What just happened? The personal information of 533 million Facebook users has been published on a low-level hacking forum. The sensitive data comes from people in 106 countries, including 32 million US residents.
Security researcher Alon Gal highlighted the leak, the result of a Facebook vulnerability patched in 2019. The data went up for sale via a dark web cybercrime forum back in January, when interested buyers could look up the information in the database using a Telegram bot. Now, the entire trove has been made freely available.
Details include:
Phone number, Facebook ID, Full name, Location, Past Location, Birthdate, (Sometimes) Email Address, Account Creation Date, Relationship Status, Bio.
Bad actors will certainly use the information for social engineering, scamming, hacking and marketing.
--- Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
"The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India," writes Insider. "It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and --- in some cases --- email addresses."
Insider verified some data by matching Facebook users' phone numbers with the IDs listed in the data set. It also verified records by testing email addresses in FB's password reset feature, which can partially reveal a user's phone number. While the data only goes up to 2019, many people keep the same phone number for years.
But for spam based on using phone number alone, it's gold. Not just SMS, there are heaps of services that just require a phone number these days and now there's hundreds of millions of them conveniently categorised by country with nice mail merge fields like name and gender.
--- Troy Hunt (@troyhunt) April 3, 2021
Have I Been Pwned creator Troy Hunt said he found around 2.5 million unique email addresses in the data set. He says the most appealing element to scammers and hackers is the phone numbers, which can be used for everything from SMS spam to signing up for services. Make sure to check out Hunt's page to discover if your information was part of the leak.