Maybe these spam calls we get on our cell phones are the consequence.
Hackers were reportedly sharing a massive amount of personal Facebook data in January, and now that data appears to have escaped into the wild. According to Business Insider, security researcher Alon Gal has discovered that a user on a hacking forum has made the entire dataset public, exposing details for about 533 million Facebook members. The data includes phone numbers, birth dates, email addresses and locations, among other revealing info.
About 32 million of the users are in the US, while 11 million are from the UK and another 6 million come from India.
All 533,000,000 Facebook records were just leaked for free.
This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked.
I have yet to see Facebook acknowledging this absolute negligence of your data. https://t.co/ysGCPZm5U3 pic.twitter.com/nM0Fu4GDY8
— Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
Gal first spotted the data in January, when Telegram users could pay to search the database. The intruders reportedly took advantage of a flaw that Facebook fixed in August 2019 and reportedly includes information from before that fix. You might not be in trouble if you’re a relative newcomer or have changed key details in the time since the fix, but the breach still leaves many people vulnerable.
We’ve asked Facebook for comment.
As Gal noted, Facebook can only do so much when the data is already in circulation and the related flaw is no longer an issue. The social network could notify affected users, though, and there’s pressure on the company to alert affected users so they can watch for possible spam calls and fraud.
***
The Facts on News Reports About Facebook Data
On April 3, Business Insider published a story saying that information from more than 530 million Facebook users had been made publicly available in an unsecured database. We have teams dedicated to addressing these kinds of issues and understand the impact they can have on the people who use our services. It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019.
Scraping is a common tactic that often relies on automated software to lift public information from the internet that can end up being distributed in online forums like this. The methods used to obtain this data set were previously reported in 2019. This is another example of the ongoing, adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet services. As a result of the action we took, we are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists. But since there’s still confusion about this data and what we’ve done, we wanted to provide more details here.
What Happened
We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019. This feature was designed to help people easily find their friends to connect with on our services using their contact lists.
When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer. In this case, we updated it to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users. Through the previous functionality, they were able to query a set of user profiles and obtain a limited set of information about those users included in their public profiles. The information did not include financial information, health information or passwords.
Keeping Your Account Safe
Scraping data using features meant to help people violates our terms. We have teams across the company working to detect and stop these behaviors.
We’re focused on protecting people’s data by working to get this data set taken down and will continue to aggressively go after malicious actors who misuse our tools wherever possible. While we can’t always prevent data sets like these from recirculating or new ones from appearing, we have a dedicated team focused on this work.
While we addressed the issue identified in 2019, it’s always good for everyone to make sure that their settings align with what they want to be sharing publicly. In this case, updating the “How People Find and Contact You” control could be helpful. We also recommend people do regular privacy checkups to make sure that their settings are in the right place, including who can see certain information on their profile and enabling two-factor authentication.
