An individual at a non-invasive hacking forum has released the telephone numbers and personal information of hundreds of millions of Facebook users for free online.
The exposed data covers over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and – in certain cases – email addresses.
Insider reviewed a sample of this leaked data and confirmed several records by matching known Facebook users’ telephone numbers with the IDs listed in the data set. We also verified records by testing email addresses from the data set in Facebook’s password reset feature, which can be used to partially reveal a user’s phone number.
The leaked data could provide invaluable information to cybercriminals who use people’s personal information to impersonate them or scam them into handing over login credentials, according to Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, who first discovered the leaked data on Saturday.
“A database of that size containing the personal info such as telephone numbers of a lot of Facebook’s users would surely result in poor actors taking advantage of the data to do social engineering attacks [or] hacking attempts,” Gal told Insider.
Gal first detected the leaked data in January, when a user on the same hacking forum advertised an automated bot that could provide phone numbers for hundreds of millions of Facebook users in exchange for a price. Motherboard reported on that bot’s existence at the time and verified that the data was legitimate.
Now, the whole dataset has been posted on the hacking forum for free, which makes it widely available to anyone with basic data skills.
- Alon Gal (Under the Breach) (@UnderTheBreach), April 3, 2021
It is not the first time a huge number of Facebook users’ telephone numbers have been exposed online. A vulnerability uncovered in 2019 allowed countless people’s phone numbers to be scraped from Facebook’s servers in violation of its terms of service. Facebook said that the vulnerability was fixed in August 2019.
Facebook previously vowed to crack down on mass data-scraping after Cambridge Analytica scraped the information of 80 million users in violation of Facebook’s terms of service to target voters with political ads in the 2016 election.
Gal said that, from a security standpoint, there’s not much Facebook can do to help users affected by the breach since their information is already out in the open – but he added that Facebook could notify users so that they could remain vigilant for possible phishing schemes or fraud using their data.
“Individuals signing up to a respectable firm like Facebook are trusting them with their data, and Facebook [is] supposed to care for the data with the utmost respect,” Gal said. “Users having their private data leaked is a massive breach of confidence and must be handled accordingly.”