Personal data of over half a billion Facebook users leaked online publicly


Social media platforms and user data leaks are no strangers to each other. Hackers often exploit a vulnerability to scrape data, and sometimes seemingly legitimate clients simply abuse their access. Remember the Facebook-Cambridge Analytica scandal? Well, Facebook is again at the center of another huge data leak that has seen the personal information of over half a billion users make its way online. As per a report by BusinessInsider, the data of over 533 million users – which includes details such as phone number, email address, job info, and date of birth, to name a few – was put up for sale online. Later, it was shared freely on the web.

“The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and – in some cases – email addresses.”

BusinessInsider claims to have verified the leak by matching certain Facebook user phone numbers with the identification number in the leaked data set, and also verified the email addresses using the password reset feature. Liz Bourgeois, who is Director of Strategic Response Communications at Facebook, tweeted that the leaked data originated from a vulnerability that was fixed back in 2019.

Old data? Yes. But how often do you change the number and email linked to your Facebook profile?

Though the leaked data might be two years old, even if 1% of affected users still have that phone number and email address linked to their Facebook profile, the number of users whose personal data was leaked stands at over 5 million. And I am being a little too optimistic here, since a majority of social media users aren’t too cautious when it comes to the security of their personal data and don’t even use critically important tools such as two-factor authentication.

Coming back to the Facebook leak, the data – despite being two years old – can still be exploited for a variety of attacks, ranging from hacking and phishing to spamming. And the worst part is that the entire dataset was posted online on hacking forums for free, which means that anyone who knows their way around data has a treasure trove of information about half a billion Facebook users.

Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, discovered the leaked data of Facebook users being sold, and later shared publicly. “Users having their personal information leaked is a huge breach of trust,” Gal was quoted as saying. Troy Hunt, creator of the HaveIBeenPwned database, says the leak is legit and he has already uploaded the leaked email addresses to the HaveIBeenPwned database, where you can verify if your personal data was also leaked. Chances are high that it was!

And even if the percentage of users whose phone number was leaked stands at 20%, the number is still substantial. Plus, the phone numbers in the leaked dataset also come with the country codes neatly arranged, which means it can be abused by malicious parties on a regional basis to a variable extent. Aside from usual spamming, there are a ton of shady services out there that can abuse these millions of leaked phone numbers in different parts of the world.

The leaked data is everywhere

Of course, there are a lot of cybersecurity experts and regular users out there who are asking questions about the massive leak. Will Facebook take accountability? Is the social media giant going to notify users who were affected by the leak? What steps should users take if their email and phone number were leaked? The risks of targeted attacks are high, especially given the massive scale and global reach.

Hunt notes that the leaked Facebook user data is not only available on hacking forums, but is also circulating on social media platforms. “This data is everywhere,” he adds. While Facebook should be made to answer for the massive leak, the least that the company can do for its humongous user base is notify affected users, and it definitely has the resources to do so. A simple notification will be enough, for starters!


Nadeem Sarwar
