The personal data of over half a billion Facebook users was posted online over the weekend. It appears to have been collected in 2019 through a vulnerability Facebook patched that year, but security professionals believe it could still be useful to cybercriminals.
The database of 533 million records was leaked for free, meaning if you have a Facebook account it is highly likely that the phone number used for it, along with the email address and location, were leaked. Of those affected included Mark Zuckerburg via his personal phone number.
The leak was discovered by Alon Gal, the chief technology officer of the cybercrime intelligence firm Hudson Rock.
Phone number, Facebook ID, Full name, Location, Past Location, Birthdate, (Sometimes) Email Address, Account Creation Date, Relationship Status, Bio.
Bad actors will certainly use the information for social engineering, scamming, hacking and marketing.
— Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
A Facebook spokesperson told Insider that the news of this breach was fixed in 2019. However, the massive database could still be used to impersonate or scam victims.
This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019.
— Liz Bourgeois (@Liz_Shepherd) April 3, 2021
Facebook for Business is a huge tool leveraged by photography professionals around the world. According to a report from Hootsuite, Facebook leads all social networks in purchase decisions made through media platforms, with only Instagram (also a Facebook property) as the next closest platform. Needless to say, if a photographer has a business, they very likely advertise it or at least list it on Facebook. Small businesses in general — which independent local photographers are classified — saw a surge in searches last year.
Facebook representatives have been quick to downplay the leak which, while old, was not revealed until this year. The main point of contention is that while the data wasn’t stolen recently, that information is rarely changed by users and is very likely to still be accurate.
Facebook comms responds to us (and others) tweeting a news story about a data breach of 500m Facebook users rather than actually responding to the data breach of 500m Facebook users. https://t.co/WnSxYEqXvk pic.twitter.com/Nx5a9kdUfm
— The Real Facebook Oversight Board (@FBoversight) April 4, 2021
It should be noted that Facebook did not inform users that their information could have been leaked prior to it being discovered online. Gal says that from a security standpoint, there wasn’t much else Facebook could have done to prevent this particular breach, but that it could have done more to notify users.
Note that the main reason @Facebook has phone numbers for so many people in the first place is they *coerced* users into providing it under the false pretense of ‘security’ — a lie that the @FTC later dinged them for.https://t.co/81m8Pqm2Is pic.twitter.com/RZmsIu6f8v
— ashkan soltani (@ashk4n) April 5, 2021
If you’re concerned that your data was compromised, the website haveibeenpwned.com will let you know if your email was one of those half a billion that was stolen.
The good news is that while 533 million Facebook accounts were included in the breach, only about 2.5 million of those included email in the stolen data. Unfortunately, the tool doesn’t allow you to search for the other data that was leaked online.
Facebook did not respond to a question from CNN on whether the company will provide a way to see if your personal data was part of the leak.
Image credits: Photos licensed via Depositphotos.