The personally identifying information of more than half a billion Facebook users leaked online Saturday, made available for free on a hacking forum. The breach, first spotted by cybercrime intelligence firm Hudson Rock, includes full names, Facebook IDs, phone numbers, locations, birth dates, biographies, and email addresses. The user information of more than 533 million accounts was included in the leak and was confirmed by Business Insider as being authentic.
The huge trove of information appears to have been the result of a security flaw that allowed user information, including phone numbers, to be scraped from Facebook’s vast database of personally identifiable information. The original breach believed to be responsible for the amassing of this leak was first reported on in September 2019. Facebook claims to have identified and addressed the security flaw in August of that same year. “This is old data that was previously reported on in 2019,” a Facebook spokesperson told Bloomberg. This suggests that users who joined Facebook after August 2019 are unlikely to have their data exposed in this leak.
While the data posted on the hacking forum may not be new, it is still significant. Earlier this year, Motherboard reported that a user on a cybercriminal forum was using the same collection of data to sell access to phone numbers linked to a person’s Facebook account. The user even set up an automated system in which prospective buyers could communicate with a bot on the messaging app Telegram, entering a person’s name and being provided their phone number.
At the time, Alon Gal, co-founder and CTO of Hudson Rock, told Motherboard that the database was “very worrying” and warned that “it harms our privacy severely and will certainly be used for smishing and other fraudulent activities by bad actors.” Now that data no longer has the slight hurdle of a paywall to access; it’s available to anyone for free. All it takes to access it is knowing where it is hosted and some pretty low-level database navigation skills. On Twitter, Gal warned that “Bad actors will certainly use the information for social engineering, scamming, hacking and marketing.”
Facebook is in a difficult position with this breach: because it isn’t new, there is little the company can do to combat it. However, it’s a reminder of how much data the company has collected on its users, and how arguably negligent it has been at times with protecting that information. Facebook can’t prevent this data from being passed around and used for nefarious reasons at this point. Information like phone numbers, email addresses, and birth dates is also almost always valuable to malicious actors, no matter how old it is, because it rarely or never changes. That gives this breach value despite the data being nearly two years old.