The personal information of 533 million Facebook users has been leaked to a hacker forum for free, giving scammers a trove of fresh data to target people.
Around 7.3 million users are from Australia.
Alon Gal, co-founder of Israeli cybersecurity company Hudson Rock, noticed the data dump over the weekend.
“Details include: phone number, Facebook ID, full name, location, past location, birth date, (sometimes) email address, account creation date, relationship status, bio,” he said on Twitter.
“Bad actors will certainly use the information for social engineering, scamming, hacking, and marketing.”
Facebook did not seem concerned by the leak, with Liz Bourgeois, the company’s director of strategic response communications, saying it was “old data”.
“We found and fixed this issue in August 2019,” she said.
“This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019.” — Liz Bourgeois (@Liz_Shepherd), April 3, 2021
The vulnerability that led to the leak of 533 million Facebook users’ records required a “complex” exploit, according to a Forbes exclusive from 2019, and involved “using an army of bots and processors to build a searchable/attackable database of users”.
In January, a Telegram bot appeared on the Raid Forums allowing people to query a database of data scraped from that Facebook vulnerability for a small fee.
All that data has now been made public and is being shared on social media.
“All 533,000,000 Facebook records were just leaked for free. This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked. I have yet to see Facebook acknowledging this absolute negligence of your data.” — Alon Gal (Under the Breach) (@UnderTheBreach), April 3, 2021
Have you been pwned?
Troy Hunt, creator of the haveibeenpwned website, was quick to comb through the data and load email addresses into his service for people to check if they were affected.
He noticed the leak contained few email addresses and was instead filled with neatly indexed phone numbers.
“For spam, based on using phone numbers alone, it’s gold,” Hunt said.
“Not just SMS, there are heaps of services that just require a phone number these days and now there’s hundreds of millions of them conveniently categorised by nice mail merge fields like name and gender.”
It’s not the first time Facebook has suffered from a major data breach.
Also in 2019, millions of Facebook records were improperly stored by third parties on Amazon servers in a breach that alarmingly contained users’ passwords in plain text, left for anybody to download.
Facebook was storing user passwords in plain text on its internal systems, too.
The company also had issues in 2018 with people abusing a Facebook feature to obtain the access tokens that are used to control a person’s account.
Mass scraping of Facebook data was behind the Cambridge Analytica scandal which saw a data mining company use a third-party app to pull data from hundreds of millions of Facebook users through its API.
Last year, the Office of the Australian Information Commissioner opened court proceedings against Facebook for the breach.