Facebook has once again caught media attention for a not-so-good reason: its users' data privacy has suffered another breach. It turns out that some hackers exploited a Facebook vulnerability to scrape data, particularly users' phone numbers. Consequently, the data of 533 million Facebook users is now publicly available on the dark web.
533 Million Facebook Users Data Leaked
Reportedly, a new data dump has surfaced online that includes 533 million records of Facebook users. The data includes the personal information of the users as well as their phone numbers.
The dumped records even include the details of Facebook's founders: Mark Zuckerberg, Chris Hughes, and Dustin Moskovitz, who are among the first 10 users registered on Facebook.
Every record in the dump includes a user's name, Facebook ID, location, gender, date of birth, relationship status, occupation, mobile number, and email address.
Considering how most of these details are often publicly visible, it seems the data dump emerged from a scraping activity.
However, Alon Gal, co-founder and CTO of cybercrime intelligence firm Hudson Rock, also highlighted possible exploitation of a bug. Gal first disclosed this data dump in January 2021.
While Facebook later patched the vulnerability, Gal suspects that the hacker might have exploited this flaw to scrape phone numbers.
Specifically, the data includes details of 533,313,128 Facebook users from 106 countries. The top five countries appearing in this data dump are Egypt, Tunisia, Italy, the USA, and Saudi Arabia.
Gal has shared the full list of countries in his tweet below.
Full list of affected users by country pic.twitter.com/Wrrzd0WyxE
— Alon Gal (Under the Breach) (@UnderTheBreach) January 14, 2021
Initially, the seller put the data up for sale for $30,000. However, the same seller has now released the data for free.
Facebook’s Response
After the news gained media traction, Facebook provided the following statement, confirming that the incident happened two years ago.
This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019.
According to The Record, the attacker exploited a vulnerability in the Facebook contacts importer feature to match the numbers in a supplied list against existing profiles. This allowed the attacker to build up the data set.
Facebook eventually detected that activity and contained the attack while fixing the bug. The tech giant confirmed that the dumped records contain old data collected in 2019.
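A defensive sketch of the abuse pattern described above, added here as an example and not Facebook's code: it scores contact-import uploads per account and flags those that look like generated number lists rather than real address books. The event format, thresholds, and account names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

MAX_CONTACTS = 1000        # assumed cap on distinct numbers per account per window
MIN_SAMPLE = 20            # do not score very small address books
MAX_ADJACENT_RATIO = 0.5   # assumed limit on numbers whose +1 neighbour was also uploaded

def normalise(number):
    """Keep digits only so '+1 (555) 010-0001' and '15550100001' compare equal."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return int(digits) if digits else None

def adjacent_ratio(numbers):
    """Fraction of uploaded numbers whose immediate successor is also present."""
    if not numbers:
        return 0.0
    hits = sum(1 for n in numbers if n + 1 in numbers)
    return hits / len(numbers)

def flag_enumeration(events):
    """events: iterable of (account_id, [phone strings]) for one time window.
    Returns {account_id: reason} for accounts whose uploads look generated."""
    per_account = defaultdict(set)
    for account, phones in events:
        for phone in phones:
            n = normalise(phone)
            if n is not None:
                per_account[account].add(n)
    flagged = {}
    for account, nums in per_account.items():
        if len(nums) > MAX_CONTACTS:
            flagged[account] = "volume"
        elif len(nums) >= MIN_SAMPLE and adjacent_ratio(nums) > MAX_ADJACENT_RATIO:
            flagged[account] = "sequential"
    return flagged

# Constructed sample data (not taken from the incident).
SAMPLE_EVENTS = [
    ("acct_bulk", [f"+1555{n:07d}" for n in range(0, 600)]),
    ("acct_bulk", [f"+1555{n:07d}" for n in range(600, 1200)]),
    ("acct_range", [f"+1 555 010 {n:04d}" for n in range(100, 140)]),
    ("acct_normal", [f"+1555{(n * 7919) % 10_000_000:07d}" for n in range(1, 41)]),
]

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_EVENTS))
```

Aggregating across calls matters here: `acct_bulk` stays under the cap in each individual upload and is only caught once its uploads are combined per account.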
However, details in the dumped data, such as date of birth, are unlikely ever to change. Users also don't frequently change the phone numbers on their accounts.
For now, all Facebook users should remain cautious about phishing emails and SMS messages asking them for any details.