Updated Reams of personal data – including phone numbers, email addresses, and birthdays – obtained from 533 million Facebook accounts was offered to all for free on a cyber-crime forum over the weekend.
The data dump was flagged up by Alon Gal, co-founder and CTO of infosec startup Hudson Rock. The information – which also includes people’s names, marital status, occupation, and location – was siphoned from Facebook in 2019 via a security weakness in the platform. The data was packaged up and sold online to miscreants in June 2020.
Now that same database is up for grabs to anyone who messages a particular Telegram account and asks nicely. The records were pilfered from hundreds of millions of Facebook profiles spread across 104 countries; that includes 32,315,282 accounts in the US, and 11,522,328 in the UK, according to a post on the underground forum viewed by The Register. All of the data amounts to over 70GB. It's reported the price tag on the database has been falling, and now it's free of charge.
All 533,000,000 Facebook records were just leaked for free.— Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked.
I have yet to see Facebook acknowledging this absolute negligence of your data. https://t.co/ysGCPZm5U3 pic.twitter.com/nM0Fu4GDY8
Facebook is keen to shrug this off. We're told the data theft was in the news in 2019, and the exploited security hole was closed that same year.
That doesn't quite change the fact that people's stolen info has been circulating online for nearly three years, and that even though it all happened in 2019, names, dates of birth, contact details, and other data are unlikely to have changed in that time.
Instead, it's likely the data is still largely useful for fraudsters to exploit – assuming the vast majority of users put in the correct information on their profiles and not fake info just in case this sort of theft happened.
“This is old data that was previously reported on in 2019," a spokesperson for Mark Zuckerberg's tech giant told us. "We found and fixed this issue in August 2019."
Meanwhile, Gal told The Register: “Firstly, I'd like Facebook to acknowledge the leak and the importance of it.
"Secondly, they should alert all users that this has happened and have the users be alert to impending social engineering and hacking attacks. Lastly, I think Facebook should rotate Facebook IDs to block bad actors from being able to link phone numbers to Facebook profiles through the leak as can be currently done, this is only a small step but a crucial one.”
Updated to add on April 6
Facebook now says "malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019." It went on:
We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019. This feature was designed to help people easily find their friends to connect with on our services using their contact lists.
When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer. In this case, we updated it to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users. Through the previous functionality, they were able to query a set of user profiles and obtain a limited set of information about those users included in their public profiles.