A user in a low-level hacking forum on Saturday published the phone numbers and personal data of hundreds of millions of Facebook users for free.
The exposed data includes the personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and, in some cases, email addresses.
The data set has been posted on the hacking forum for free, making it available to anyone with rudimentary data skills.
Insider attempted to reach the leaker through the messaging app Telegram but did not get a response.
This is not the first time that lots of Facebook users’ phone numbers have been found exposed online. The vulnerability uncovered in 2019 allowed millions of phone numbers to be scraped from Facebook’s servers in violation of its terms of service. Facebook said that vulnerability was patched in August 2019.
Facebook vowed to crack down on mass data-scraping after Cambridge Analytica scraped the data of over 80 million users in violation of Facebook’s terms of service to target voters with political ads in the 2016 election.
“If you have a Facebook account, the phone number used for the account was likely leaked,” Gal stated.
He believed the data could be a couple of years old and could have been extracted using the bug that Facebook said it fixed in 2019, before first being made available online in January.
Facebook corroborated this, telling Business Insider that the data had been scraped through the vulnerability it patched in 2019.
Even though that vulnerability is closed, hackers or impostors could still misuse the leaked information for SMS phishing scams, to impersonate users, or to lure them into handing over their credentials.
“Individuals signing up to a reputable company like Facebook are trusting them with their data and Facebook [is] supposed to treat the data with utmost respect. Users having their personal information leaked is a huge breach of trust and should be handled accordingly,” Gal added.
What to do if your data was breached
In any data breach, it’s important to ensure identity documents, such as driver’s licence and passport details, haven’t been compromised. If they have, replace them immediately.
If your email address was exposed, change your password for that account, and set up two-factor authentication where possible.
To protect yourself in future, use a password manager such as 1Password, LastPass or Keeper. These are paid services that can generate long, hard-to-guess passwords for your accounts and store them for you so you don’t have to remember them.
But Dr Quodling warns that there is only so much users can do to prevent their data being used, apart from just quitting the social media platforms altogether.
“You could be profoundly security conscious and secure, and still get caught out by insufficient security practices at other organisations you rely on,” he said.