Facebook users can now check if their information has been stolen by hackers in a huge data breach last week.
Users are encouraged to use the data breach notification service Have I Been Pwned to check if their personal info was exposed in a Facebook data leak that contains phone numbers, emails, addresses, etc. of over 500 million users.
Last Saturday, a threat actor released the personal information of 533,313,128 Facebook users on a low-level hacking forum. The data included mobile numbers, names, gender, location, relationship status, occupation, date of birth, and email addresses.
Unknown hackers stole this data in 2019 by exploiting a vulnerability in the ‘Add Friend’ feature on Facebook. Facebook patched this vulnerability soon after, but the hackers subsequently sold the data to private individuals, and it continued to circulate until it was finally released, practically for $2.19, last Saturday.
Troy Hunt, the maintainer of the Have I Been Pwned data breach service, has added the leaked data to the database to help users determine if a Facebook member’s data had been exposed in the breach.
Have I Been Pwned is an open collection of data exposed in various data breaches. Its goal is to give users a way to check if their information was exposed. Anyone can do so by entering their email address, and the website will return a list of the data breaches that exposed their data, if any.
Any Facebook user is encouraged to visit Have I Been Pwned and check if Saturday’s Facebook leak included their email address. One can simply enter their address in the search field and click the “Pwned?” button.
The author of this post searched the database and found out that it had in fact been leaked.
Unfortunately, one can use only email addresses, not phone numbers, for checking on Have I Been Pwned. “Unfortunately” because only 2.5 million out of the 533 million Facebook member records included email addresses. The majority of user-identifiable fields in the Facebook leak on Saturday were phone numbers.
Due to this, if Have I Been Pwned does not say you’ve been “pwned,” you could still be a victim of the leak.
Troy said he was working on adding a way for users to input phone numbers to run checks on his website.
“That’s the email addresses loaded,” Hunt tweeted yesterday. “I’m still considering what to do with the phone numbers.”