If you’re on Facebook (and who isn’t?), you might want to consider locking down all your accounts. A security researcher discovered the personal data of 533 million Facebook users leaked online in a hacker forum. The data includes phone numbers, names, birthdates, emails, and more.
Update: The Have I Been Pwned site updated to accept phone numbers, and is now the best place to see if your personal information is part of the Facebook leak.
The data in question first leaked back in January, but at the time, hackers had to pay for it through a Telegram bot. The cost and the retrieval method limited its spread somewhat. But over the weekend, security researcher Alon Gal discovered the data posted on a hacker forum for free.
All 533,000,000 Facebook records were just leaked for free.
This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked.
— Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
The breach contains information on users across 106 countries, including 32 million U.S. users and 11 million U.K. users. Troy Hunt, of haveibeenpwned, already has a copy of the data, and in his analysis, few records (about 0.5%) contain email addresses. But far more contain phone numbers, birthdates, and other personally identifying information: everything you might need to pull off a SIM-swapping attack or take over an account.
Email parsing now done, found 2,529,621 unique addresses across the 108 files. Call it about 0.5% of all records having an email address.
— Troy Hunt (@troyhunt) April 4, 2021
For his part, Hunt is considering adding a new field to haveibeenpwned.com for phone numbers. Currently, you can only check your data against email addresses for breaches, but in this case, that’s not very useful. But adding a phone number field comes with risks, so Hunt is still deciding as of this publication.
In a statement to Bleeping Computer, Facebook stated that hackers stole the data using a vulnerability the company patched in late 2019. That means the data stolen is nearly two years old, and if you’ve changed your email address or phone number since then, what the hackers have is out of date. But other data (like birthdates) doesn’t change, of course, and people usually keep phone numbers and emails for many years, so the age of the data is of little comfort.
For its part, Facebook doesn’t seem to be notifying affected users, which would be a helpful move. If you want to determine if you’re part of the leak, you can start with haveibeenpwned. For now, that’s an email-only option, but hopefully, Hunt does add a phone number field in the future. Update: The site now accepts phone numbers to check if your details are part of the leak.