According to security researcher Alon Gal, the personal data of 533 million Facebook accounts has been leaked online for free. Insider said it verified several of the leaked records.
“The data on display includes the personal information of more than 533 million Facebook users from 106 countries, including more than 32 million records for users in the United States, 11 million for users in the United Kingdom and 6 million for users in India,” according to Insider. “It includes their phone numbers, Facebook IDs, full names, locations, dates of birth, biographical data and
If the 533 million figure sounds familiar, that is because this appears to be the same data set that people could buy parts of through a Telegram bot, which Motherboard reported on in January. Now, however, anyone who wants the data apparently does not have to pay anything at all.
Phone number, Facebook ID, full name, location, past location, date of birth, (sometimes) email address, account creation date, relationship status, bio.
Bad actors will certainly use the information for social engineering, fraud, hacking and marketing.
– Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
Facebook told Insider that the data was scraped through a vulnerability that the company fixed in 2019. The company gave a similar response to Motherboard in January. “This is old data that was previously reported on in 2019,” Facebook told BleepingComputer. “We found and fixed this issue in August 2019.” Facebook did not respond to The Verge’s request for comment.
Troy Hunt, creator of the Have I Been Pwned database, said on Saturday that “I haven’t seen anything yet to suggest this breach isn’t legit.” He found only about 2.5 million unique email addresses in the data (which is still a lot!), but noted that the “phone numbers have the biggest impact here.” Here is what that could mean, in Hunt’s words:
But for spam based on using phone numbers alone, this is gold. Not just SMS, there are a bunch of services that just require a phone number these days, and now there are hundreds of millions of them, conveniently categorised by country with nice mail merge fields like name and gender.
– Troy Hunt (@troyhunt) April 3, 2021
If you can, I highly recommend taking a few minutes to read Hunt’s full Twitter thread about the breach.
Hunt has already loaded the leaked email addresses into Have I Been Pwned, which means you can check whether yours is part of the data set. He is still considering whether to make the leaked phone numbers searchable through the service as well.
Should FB phone numbers be searchable on @haveibeenpwned? I’m weighing the pros and cons of the value it adds to the people affected against the risk it presents if it’s used to resolve numbers to identities (this would still require the source data).
– Troy Hunt (@troyhunt) April 4, 2021