A massive data set that includes the personal information of 533 million global Facebook users has been leaked and is widely circulating online. The data, which includes user phone numbers, email addresses, physical addresses, account creation dates, relationship status, and more, was being freely traded in hacker forums over the weekend.
The scraped data was gleaned from Facebook users in more than 106 countries. The leak is believed to have originated courtesy of a 2020 vulnerability, first reported by Motherboard, that allowed users to exploit Facebook’s systems using an automated Telegram bot. Reddit posters and others have been quick to point out that if the number of people affected by this breach were a country, it would be the third most populous in the world, behind China and India.
Facebook has been quick to downplay the leak; on Twitter, various Facebook executives have said that the data is from 2019 and is therefore “old.” What they don’t grapple with is the fact that phone numbers and email addresses don’t change that often.
The results of the vulnerability are now being traded in low-level hacking forums for just a few Euros. And while the data is slightly stale, it still opens the door to all manner of new social engineering and hacking efforts, security researchers say.
"It is very worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing and other fraudulent activities by bad actors," Gal told Motherboard at the time.
According to Troy Hunt of haveibeenpwned.com, the data set includes 108 files, broken down by country, with file names in Italian. Roughly 2,529,621 unique email addresses were added to his website’s database of compromised accounts over the weekend.
While Facebook says the company fixed the vulnerability in 2019, the company didn’t inform its subscribers that the data was circulating in the wild. Security researchers also note that Facebook engaged in misleading behavior to gain access to subscriber phone numbers in the first place.
In 2019, Facebook struck a $5 billion dollar settlement with the FTC after the company collected user phone numbers under the pretense it would be used exclusively for two factor authentication. In reality, Facebook was collecting phone numbers so they could be used to target Facebook subscribers with additional advertising.
“Facebook violated the FTC Act by engaging in a new set of deceptive practices relating to the collection and use of consumer phone numbers provided by consumers to enable security features such as two-factor authentication,” the FTC said at the time.
While Facebook was permanently barred from using numbers gathered from two-factor authentication requests for advertising purposes, the company has also faced repeated scrutiny for other, similar practices, including promoting a “security-focused” VPN that was revealed to be little more than spyware that tracked Facebook users around the internet.
Facebook promised to crack down on large-scale data-scraping after the Cambridge Analytica scandal, which leaked the data of 80 million Facebook users. That data was then exploited for targeted political ads in the 2016 election. The company did not respond to Motherboard for a request to comment, but on Twitter spent much of the weekend downplaying its latest leak.
A lack of a coherent U.S. privacy law for the internet era means meaningful penalties for broader and repeated security and privacy missteps remain elusive. But privacy researcher Gaurav Laroia told Motherboard that states can and should penalize the social media giant.
“It's clear that Facebook hasn't taken its data security obligations seriously,” Laroia said. “That it took them 2 years to acknowledge this breach is also a serious problem. All 50 states and DC have breach notification laws and this whole incident needs to be investigated by state AGs, and the company properly reprimanded if it didn't meet its legal obligations.”