The phone numbers and personal details of more than 500 million Facebook users have been posted online by one user on a low-level hacking forum.
The exposed data includes personal information from more than 533 million Facebook users from 106 countries, including more than 32 million user records from the United States, 11 million users from the United Kingdom, and 6 million users from India. It includes their phone numbers, Facebook IDs, full names, locations, dates of birth, biographies, and in some cases, email addresses.
The leaked information could provide valuable data to cybercriminals who use the personal information to impersonate users or scam them into giving up their login credentials, according to Alon Gal, chief technology officer at cybercrime intelligence firm Hudson Rock, which uncovered the threats.
“A database of that size containing private information, such as the phone numbers of many Facebook users, could lead to bad actors taking advantage of the data to carry out social engineering attacks or hacking attempts,” said Gal.
Gal first discovered the leaked data in January, when a user from the same hacking forum announced an automated bot that could provide the phone numbers of hundreds of millions of Facebook users for a price. Now the entire dataset has been posted to the hacking forum for free, making it widely available to anyone with rudimentary data knowledge.
Media outlets reviewed a sample of the leaked data and verified several records by matching the phone numbers of known Facebook users with the IDs that appear in the dataset. They also verified the records by testing the email addresses from the dataset in Facebook’s password reset feature, which can be used to partially reveal a user’s phone number.
This is not the first time that the phone numbers of a large number of Facebook users have been exposed online. A vulnerability that was discovered in 2019 allowed millions of people’s phone numbers to be taken from Facebook’s servers in violation of its terms of service. Facebook said that vulnerability was “patched” in August 2019.
Facebook previously promised to take action after Cambridge Analytica leaked the data of 80 million users in violation of Facebook’s terms of service to target voters with political ads in the 2016 election.
Gal said that from a security point of view there is not much Facebook can do to help users affected by the breach, as their data is already exposed, but added that Facebook should notify users so they can be aware of possible phishing or fraud with users’ personal data.
“People who register with a company like Facebook trust them with their data and Facebook is supposed to treat it with the utmost respect,” Gal said. “Leaking users’ personal information is a huge breach of trust and must be dealt with accordingly.”