The personal data, including phone numbers and emails, of more than 500 million Facebook users has been leaked online. The social media company claims that the data was obtained through a vulnerability that has since been fixed.
A user in a low-level hacking forum published the personal data of over 533 million Facebook users. The leaked data includes Facebook IDs, full names, phone numbers, email address, and other personal identifiable information. It affects Facebook users from 106 countries, including data on over 33 million users in the US and 11 million users in the UK.
Business Insider verified the authenticity of the leaked data by matching several of known user’s phone numbers to the Facebook IDs listed.
A Facebook spokesperson said that the data was illegally obtained via a vulnerability that was fixed back in 2019. Whether or not the data is a few years old, it could still be used by cybercriminals for identity theft and other scams.
“A database of that size containing the private information such as phone numbers of a lot of Facebook’s users would certainly lead to bad actors taking advantage of the data to perform social engineering attacks [or] hacking attempts,” tweeted Alon Gal, the CTO of a cybersecurity firm called Hudson Rock.
Gal was the first to discover the leaked data had been published for free on Saturday. He initially discovered the leaked data in January, after a user in the same hacking forum promoted an automated bot that could scrape the phone numbers of Facebook users, for a price. According to a report on Motherboard at the time, the bot provided legitimate data.
Now, someone has decided to post the entire data for free, making it readily available to anyone with the skills to exploit it.
This is not the first time someone has illegally scraped users’ personal data from Facebook. Perhaps the most prominent incident was in 2016, when Cambridge Analytica obtained the personal data of more than 80 million Facebook users.
According to Gal, there’s nothing Facebook can do about the breach since the data has been exposed. However, he believes Facebook has the responsibility to notify the affected users so that they can prepare for potential scams.
“Individuals signing up to a reputable company like Facebook are trusting them with their data and Facebook [is] supposed to treat the data with utmost respect,” Gal said. “Users having their personal information leaked is a huge breach of trust and should be handled accordingly.”