A massive data dump covering 533 million Facebook users worldwide has been leaked and is making the rounds on hacker forums. According to the posts by the threat actors who leaked it, the data contains user names, birthdays, phone numbers, users’ unique identifiers, email addresses, relationship statuses, occupations, account creation dates and more.
The hacker also claimed that the data was scraped from Facebook in August 2019, when the social media giant suffered a large leak of private user information through a vulnerability that was later fixed. The hacker said, “In August 2019, the social media platform Facebook suffered a large leak of private user information through an exploited vulnerability which allowed for the information of 533 million of their users to be scraped and later published.” In the comments, it was mentioned that the database had been up for sale for $99 on another forum in March.
The comments also clearly stated that the data dump contained the information of 61,62,450 Indian users.
Experts’ views on the data leak
The leak was reported by several experts, including Alon Gal, CTO of the Israeli cybercrime intelligence firm Hudson Rock, Troy Hunt of haveibeenpwned.com and others. Gal had already reported the leak in January 2021, saying at the time that it was under-reported and that a user had created a Telegram bot that let people query the database for a low fee. “This obviously has a huge impact on privacy,” he said.
In early 2020 a vulnerability that enabled seeing the phone number linked to every Facebook account was exploited, creating a database containing the information 533m users across all countries.
It was severely under-reported and today the database became much more worrisome 1/2 pic.twitter.com/ryQ5HuF1Cm
— Alon Gal (Under the Breach) (@UnderTheBreach) January 14, 2021
On April 3, quoting his January thread, Gal reported that the 533 million records had now been leaked for free. He added that bad actors would likely use the information in the leaked data for scamming, hacking, social engineering and marketing.
Details include:
Phone number, Facebook ID, Full name, Location, Past Location, Birthdate, (Sometimes) Email Address, Account Creation Date, Relationship Status, Bio.
Bad actors will certainly use the information for social engineering, scamming, hacking and marketing.
— Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
Troy Hunt, founder of haveibeenpwned.com, wrote a long thread on the data leak on April 4. He said that on first review he found the database to be an extensive data set with one file per country. Though he could not find data on anyone from his own family, he said, “I’m hearing from other trustworthy sources that the data is legit, and that seems a reasonable assumption to work on for now.”
On first review, it’s an extensive data set with one file per country and a header row as follows:
phone,uid,email,first_name,last_name,gender,date_registered,birthday,location,hometown,relationship_status,education_last_year,work,groups,pages,last_update,creation_time
— Troy Hunt (@troyhunt) April 3, 2021
Hunt added that he would extract the email addresses and load them, expecting the total to be around 10 million rather than the hundreds of millions of records the hackers had claimed. On the impact of such a breach, with the data freely available, Hunt said, “For a targeted attack where you know someone’s name and country, it’s great for mobile phone lookup. Much harder to do en masse as there’s no reliable key; I couldn’t make a big list of emails and resolve them to phone numbers as email is rare in the data.”
So, I’ll extract those addresses, do some further verification then load the data. It won’t be hundreds of millions of records, I suspect it’ll be less than 10M, but obviously that’s still a substantial number.
— Troy Hunt (@troyhunt) April 3, 2021
After parsing, Hunt found 2,529,621 unique email addresses in the data dump. Anyone can check whether their email address appears in the dump on haveibeenpwned.com.
Email parsing now done, found 2,529,621 unique addresses across the 108 files. Call it about 0.5% of all records having an email address.
— Troy Hunt (@troyhunt) April 4, 2021
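As an added illustration, not Hunt’s own code or anything from haveibeenpwned.com, this is the kind of pass he describes over the per-country files: parse rows under the header row quoted above, count the unique email addresses across all files and the share of records that carry one, and show why email cannot serve as a reliable key back to a phone number. The two “files” and every value in them are constructed for the example.

```python
import csv
import io

# Header row exactly as quoted in Troy Hunt's tweet above.
HEADER = ("phone,uid,email,first_name,last_name,gender,date_registered,birthday,"
          "location,hometown,relationship_status,education_last_year,work,groups,"
          "pages,last_update,creation_time")

# Constructed stand-ins for two per-country files (hypothetical values, not real
# records): one person appears in both with differently cased emails, most rows
# carry no email, and one "email" field is junk.
SAMPLE_FILES = {
    "AA.txt": HEADER + "\n"
        "+10000000001,100001,Alice@Example.org,Alice,A,female,1/1/2010,,,,,,,,,,\n"
        "+10000000002,100002,,Bob,B,male,2/2/2011,,,,,,,,,,\n"
        "+10000000003,100003,,Carol,C,female,3/3/2012,,,,,,,,,,\n",
    "BB.txt": HEADER + "\n"
        "+20000000001,200001,alice@example.org,Alice,A,female,1/1/2010,,,,,,,,,,\n"
        "+20000000002,200002,,Dan,D,male,4/4/2013,,,,,,,,,,\n"
        "+20000000003,200003,not-an-address,Eve,E,female,5/5/2014,,,,,,,,,,\n",
}

def normalise_email(value):
    """Lower-case and strip; None for blanks or values without an '@'."""
    value = (value or "").strip().lower()
    return value if "@" in value else None

def summarise(files):
    """Parse every file and return counts comparable to Hunt's figures."""
    total = records_with_email = 0
    email_to_phones = {}  # email -> set of phone numbers it resolves to
    for content in files.values():
        for row in csv.DictReader(io.StringIO(content)):
            total += 1
            email = normalise_email(row.get("email"))
            if email is None:
                continue
            records_with_email += 1
            email_to_phones.setdefault(email, set()).add(row["phone"])
    return {
        "records": total,
        "records_with_email": records_with_email,
        "unique_emails": len(email_to_phones),  # de-duplicated across files
        "email_pct": 100.0 * records_with_email / total if total else 0.0,
        # Emails resolving to more than one phone: why email is not a reliable key.
        "ambiguous_emails": sum(1 for p in email_to_phones.values() if len(p) > 1),
    }

if __name__ == "__main__":
    print(summarise(SAMPLE_FILES))
```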
Later, on April 6, in a reply to the thread, he said that the phone numbers were also being loaded into haveibeenpwned.com, making it easier for users to check whether their information had been leaked. At the time this report was published, that process was still under way. He added that when there is a vacuum of information, people speculate: “Facebook needs to make a clear statement on the data that’s in broad circulation; when it happened, where it came from and what’s in it. Without that, confusion and speculation reign,” he said.
The Facebook phone numbers are now being loaded into @haveibeenpwned and will be searchable later today. Stay tuned, I’ll push out a short blog once it’s good to go (will be queryable via the existing API too 😎).
— Troy Hunt (@troyhunt) April 6, 2021
Joe Tidy, cyber reporter for the BBC, listed the Facebook breaches that affected more than one million users. According to his post on Twitter, in 2019 alone there were four data breaches at Facebook, affecting 600 million (March 2019), 540 million (April 2019), 419 million (September 2019) and 309 million (December 2019) users.
In case you’re lost, here’s all Facebook’s data breaches that affected more than 1m users.
– June 2013: 6m users
– 2016: 90m (Cambridge A)
– May 2018: 14m
– Sept 2018: 50m
– March 2019: 600m
– April 2019: 540m
– Sept 2019: 419m
– Dec 2019: 309m
What were they doing in 2019?
— Joe Tidy (@joetidy) April 5, 2021
With several breaches in 2019, there was confusion over which data set had been made available online. In another tweet, Tidy said that, according to Facebook’s confirmation, the dump now in circulation was from September 2019, the breach initially thought to involve 400 million users.
Confirmed by Facebook. These 2 breaches in 2019 were indeed separate. So there was one in April that led to 500m users data exposed and another in September (the one we are all talking about now) which was initially 400m users. 🤯 https://t.co/vJu2NRl9YQ
— Joe Tidy (@joetidy) April 5, 2021
Speaking to OpIndia, Sunny Nehra, admin at Hacks And Security, said, “Though the data is old, downplaying the leak is not the way to go. The dump has an enormous amount of data that bad actors can use for spamming, hacking and marketing.” He added that security in the digital space is an illusion: all applications suffer from one vulnerability or another, and the better they are tested, the more vulnerabilities are found. Facebook has a proper bug bounty program through which anyone who finds a valid vulnerability can report it and receive recognition and financial rewards, but malicious hackers prefer to misuse such flaws rather than report them.
Facebook acknowledged a vulnerability in 2019 in its “view as” feature that potentially exposed the access tokens of 50 million users to hackers. This or another vulnerability that lets an attacker access private information could have been used to fetch this data. Nehra added, “Any data breach should not be taken lightly. When users are informed about the breach, they can take the required steps to avoid any further damage.”
Tomasz Onyszko, founder of Predica, called it a “truly global phone book”. He said, “If it confirms and it is not a random dataset scraped from other sources, then it might be the first, truly global phone book.”
If it confirms and it is not a random dataset scraped from other sources, then it might be the first, truly global phone book. @troyhunt have you got this reported / checked already?
/cc: @niebezpiecznik https://t.co/Ca8q2NOdDh
— Tomasz Onyszko (@tonyszko) April 3, 2021
Facebook trying to downplay the leak
Several Facebook executives have taken it upon themselves to downplay the leak. Liz Bourgeois, Director of Strategic Response Communications at Facebook, said on Twitter that the data is old: “This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019.” However, the executives fail to acknowledge that even though the data dates from 2019, it contains users’ phone numbers and email addresses, which do not change that often.
This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019. https://t.co/mPCttLkjzE
— Liz Bourgeois (@Liz_Shepherd) April 3, 2021
Governments initiating probe over data leak
The data breach has sparked worldwide outrage. As per reports, Turkey, Ireland and the Philippines have so far initiated probes into the data leak. On April 5, the Philippines’ National Privacy Commission (NPC) said that it is currently investigating the large-scale data breach. The NPC said it is validating the information that over eight lakh Facebook accounts of Filipino netizens have been “compromised as part of the large-scale breach affecting 533 million global users of the social media networking site.”
Turkey’s Personal Data Protection Authority (KVKK) also launched a probe into the data leak. As per reports, KVKK on Monday decided to initiate an ex officio investigation into the leak in which the information of 533 million Facebook users was shared on a hacker forum.
Ireland’s Data Protection Commission (DPC) initiated a probe despite Facebook’s claim that the data is old. Graham Doyle, deputy commissioner at the DPC, said that the data dump appears to be from the previous leak and that it happened before the EU’s GDPR privacy legislation came into effect. “However, following this weekend’s media reporting, we are examining the matter to establish whether the dataset referred to is indeed the same as that reported in 2019,” he added.
Phone numbers and emails are a ‘blessing’ for spammers, scammers and marketers
Even if the number of email addresses and phone numbers in the dump is not in the hundreds of millions, as the hacker suggested, the possible uses of such data still pose a serious threat to privacy. It should be noted that phone numbers and email addresses are not just used for sending spam. Here are some of the risks you may be exposed to if your information is leaked.
- Attackers can send links to malicious pages or files that lead to financial losses. By clicking a malicious link in a message or email, you may unknowingly grant an attacker access to your computer or phone. One of the main concerns is phishing emails: many Facebook users are not well versed in technology and often fall for phishing attacks that can lead to identity theft and financial losses.
- Phone numbers and email addresses are often sold online to marketers, who may use them to send spam. It does not matter whether you are registered with a ‘Do Not Disturb’ service or not; spammers will not respect any government regulation.
Facebook has been facing criticism for data leak and malpractices
There have been several instances where Facebook was accused of, and in some cases fined for, data breaches and malpractices. In 2019, Facebook agreed to a $5 billion settlement with the US Federal Trade Commission (FTC) after it was found that the company had been collecting users’ phone numbers on the pretext that they would be used only for two-factor authentication.
During the investigation, it was found that Facebook was using the collected numbers to target its users with additional advertising. The FTC said at the time, “Facebook violated the FTC Act by engaging in a new set of deceptive practices relating to the collection and use of consumer phone numbers provided by consumers to enable security features such as two-factor authentication.” Following the case, Facebook was permanently barred from using numbers gathered for two-factor authentication for advertising purposes.
In 2020, Canada’s independent Competition Bureau fined the tech giant CAD 9 million for improperly sharing data with third-party developers. The competition watchdog said that “the company made false or misleading claims about the privacy of Canadians’ personal information on Facebook and (messaging app) Messenger”.
In 2019, Brazil fined Facebook $1.65 million for improperly sharing users’ data in a case linked to the global Cambridge Analytica scandal. The Ministry of Justice said that Facebook did not inform users “about the consequences of the default privacy settings, especially in relation to the data of ‘friends and friends of friends’.”
In February 2021, the Italian competition watchdog fined Facebook 7 million euros for not complying with a request to correct improper commercial practices in its treatment of user data. The fine was imposed after Facebook failed to publish the amended statement ordered by the watchdog in 2018, when it found that Facebook had not properly informed users about its collection and use of their data.
At that time, the watchdog had fined Facebook 5 million euros and asked it to publish an amended statement on the homepage of its Italian website, in the Facebook app and on the personal page of each registered Italian user.
What can users do about the leaked data?
As the data leak happened around two years ago, and the data has since been sold and resold, there is not much you can do about the leak itself. However, there are steps you should take now that the data is freely available for hackers across the world to download.
- Do not click on any link you receive by email or SMS, especially from an unknown number or email address.
- If you receive an email or message from your bank, a financial institution or a government body, or one claiming you have won a prize, avoid clicking the links in it. It is better to visit your bank’s website directly and check whether the claim made in the message is genuine.
- Inform your friends and family about the data breach. Tell them not to click any link in messages or emails from unknown senders.
- Avoid clicking on shortened links; this is a standard precaution against hacks and scams.
- If you haven’t already, install a good antivirus on your computer and smart devices.
- You can check whether your information was leaked by entering your email address or phone number at https://haveibeenpwned.com/.