533 Million Facebook Account Records Posted to Forum
Facebook Says Data Comes From Previously Reported 2019 Incident
A security researcher has found more than 500 million Facebook records made available for free on the darknet, exposing basic user information, including any phone numbers associated with the accounts.
Alon Gal, chief technology officer at Hudson Rock, found the 533 million records in a darknet forum. They represent users in 106 countries and contain phone numbers, Facebook IDs, full names, locations, past locations, birthdates and, in some cases, email addresses, account creation dates, relationship status and the biographical information submitted by the account owners.
"Bad actors will certainly use the information for social engineering, scamming, hacking and marketing," he tweeted.
Facebook, in a statement quoted by The Associated Press, claims this is old news.
“This is old data that was previously reported on in 2019,” Facebook reportedly said. “We found and fixed this issue in August 2019.”
Gal first spotted the database earlier this year when he noticed that a malicious actor had created and was advertising a Telegram bot that allowed anyone to search the database and find phone numbers linked to accounts, but it was not open at that time.
"Few days ago a user created a Telegram bot allowing users to query the database for a low fee, enabling people to find the phone numbers linked to a very large portion of Facebook accounts. This obviously has a huge impact on privacy. pic.twitter.com/lM1omndDET"
— Alon Gal (Under the Breach) (@UnderTheBreach) January 14, 2021
The database is now available for free, Gal says.
Business Insider reports that the data is several years old and that a Facebook spokesperson says that the data was scraped due to a vulnerability that the company patched in 2019.
Information Security Media Group could not immediately reach a Facebook representative for comment.
Facebook's Data Breach History
In 2018, 30 million Facebook accounts were breached, with 14 million accounts having an extensive amount of information exposed. This information included the account holders' 15 most recent searches, the last 10 places they checked into and the device types used to access Facebook. For another 15 million account holders, the hackers accessed only name and contact details - phone number, email address or both. The attackers did not gain access to any information for another 1 million users whose accounts were affected (see: Facebook Clarifies Extent of Data Breach).
In December 2020, Compliance Week reported that Facebook had set aside $366 million to cover expected EU General Data Protection Regulation fines that could result from an investigation being conducted by Ireland's privacy agency (see: Ireland's Privacy Watchdog Probes Facebook Data Breaches).