A cybercriminal on a low-level hacking forum on Saturday published the phone numbers and personal data of millions of Facebook users for free online.
The exposed data covers over 533 million Facebook users from 106 countries, including over 32 million records in the US, 11 million in the UK, and 6 million in India. It includes their Facebook IDs, phone numbers, full names, birthdates, bios, locations, and email addresses.
We reviewed a sample of the leaked data and verified several records by matching known Facebook users’ phone numbers with the IDs listed in the data set. We also verified records by entering email addresses from the data set into Facebook’s password reset feature, which can be used to partially reveal a user’s phone number.
A Facebook spokesperson told us that the data was scraped due to a vulnerability that the company patched in 2019.
While a couple of years old, the leaked data could still provide valuable information to cybercriminals who use people’s personal information to impersonate them or scam them into handing over their credentials, according to Alon Gal, Chief Technical Officer of cybercrime intelligence firm Hudson Rock, who was the first to discover the entire trove of leaked data online on Saturday.
“A database of that size containing the private information such as phone numbers of a lot of Facebook users, including Mark Zuckerberg, would certainly lead to bad actors taking advantage of the data to perform social engineering attacks or hacking attempts,” Gal told our reporters.
Gal first spotted the leaked data in January, when another user on the same hacking forum advertised an automated bot that could provide phone numbers for millions of Facebook users for a price. Motherboard also reported on that bot’s existence and verified that the data was legitimate.
Now, the whole dataset has been posted on the hacking forum for free, making it publicly available to anyone with rudimentary data skills.
It is not the first time that large numbers of Facebook users’ phone numbers have been found exposed online. The vulnerability revealed in 2019 allowed millions of people’s phone numbers to be scraped from Facebook’s servers in violation of its terms of service. Facebook said that it patched the vulnerability in August 2019.
Facebook previously pledged to crack down on mass data scraping after Cambridge Analytica scraped the data of 80 million users in violation of Facebook’s terms of service to target voters with political ads in the 2016 election.
According to Gal, from a security perspective there is not much Facebook can do to help users affected by the 2019 breach, since their data is already out in the open. But he added that Facebook could notify users so they could remain alert for possible phishing schemes or fraud using their data.
“Individuals signing up to a reputable company like Facebook are trusting them with their data, and Facebook is supposed to treat the data with the utmost respect,” Gal said. “Users having their personal information leaked is a huge breach of trust and should be handled accordingly.”