Personal data belonging to hundreds of millions of Facebook users were reportedly leaked online.
A user in a low-tier cybercriminal forum posted Facebook IDs, full names, locations, birthdates, phone numbers, bios, marital status, employer, and, in some cases, the email addresses of more than 533 million Facebook users.
The accounts on record reveal personal information from users spanning 106 countries with over 32 million records on US users, 11 million for US users, and 6 million in India. The leaked data were tested and verified independently, supporting the validity of the record set.
A Facebook insider addressed the data breach issue, claiming the records stolen were old data. In a statement, the company said that the breach could be attributed to a 2019 vulnerability, specifically in its contact importer tool.
A Gateway to Fraud and Impersonation
Despite the data being over two years old, experts suggest they could still be a gateway for cybercrimes. Alon Gal, chief technology officer of the cybercrime intelligence firm Hudson Rock, discovered the data leaks.
He said that even if the records date back two years, they could still be helpful to cybercriminals. These individuals prey on people’s data to commit fraud, impersonate users, or blackmail them in exchange for their login credentials.
He stressed that the database of personal data is considerable enough for nefarious individuals to exploit for hacking and social engineering.
Since it is accessible to anyone on the internet, those who have rudimentary data skills may use it for social engineering scams and other fraudulent activities online.
Not the First Time
Facebook users’ phone numbers were exposed online before. The same dataset has been around since the beginning of the year.
Motherboard reported on an automated bot through which people could pay to acquire the phone numbers of Facebook users. This information was also posted in the same forum. With this new development, payment is unnecessary as the dataset is published for free.
According to Facebook, the vulnerability exposed in 2019 led to millions of phone numbers being scraped from the platform’s servers, violating the terms of the agreement.
The company reportedly fixed the software vulnerability in August of 2019. However, Facebook plans to forcefully regulate mass-data scraping, considering the massive violations of Facebook’s terms of service during the 2016 election campaign.
A Huge Breach of Trust
Gal stated that since the database is already out in the open, there is not much Facebook can do to protect its users.
However, he also stressed that Facebook should notify the affected users so they could be aware and remain cautious about individuals who may take advantage of their personal data.
He also asserted that even though Facebook is free, the private information provided by people signing up should be treated with the utmost respect. Therefore, “personal information leaked is a huge breach of trust and should be handled accordingly.”