Saturday. Troy Hunt, the creator of the Have I Been Pwned database, said he added the leaked email addresses to his website. Facebook users can use haveibeenpwned.com to see if their email address has been leaked.
The data includes the personal information from over 533 million Facebook users, including 32 million U.S. users, 11 million U.K. users, and 6 million users in India, reports Insider. Phone numbers, Facebook IDs, full names, locations, bios, and birthdates are included. Some users’ email addresses also leaked. A Facebook spokesperson told Insider the data was obtained through a “vulnerability” that was fixed in 2019. “This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019,” Facebook said in a similar statement to Bleeping Computer.
All 533,000,000 Facebook records were just leaked for free.
This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked.
I have yet to see Facebook acknowledging this absolute negligence of your data. https://t.co/ysGCPZm5U3 pic.twitter.com/nM0Fu4GDY8
- Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
Gal first found the leaked data in January when a hacking forum user claimed they could offer the data from millions of Facebook users for a price. Motherboard confirmed the data was genuine at the time. Even if the data is from 2019, Gal pointed out that it could still be used for nefarious purposes. It is especially disturbing now that the data was offered for free on the same hacking forum. “A database of that size containing the private information such as phone numbers of a lot of Facebook’s users would certainly lead to bad actors taking advantage of the data to perform social engineering attacks [or] hacking attempts,” he explained to Insider.
Hunt tweeted a lengthy thread as he went through the data on Saturday. He found that the leaked data contained about 2.5 million unique email addresses. Later, he tweeted that he received anecdotal reports from people who claimed to see an increase in spam calls and spam text messages, but Hunt pointed out that it is very difficult to peg these to this specific breach.
New breach: Facebook had 2.5M addresses exposed in an incident that impacted 533M subscribers’ phone numbers. Most records contained name and gender, many also included DoB, location, relationship status and employer. 65% were already in @haveibeenpwned https://t.co/ltMkbZi9sK
- Have I Been Pwned (@haveibeenpwned) April 4, 2021
At this point, Facebook cannot do much to help users beyond sending out a reminder to be wary of phishing and fraud scams, Gal told Insider. “Individuals signing up to a reputable company like Facebook are trusting them with their data and Facebook [is] supposed to treat the data with utmost respect,” Gal explained. “Users having their personal information leaked is a huge breach of trust and should be handled accordingly.”