“The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India,” according to Insider. “It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and — in some cases — email addresses.”
If that 533 million number sounds familiar, that’s because this information is apparently from the same dataset, portions of which people could buy through a Telegram bot, as Motherboard reported in January. Now, though, it appears that those who want to get their hands on the data won’t have to pay anything at all.
Phone number, Facebook ID, Full name, Location, Past Location, Birthdate, (Sometimes) Email Address, Account Creation Date, Relationship Status, Bio.
Bad actors will certainly use the information for social engineering, scamming, hacking and marketing.
— Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
Facebook told Insider that this data was scraped because of a vulnerability that it fixed in 2019. The company gave a similar answer to Motherboard in January. “This is old data that was previously reported on in 2019,” Facebook told BleepingComputer. “We found and fixed this issue in August 2019.” Facebook has not replied to a request for comment from The Verge.
Troy Hunt, the creator of the Have I Been Pwned database, said on Saturday that “I haven’t seen anything yet to suggest this breach isn’t legit.” In the data, he found only about 2.5 million unique email addresses (which is still a lot!), but apparently, “the greatest impact here is the phone numbers.” Here’s what that might mean, in Hunt’s words:
But for spam based on using phone number alone, it’s gold. Not just SMS, there are heaps of services that just require a phone number these days and now there’s hundreds of millions of them conveniently categorised by country with nice mail merge fields like name and gender.
— Troy Hunt (@troyhunt) April 3, 2021
If you can, I strongly recommend taking a couple of minutes to read Hunt’s full Twitter thread about the breach.
Hunt has already loaded the leaked email addresses into Have I Been Pwned, meaning you can check whether yours was included in the dataset. He is still considering whether to make the leaked phone numbers searchable through the service.
Should the FB phone numbers be searchable in @haveibeenpwned? I’m thinking through the pros and cons in terms of the value it adds to impacted people versus the risk presented if it’s used to help resolve numbers to identities (you’d still need the source data to do that).
— Troy Hunt (@troyhunt) April 4, 2021