Last week, a user dumped personal details of over 533 million Facebook users on a hacking forum. These details included Facebook IDs, phone numbers, names, locations, birthdates and even email addresses.
The information was later reviewed by Business Insider who confirmed that it was geniune. In a statement to Business Insider, Facebook confirmed that the data was scraped due to a vulnerability that was fixed in 2019, making the data at least a couple of years old. Alon Gal, CTO of cybercrime intelligence firm Hudson Rock was the first one to notice the data dump on the hacker forum. Gal first saw someone selling a database of Facebook users through an automated bot back in January. However, last Saturday, the same user dumped the whole dataset on the forum for free, making it available to anyone with a bit of technical know-how.
Legally, companies are required to notify users when their data has been leaked. However, we have seen companies make vague statements and empty promises about data security in the past. As such, more often than not, users don’t know if their data has been leaked or they don’t know how to check if their data was a part of a recent breach.
Fortunately, security researchers work tirelessly to make sure users know when their privacy has been breached or if they have been a vitcim of a data breach. One such researcher is Troy Hunt who runs the popular HaveIBeenPwned service. Hunt recently took to Twitter to confirm the data breach and he also noted that Facebook’s latest breach has been updated on HaveIBeenPwned. As such, you can visit HaveIBeenPwned and enter your email ID associated with your Facebook account to check if your data was leaked during the breach.
Earlier today, Hunt also published a blog post noting that over 500 million phone numbers were leaked in the latest breach. He also talked a bit about why phone numbers were initially not added to HaveIBeenPwned and what made him change his mind. He noted that only a few million email addresses were leaked in the latest breach so the service was not giving acccurate results to people. As such he has also added an option to search records using phone numbers. To do that, you need to visit HaveIBeenPwned and enter the phone number linked to your Facebook account to check if they were leaked during the data breach.
There’s over 500M phone numbers but only a few million email addresses so >99% of people were getting a “miss” when they should have gotten a “hit”. The phone numbers were easy to parse out from (mostly) well-formatted files. They were also all normalised into a nice consistent format with a country code. In short, this data set completely turned all my reasons for not doing this on its head.
This was not Facebook’s first data breach and sadly it won’t be the last. The sensible thing to do is to secure your Facebook account and make sure you are using Two Factor Authentication on all your accounts. Unfortunately, if your data was part of the Facebook data breach then there is nothing you can do now, as the data is out in the open. What you can do, however, is to make sure that you change your Facebook password and don’t use that password again.