533 million users compromised is old news, Facebook says

By Robert Scammell

A database containing the phone numbers and personal data of approximately 533 million Facebook users has resurfaced after it was made freely available on a hacking forum.

Most entries contained a phone number, while a varying number of entries included Facebook ID, name, date of birth, gender, location, relationship status, occupation and email addresses.

According to researchers, the data relates to people in 106 countries. Among the phone numbers exposed in the leak are those of Facebook chief Mark Zuckerberg and fellow co-founders Chris Hughes and Dustin Moskovitz.

Facebook said the data was from a previously reported data breach in 2019. However, the publishing of the database for free has raised concerns of a heightened risk of scams and cyberattacks against those whose data was stolen.

A Facebook spokesperson told security news site BleepingComputer that it is “old data that was previously reported on in 2019”.

They added: “We found and fixed this issue in August 2019.”

Verdict has contacted Facebook to clarify which breach the data stems from, as there were multiple data leaks that year.

Four data breaches affecting more than 1.7 billion people were reported that year, although it is likely that there were overlapping records.

According to Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, the phone number data was harvested through Facebook’s ‘Add Friend’ feature. It has since been patched.

Despite Facebook’s claims that the data is old, data regulators have said they are looking into the matter.

An ICO spokesperson told Verdict that it is “aware of these reports and will be looking into them on behalf of UK citizens, including liaising with international colleagues where relevant”.

Ireland’s Data Protection Commission, a key regulator due to Facebook’s European headquarters being located in Dublin, also said it was looking into the data leak.

Facebook users can check whether their data is in the leak by visiting Have I Been Pwned.

“Unique passwords are vital and corporate mistakes such as this prove how easily personal data can be stolen and used against their victims,” said Jake Moore, cybersecurity specialist at internet security firm ESET.

“Identity theft can be very simple with small amounts of stolen personal data, so victims must be vigilant of follow-up phishing emails. Furthermore, two-factor authentication is an important extra layer of protection for all accounts and helps keep threat actors from gaining entry to vulnerable or exposed accounts.”