This Saturday, a user in a low-level hacking forum published the phone numbers and personal data belonging to over 533 million Facebook users for anyone to see online.
The data was first noticed and reported by Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, who tweeted about his discovery on Saturday.
The exposed data includes the personal information of Facebook users from 106 countries. The majority of compromised users reside in the USA: 32 million records belong to users in the US, another 11 million to users in the UK, and 6 million to users in India.
The leaked data includes phone numbers, Facebook IDs, full names, locations, birthdates, bios, and, for some users, email addresses.
Following the leak, Facebook claimed that attackers must have scraped the data when there was a vulnerability – before the company patched it in 2019.
If true, the leaked data is a couple of years old. Even so, cybercriminals could use this personal information to impersonate the affected users in social engineering campaigns. They can also try to scam those users into handing over login credentials and thus get access to their online accounts.
“A database of that size containing the private information such as phone numbers of a lot of Facebook’s users would certainly lead to bad actors taking advantage of the data to perform social engineering attacks [or] hacking attempts,” Gal told Insider.
Gal first discovered the leaked data in January when he found an ad about an automated bot that could provide phone numbers for hundreds of millions of Facebook users. Motherboard confirmed at the time that the data was genuine. But it wasn’t until this past Saturday that the entire dataset was posted on the hacking forum for anyone to see.
At this time, the identity of the leaker is not known.
In a previous incident in 2019, millions of people’s phone numbers were scraped from Facebook’s servers due to a vulnerability. Facebook patched the bug in August 2019.