This dump includes phone numbers, names, Facebook IDs, email addresses, location information, gender, date of birth, work, and other data that may have contained social network profiles.

The publication Bleeping Computer notes that this information first appeared on the darknet back in the summer of 2020, when one of the forum participants began to sell data of Facebook users.

This leak was distinguished from others by the fact that it contained not only data from public profiles, but also phone numbers associated with these accounts.

According to information security experts, back in 2019, cybercriminals exploited a vulnerability related to the Add a Friend function, which allowed them to gain access to phone numbers. This bug has been fixed long time ago.

Now the same leak has been posted on the darknet for free (for eight “credits” of the site, which is roughly $ 2.19).

The publication reports that initially this dump was sold at a price of $30,000, then it was monetized using a private Telegram bot, and now it was published for free.

Interestingly, the leak contains the phone numbers of three Facebook founders: Mark Zuckerberg, Chris Hughes and Dustin Moskowitz, who were the fourth, fifth and sixth members of the Facebook social network.

Facebook representatives confirmed to the media that the leak occurred back in 2019:

Although the dump is dated 2019, experts note that phone numbers and email addresses usually do not change for many years, which means that the database is still has considerable value to attackers. So, this information can be used to send spam (by email or SMS), automatic calls, extortion attempts, threats, harassment, and so on.

The Have I Been Pwned Leak Agregator has already added a leak to its base. That is, anyone can check if this problem affected him.

For now, verification can only be done by email address, as shown in the illustration below. The point is that only 2.5 million of the 533 million records included an email address, therefore, a search by email address may be useless.

The founder of the resource, Troy Hunt, admits that he has not yet figured out how to implement a search by phone numbers and what to do with them at all.

I also reported that to the network leaked data of 33.7 million LiveJournal users. And let me also remind you about security: Users seldom change passwords even after data leaks. Don’t be like these users – change your passwords.

The post Information of 533 million Facebook users leaked to the public appeared first on Gridinsoft Blog.

Let I remind you that HIBP, founded in 2013, is a service for verifying credentials for compromise. Collecting information about various data breaches, Troy Hunt created a unique database, the services and API of which are currently used by many sites and software (including Firefox and LastPass) to promptly notify their customers of a possible compromise.

Hunt writes that over the years, he has invested a lot of effort, time, and resources into the project, but he can no longer continue to develop HIBP on his own. According to him, the community’s contribution to the development of Have I Been Pwned has always been considerable, and recently it has only increased.

“Every byte of data loaded into the system in recent years has been provided free of charge by someone who has decided to improve the security landscape for all of us, — writes Troy Hunt. – The philosophy of HIBP has always been to support the community, and now I want the community to support HIBP. Open source is the most obvious way to do this. All the essential elements of HIBP will be put into the hands of people who can help maintain the service, no matter what happens to me.”

The process of moving to an open-source model would not be easy, so Hunt says it will take some time and has not yet named any specific timeline.

“In addition, there is also an aspect of privacy: among these leaks, there is my personal data, and probably yours too, because billions of people have already suffered from data leaks. Regardless of how widely this information circulates, I still have to ensure confidentiality control for the data on leaks itself, even if the project’s code base becomes more transparent” — sums up the expert.

While professionals like Troy Hunt spend their time and resources on protecting users, they (according to a study by Carnegie Mellon University) rarely change passwords, even if their account got into the HIBP database.

The post HIBP (Have I Been Pwned?) leak aggregator opens the source code appeared first on Gridinsoft Blog.