If you have a Facebook account, you should probably be keeping your guard up in the near future. A new report states that a hacker has posted the private information, including phone numbers, birthdays, and locations, of more than 533 million Facebook users from 106 countries online for free.
According to Insider, the hacker was part of a low-level hacking forum and posted the information on Saturday. The information exposed reportedly also includes Facebook IDs, full names, bios, and, in some cases, email addresses. The data accessed is purportedly from 2019. Insider stated that the leaked data included information on 32 million users in the U.S., 11 million users in the UK, and 6 million users in India.
The outlet reviewed a sample of the leaked data and verified a series of records “by matching known Facebook users’ phone numbers with the IDs listed in the data set.” Insider also confirmed the data’s accuracy by typing exposed email addresses into Facebook’s password reset feature, which shows part of a user’s phone number.
Gizmodo reached out to Facebook to confirm the report, but we had not heard back by the time of publication. The company told Insider that the data was scraped due to a vulnerability it patched in 2019.
The fact that the data seems to have been obtained via scraping is bound to rattle some nerves at Facebook, which has faced outrage over scraping incidents in the past. The most infamous scraping incident has been the Cambridge Analytica scandal, in which the analytics firm harvested user data of millions of users without their consent and used it to predict and influence users at the polls.
Liz Bourgeois, director of strategic response communications at Facebook, repeated this on Twitter on Saturday.
“This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019,” she said.
While Facebook appeared to be trying to use the 2019 time peg to minimize the impact of the leak, Insider explains that bad actors can still do damage with old data. Alon Gal, co-founder and CTO of Israeli cybercrime intelligence firm Hudson Rock, told the outlet that a database of that size would result in criminals taking advantage of the data to carry out social engineering attacks or hacks.
Gal was the one who first discovered the leaked Facebook data on Saturday, per Insider. This wasn’t the first time he knew of the database’s existence, though. Back in January, Gal sounded the alarm on a hacker who had created a Telegram bot that allowed people to find phone numbers for specific Facebook accounts via the leaked data set for a fee. Gal informed Motherboard at the time, which confirmed the data’s legitimacy.
The cybersecurity expert said there’s not much Facebook can do to help users at this point, since the data is already out there, besides letting them know it happened and telling them to be on the lookout for scams.
However, there are still some questions unanswered. Even if this data is from 2019, what does this really mean for users? Insider was able to purportedly match phone numbers with IDs in the leaked data set now. In fact, I know friends that have had the same phone number for over a decade. What can users do in this situation? Do they need to do anything?