The data in question first leaked in January, but at the time hackers had to pay for it through a Telegram bot. That cost, and the method of retrieving it, somewhat limited its spread. But over the weekend, security researcher Alon Gal discovered the data posted on a hacker forum for free.
All 533,000,000 Facebook records have just been leaked for free.
This means that if you have a Facebook account, it is very likely that the phone number used for the account has been leaked.
I have yet to see Facebook recognize this absolute negligence of your data. https://t.co/ysGCPZm5U3 pic.twitter.com/nM0Fu4GDY8
– Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
The breach contains information on users in 106 countries, including 32 million US users and 11 million UK users. Troy Hunt, of haveibeenpwned, already has a copy of the data, and in his analysis few records (about 0.5%) contain email addresses. But many more include phone numbers, dates of birth and other personally identifiable information: everything you need to carry out a SIM swapping attack or take over an account.
E-mail parsing is now complete, 2,529,621 unique addresses were found in the 108 files. Call it about 0.5% of all records with an email address.
– Troy Hunt (@troyhunt) April 4, 2021
Hunt, for his part, is considering adding a new phone number field to haveibeenpwned.com. Currently you can only check breaches against your email address, which in this case is not very useful. But adding a phone number field comes with risks, so Hunt is still deciding as of this writing.
In a statement to Bleeping Computer, Facebook stated that hackers stole the data using a vulnerability the company patched in late 2019, which means that the stolen data is almost two years old, and if you have changed your email address or phone number since then, what the hackers have is obsolete. But of course other data does not change (such as dates of birth), and people usually keep phone numbers and email addresses for many years, so the age of the data is of little comfort.
For its part, Facebook does not seem to be notifying the affected users, which would be a useful move. If you want to determine whether you are part of the leak, you can start with haveibeenpwned. For now, that's an email-only option, but hopefully Hunt will add a phone number field in the future.
via Bleeping Computer