Information of 533 million Facebook users leaked to the public

Last weekend it became known that information on more than 500 million Facebook users had leaked to the public. Data on 533,313,128 Facebook users was published on a hacker forum.

This dump includes phone numbers, names, Facebook IDs, email addresses, location information, gender, date of birth, work, and other data that social network profiles may have contained.

The publication Bleeping Computer notes that this information first appeared on the darknet back in the summer of 2020, when one of the forum participants began to sell data of Facebook users.

This leak was distinguished from others by the fact that it contained not only data from public profiles, but also phone numbers associated with these accounts.

According to information security experts, back in 2019, cybercriminals exploited a vulnerability related to the Add a Friend function, which allowed them to gain access to phone numbers. This bug was fixed a long time ago.

Now the same leak has been posted on the darknet for free (for eight of the site's “credits”, which is roughly $2.19).

The publication reports that initially this dump was sold at a price of $30,000, then it was monetized using a private Telegram bot, and now it has been published for free.

Interestingly, the leak contains the phone numbers of three Facebook founders: Mark Zuckerberg, Chris Hughes and Dustin Moskowitz, who were the fourth, fifth and sixth members of the Facebook social network.

Facebook representatives confirmed to the media that the leak occurred back in 2019:

This is old data that was previously reported in 2019. We discovered and fixed this issue in August 2019.

Although the dump is dated 2019, experts note that phone numbers and email addresses usually do not change for many years, which means that the database still has considerable value to attackers. This information can be used to send spam (by email or SMS), and for automatic calls, extortion attempts, threats, harassment, and so on.

The leak aggregator Have I Been Pwned has already added the leak to its database. That is, anyone can check whether this problem affected them.

For now, verification can only be done by email address. The point is that only 2.5 million of the 533 million records included an email address, so a search by email address may be useless.

The founder of the resource, Troy Hunt, admits that he has not yet figured out how to implement a search by phone numbers and what to do with them at all.

I also reported that data of 33.7 million LiveJournal users leaked to the network. And let me also remind you about security: users seldom change passwords even after data leaks. Don’t be like these users – change your passwords.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
