“The data exposed includes personal information of more than 533 million Facebook users from 106 countries, including more than 32 million records on users in the US, 11 million on users in the UK and 6 million on users in India,” said Insider. “It includes their phone numbers, Facebook IDs, full names, locations, dates of birth, biographies and – in some cases – email addresses.”
If that number of 533 million sounds familiar, it’s because this information apparently comes from the same data set that people could pay to access parts of through a Telegram bot, which Motherboard reported in January. However, it now appears that those who want to obtain the data do not have to pay anything at all.
Phone number, Facebook ID, full name, location, past location, date of birth, (sometimes) email address, account creation date, relationship status, bio.
Bad actors will certainly use the information for social engineering, scamming, hacking and marketing.
– Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
Facebook told Insider that this data was scraped due to a vulnerability it fixed in 2019. The company gave a similar answer to Motherboard in January. “This is old data that was previously reported in 2019,” Facebook told BleepingComputer. “We found and resolved this issue in August 2019.” Facebook has not responded to a request for comment from The Verge.
Troy Hunt, creator of the Have I Been Pwned database, said on Saturday that “I have not seen anything to suggest that this breach is not legitimate.” In the data, he found only about 2.5 million unique email addresses (which is still a lot!), but apparently “the biggest impact here is the phone numbers.” Here is what that could mean, in Hunt’s words:
But for spam based on just using a phone number, it’s gold. Not just SMS, there are tons of services these days that just need a phone number and now there are hundreds of millions, conveniently categorized by country with nice merge fields like name and gender.
– Troy Hunt (@troyhunt) April 3, 2021
If you can, I highly recommend taking a few minutes to read Hunt’s full Twitter thread on the breach.
Hunt has already loaded the leaked email addresses into Have I Been Pwned, which means you can check whether yours is included in the dataset. He is still considering whether or not to make the leaked telephone numbers searchable via the service.
Should the FB phone numbers be searchable in @haveibeenpwned? I’m thinking about the pros and cons in terms of the value it adds to affected people versus the risk presented when used to resolve numbers into identities (you still need the source data to do that).
– Troy Hunt (@troyhunt) April 4, 2021