Information belonging to approximately 533 million Facebook users has leaked online in recent days, according to security researcher Alon Gal, raising concerns about a spike in scams targeting vulnerable Facebook users.
The data, which comes from people from over 100 countries, includes users’ phone numbers, email addresses, full names, birthdates and location, among other identifiers, according to Insider, which first reported the news. The dataset includes 32 million records for users in the U.S.
The existence of the leak was first reported by Motherboard in January. Facebook users’ personal data was available for sale online then — criminals could pay a couple of dollars to a Telegram bot in order to gain access to Facebook users’ phone numbers. Now, a suspected cybercriminal has posted the data to a hacking forum, free of charge.
Facebook said in a comment that the information leaked due to a vulnerability that had been fixed in 2019.
“In 2019, we removed people’s ability to directly find others using their phone number across both Facebook and Instagram – a function that could be exploited using sophisticated software code, to imitate Facebook and provide a phone number to find which users it belonged to,” a Facebook spokesperson told CNN Business. Facebook did not immediately return CyberScoop’s request for comment.
Ireland’s Data Protection Commission said it will probe whether the data is indeed old, according to the BBC.
The Federal Trade Commission, America’s consumer protection agency, declined to comment on whether it also would probe the matter.
The wide swath of people affected is raising concerns that scammers could use the information to commit fraud. Criminals often scour the internet for personal data about targets in fraud schemes, but this leak places several important data points all in one place.
Hackers can use phone numbers in the leak, for instance, to run social engineering scams such as SIM-swapping, in which they trick mobile carriers to transfer someone’s phone number to their own device in order to carry out fraud, such as gaining access to someone’s bank account, or resetting their email and social media accounts’ credentials. Thieves can also leverage the leak by cross-referencing data with other pieces of information contained in other stolen datasets to build a more complete profile of targets.
Troy Hunt has added the leaked email addresses into the breach database Have I Been Pwned, where users can check if their information has been leaked.