Facebook data breach puts 500 million users at risk

What do we know about the leak?

The breached data came from a security vulnerability that Facebook patched in 2019. It includes names, phone numbers, Facebook IDs, emails, relationship statuses, locations, and other information on 533 million users from 106 countries. This data was found on a hacking forum, free to download.

Egypt (44.8 million users), Tunisia (39.5), Italy (35.7), and the US (32.3) were among the most affected countries.

A Facebook spokesperson called the data “old” and pointed out that the actual amount of leaked records might be much lower, as there are many duplicate accounts. However, this is not a good argument. People don’t change their phone numbers every year and this could put millions of users at risk.

The involvement of Telegram bots

Attentive readers might remember that a couple of months ago we wrote another article on a Facebook breach. Are these stories related?

Yes — in fact, we’re talking about the same issue. In January, the news began to spread that hackers were selling Facebook users’ info, using a Telegram bot. The bot allowed people to match Facebook IDs with phone numbers, and vice versa.

At that point, cybercriminals were still selling this service, so why is the data now freely available? Well, it may be because the Telegram operation stopped being profitable over time, but some cybersecurity researchers believe that releasing data like this is a way for hackers to gain credibility in their community.

How to check if your data was leaked

You don’t need to wonder across hacking forums to find out whether your personal information was leaked. Head to the Have I Been Pwned website, operated by cybersecurity expert Troy Hunt, and find out if you’ve been pwned.

All you need to do is input your phone number or email address, and the website will immediately show if your details were exposed in any verified data breach.

What can somebody do with your personal information?

Knowing your phone number, email address, and Facebook ID is enough to set up various cyber attacks and scams:

• Smishing. Hackers can send you text messages with malicious links, infect your device with malware, and steal your credit card information.
• Phishing. Similar to smishing, phishing involves fake emails designed to look like they came from a reputable organization, like a bank or government agency.
• Identity theft. Criminals can impersonate you and trick your friends or co-workers into “loaning” them money. They can also contact various service providers pretending to be you and try to exploit them.
• Vishing. If you have received a suspicious call from your tax agency or internet provider, asking you to reveal your sensitive information, it might be a vishing attempt. Perpetrators can also pretend to be someone you know and try to manipulate you into giving away passwords and other details.

What can you do to stay safe?

If you’ve discovered that your personal details were exposed on Facebook leak, there are a couple of things that you need to be aware of, and steps you can take to protect yourself:

1. Expect attention from criminals. From now on take every call, SMS, or email with a healthy dose of scepticism. If something smells fishy, don’t take any risks: ignore the caller and their requests. We all receive enquiries from legitimate institutions, but they never ask us to reveal our credit card details or other highly sensitive information.
2. Change your passwords. Even though passwords were not exposed in this leak, it’s not the bad idea to change them. This applies not only to your Facebook account, but also to other services where you might have used the same email address for registration. Use a password manager like NordPass to create strong passwords and store them securely.
3. Enable two-factor authentication. This won’t be the last time Facebook has found itself in the middle of a leak. With two-factor authentication, you need to authenticate yourself via an SMS, token, or app after typing your password. This improves your security and mitigates the risk of having your account stolen one day.
4. Don’t overshare on Facebook. Bios, relationship statuses, and even occupations ended up on the leaked database. While you might think this information is worthless, it can be used to launch a social engineering attack. See what Facebook knows about you and remove any sensitive information that can get you in trouble.