In what’s likely to be a goldmine for bad actors, personal information associated with approximately 533 million Facebook users worldwide has been leaked on a popular cybercrime forum for free—which was harvested by hackers in 2019 using a Facebook vulnerability.
The leaked data includes full names, Facebook IDs, mobile numbers, locations, email addresses, gender, occupation, city, country, marital status broken, account creation date, and other profile details broken down by country, with over 32 million records belonging to users in the U.S., 11 million users the U.K., and six million users in India, among others.
Also included in the leak are phone numbers from Facebook CEO Mark Zuckerberg, and co-founders Chris Hughes, and Dustin Moskovitz, who are the fourth, fifth, and sixth members to have registered on Facebook.
Interestingly, it appears that the same phone number is also registered to his name on the privacy-focussed messaging app Signal. “Mark Zuckerberg also respects his own privacy, by using a chat app that has end-to-end encryption and isn’t owned by @facebook,” tweeted Synack Red Team researcher Dave Walker.
In total, the data being offered includes user information from 106 countries. Additionally, the data seems to have been obtained by exploiting a vulnerability that enabled automated scripts to scrape Facebook users’ public profiles and associated private phone numbers en masse. The flaw has since been fixed by Facebook.
“This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019,” said Liz Bourgeois, Facebook’s director of strategic response communications, in a Saturday tweet.
Old data or not, the fact that the data appears to have been obtained by scraping Facebook profiles further complicates the company’s equation with privacy, even as it has emerged relatively unscathed in the wake of the Cambridge Analytica data scandal, in which the British consulting firm amassed of the personal data of millions of Facebook users without their consent for purposes of political advertising.
While this data dump appears to have sold in cybercrime communities at least since last year, a Telegram bot that appeared on the scene earlier this January allowed users to look up a phone number and receive the corresponding user’s Facebook ID, or vice versa for a fee.
But with the data now available publicly for free, it’s likely that the leak will allow malicious adversaries to exploit information for social engineering, marketing scams, and other cybercrimes. Users who have shared their phone numbers and email addresses with Facebook and have not changed them since 2019 are advised to watch out for possible smishing attacks, spam calls, and fraud.