Alon Gal, Chief Technology Officer of cybersecurity firm Hudson Rock, revealed on Saturday that he had found a leaked dataset of Facebook users’ data that a hacker on a low-level hacking forum had posted.
The dataset contains private information such as Facebook IDs, email IDs, linked phone numbers, dates of birth, and locations of more than 500 million users around the world, of whom an estimated 32 million are in the US, 11 million in the UK, and 6 million in India.
The data was initially offered for a price on the hacking forum in January this year but was later leaked in its entirety for free.
News platform Business Insider verified that the data was legitimate by accessing a sample of the leaked data and matching it with known users’ Facebook IDs. They also confirmed that email IDs matched phone numbers by using the password reset feature, which partially reveals the numbers for users who have that authentication step activated.
All 533,000,000 Facebook records were just leaked for free.
This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked.
— Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
This incident is far from the first time that Facebook’s lax security systems have led to the data of millions of users being compromised. In 2016, British political advertising firm Cambridge Analytica breached Facebook’s policy and scraped the data of nearly 100 million users to generate targeted political ads for the elections that year. Following this scandal, Facebook promised to revise its security policies and ensure a higher degree of protection of users’ data.
In August 2019, the phone numbers of over 400 million users were leaked online. At the time, Facebook claimed to have patched the bug that made this breach possible but provided no further information as to what changes were made. They also denied the extent of the security breach, saying that only about 200 million accounts’ data had been leaked.
Alon Gal said that the freely available data now left affected users highly susceptible to social engineering attacks and malicious hacking attempts, considering how much private information has been leaked. He further noted that there was not much Facebook could do right now to protect the already leaked data except ensure that its users are alerted to the possibility of being exposed to phishing scams and other cybercrimes and that they take necessary precautions.