Data scraped from Facebook between June 2017 and April 2018 was leaked to a low-level hacking forum on 3rd April 2021.
The leaked data included information from 533 million Facebook users, including:
- Account creation data
- Date of birth
- Email address
- Facebook ID
- Facebook bio
- Full name
- Location
- Marriage details
- Phone number
- Past location
- Relationship data
Not every affected user will have had all of these data points exposed, and it is currently difficult to ascertain precisely what information was scraped and from whom.
The leak includes information from users across 106 countries, with 32 million records belonging to Facebook users in the U.S., 11 million records from the U.K. and more across Europe.
The leak was discovered by Alon Gal, Hudson Rock’s Chief Technology Officer:
All 533,000,000 Facebook records were just leaked for free.
This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked.
I have yet to see Facebook acknowledging this absolute negligence of your data. https://t.co/ysGCPZm5U3 pic.twitter.com/nM0Fu4GDY8
— Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
Alon told Business Insider:
“Individuals signing up to a reputable company like Facebook are trusting them with their data, and Facebook [is] supposed to treat the data with utmost respect.”
He also stated that the data leak is a breach of trust and should be dealt with accordingly.
Facebook Calls The Personal Information Leak ‘Old News’
Liz Bourgeois, Facebook’s Director of Strategic Response Communications, tweeted on the day the leak was discovered, calling it ‘old news.’
This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019. https://t.co/mPCttLkjzE
— Liz Bourgeois (@Liz_Shepherd) April 3, 2021
However, personal details such as email addresses, full names, phone numbers, and locations do not change regularly, so this latest leak is still valuable to cybercriminals who could use this information fraudulently.
Although not all of the information will still be accurate today, it is fair to presume that much of it will be, leaving users susceptible to phishing and smishing attacks, in which hackers or cybercriminals try to make their victims click a link or reply to a text message.
Ulrich Kelber, a German federal data protection regulator, tweeted a picture of one such attempt, with a comment that translates to:
Thanks, @facebook. By the way, I haven't been a user since 2018. What were my data still doing with you in 2019? pic.twitter.com/aUY4iyC8XG
— Ulrich Kelber (@UlrichKelber) April 5, 2021
Ivan Righi, a cyberthreat intelligence analyst at Digital Shadows, has stated that the personal information would originally have been available at a high price, limiting the number of hackers opting to purchase the information.
He specified that the information was likely resold multiple times until the asking price fell so low that it was published publicly, which is typical behavior among hackers.
He also stated that:
“While the data may be old, it still holds a lot of value to cybercriminals.”
It’s possible that this information could be used in attempts to bypass two-factor authentication on accounts such as bank accounts, particularly where the leaked phone number is the second factor.
At the very least, Facebook victims can expect an increase in nuisance calls.
Is This A GDPR Breach?
The Information Commissioner’s Office (ICO) states that the relevant regulator must be notified of any significant data breach or leak within 72 hours.
Whether Facebook is in breach of the EU’s General Data Protection Regulation (GDPR) legislation is currently up for discussion.
The original scraping happened before GDPR was implemented; however, because the social platform states that it closed the loophole in 2019, a year after GDPR came into force, there are questions about whether it should have followed the notification process.
Ireland’s Data Protection Commission stated yesterday that investigations were underway to ascertain whether any rules were violated.
Can You Find Out If Your Information Was Scraped?
You can discover whether your email address or phone number was leaked using a tool called Have I Been Pwned. Troy Hunt, the tool’s creator and a Microsoft Regional Director and MVP, has stated that it can be used to check whether you are a victim of the leak:
I’ve had a heap of queries about this. I’m looking into it and yes, if it’s legit and suitable for @haveibeenpwned it’ll be searchable there shortly. https://t.co/QPLZdXATpt
— Troy Hunt (@troyhunt) April 3, 2021
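A leak-lookup service like the one mentioned above has to answer "is my number in the dump?" without the person asking having to hand over the number itself. The following is an added example, not Have I Been Pwned's code: it models the hashed-prefix range query that HIBP uses for its Pwned Passwords service (the site's email and phone breach search works differently), built over a constructed leak sample. The identifier normalisation, the five-character prefix length and the sample data are assumptions made for this illustration.

```python
"""Range-search (k-anonymity) lookup of an identifier against a leak index.

Added example, not Have I Been Pwned's code. It models the hashed-prefix range
query HIBP uses for Pwned Passwords; the leak sample below is constructed.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample of "leaked" identifiers (not real data).
CONSTRUCTED_LEAK = [
    "+14155550123",
    "alice@example.com",
    "+447700900123",
    "bob.smith@example.org",
]


def normalise(identifier: str) -> str:
    """Canonicalise before hashing so formatting differences do not hide a match."""
    ident = identifier.strip()
    if "@" in ident:
        return ident.lower()
    # Phone number: keep the digits only, then restore the leading '+' for E.164 form.
    digits = re.sub(r"\D", "", ident)
    return "+" + digits


def sha1_hex(value: str) -> str:
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


class RangeIndex:
    """Server side: maps a 5-hex-character prefix to the matching 35-character suffixes.

    The server only ever learns the prefix the client sends, never the identifier.
    """

    PREFIX_LEN = 5  # assumed prefix length (20 bits of a 160-bit hash)

    def __init__(self, identifiers):
        self._index = defaultdict(set)
        for ident in identifiers:
            digest = sha1_hex(normalise(ident))
            self._index[digest[: self.PREFIX_LEN]].add(digest[self.PREFIX_LEN :])

    def range(self, prefix: str):
        """Return every stored suffix under this prefix (the 'range' response)."""
        return sorted(self._index.get(prefix.upper(), ()))


def query_prefix(identifier: str) -> str:
    """What actually leaves the client: the first five hex characters of the hash."""
    return sha1_hex(normalise(identifier))[: RangeIndex.PREFIX_LEN]


def is_leaked(identifier: str, index: RangeIndex) -> bool:
    """Client side: hash locally, send only the prefix, compare suffixes locally."""
    digest = sha1_hex(normalise(identifier))
    prefix, suffix = digest[: RangeIndex.PREFIX_LEN], digest[RangeIndex.PREFIX_LEN :]
    return suffix in index.range(prefix)


if __name__ == "__main__":
    idx = RangeIndex(CONSTRUCTED_LEAK)
    for probe in ["+1 (415) 555-0123", "Alice@Example.com", "+14155550999"]:
        print(f"{probe!r}: sends prefix {query_prefix(probe)}, leaked={is_leaked(probe, idx)}")
```

The point of the design is that the client never transmits the email address or phone number: it sends a short hash prefix, receives every suffix filed under that prefix, and does the final comparison itself, so the server learns only that the identifier falls into one of roughly a million buckets. Normalising before hashing matters because a number written as "+1 (415) 555-0123" and one stored as "+14155550123" must hash to the same value.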
Facebook Speaks Out
Facebook’s Product Management Director, Mike Clark, published an article yesterday discussing the breach.
The article discloses that the information was scraped using a Facebook contact importer feature designed to help users find and connect with their friends.
When the social platform became aware of how malicious actors were using this feature, it made changes to it.
The article advises users to update the ‘How people find and contact you’ control, carry out privacy checkups regularly and enable two-factor authentication.
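Facebook's article says the scraping abused the contact importer and that changes were made, without describing them. As an added example, not Facebook's code, the following shows the kind of detection a service operating such a feature can run over its lookup logs: a legitimate address-book upload contains a modest number of unrelated numbers, most of which belong to real users, whereas a scraper submits a large, numerically consecutive range in which almost nothing matches. The log format, client identifiers, thresholds and the sample traffic are all assumptions constructed for this illustration.

```python
"""Spotting bulk phone-number enumeration against a contact-import endpoint.

Added example, not Facebook's code. The log format, client identifiers,
thresholds and sample traffic are assumptions constructed for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed sliding window per client
MAX_DISTINCT = 200              # assumed budget of distinct numbers per window
MIN_SAMPLE = 50                 # only judge ratios once a client has this many lookups
MAX_MISS_RATIO = 0.9            # real address books mostly contain existing users
MAX_SEQUENTIAL = 0.8            # real address books are not numerically consecutive


def build_sample_log():
    """Constructed log: one ordinary upload and one client walking a number range."""
    t0 = datetime(2021, 3, 1, 10, 0, 0)
    lines = []
    # Ordinary client: 30 unrelated numbers, about a third with no account behind them.
    for i in range(30):
        ts = t0 + timedelta(seconds=i)
        phone = f"+1415555{100 + 7 * i:04d}"
        result = "miss" if i % 3 == 0 else "match"
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} client=app-7f3a phone={phone} result={result}")
    # Enumerating client: 300 consecutive numbers, almost all with no account.
    for i in range(300):
        ts = t0 + timedelta(seconds=i)
        phone = f"+1650555{1000 + i:04d}"
        result = "match" if i % 50 == 0 else "miss"
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} client=app-9c21 phone={phone} result={result}")
    return sorted(lines)


def parse_line(line):
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            fields["client"], fields["phone"], fields["result"])


def sequential_fraction(phones):
    """Share of adjacent pairs (after numeric sort) that differ by exactly one."""
    nums = sorted(int(p.lstrip("+")) for p in phones)
    if len(nums) < 2:
        return 0.0
    adjacent = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return adjacent / (len(nums) - 1)


def detect_enumeration(lines):
    """Return {client: (first alert time, reasons)} for clients that look like scrapers."""
    windows = defaultdict(deque)  # client -> recent (ts, phone, result) within WINDOW
    alerts = {}
    for line in lines:
        ts, client, phone, result = parse_line(line)
        q = windows[client]
        q.append((ts, phone, result))
        while ts - q[0][0] > WINDOW:
            q.popleft()
        distinct = {p for _, p, _ in q}
        reasons = []
        if len(distinct) > MAX_DISTINCT:
            reasons.append(f"{len(distinct)} distinct numbers within {WINDOW}")
        if len(q) >= MIN_SAMPLE:
            miss_ratio = sum(1 for _, _, r in q if r == "miss") / len(q)
            if miss_ratio > MAX_MISS_RATIO:
                reasons.append(f"miss ratio {miss_ratio:.2f}")
            seq = sequential_fraction(distinct)
            if seq > MAX_SEQUENTIAL:
                reasons.append(f"sequential fraction {seq:.2f}")
        if reasons and client not in alerts:
            alerts[client] = (ts, reasons)
    return alerts


if __name__ == "__main__":
    for client, (ts, reasons) in detect_enumeration(build_sample_log()).items():
        print(f"{ts:%H:%M:%S} {client}: {'; '.join(reasons)}")
```

The per-client budget on its own would let a patient scraper stay under the limit, which is why the miss ratio and the sequential-range check are evaluated as well: they describe the shape of the traffic rather than its volume, and an alert on either is a reason to throttle or block that client and to review what the endpoint returns for non-matching numbers.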
Unfortunately, incidents like this are nothing new, and as the internet develops, so will the techniques that take advantage of any available data.
Twitter users were victims of hacks on 15th July 2020, and WordPress also has its troubles. Unfortunately, protection against these events is often reactive, as hackers keep finding new vulnerabilities to exploit.