Phone Numbers and Associated Profile Info of 533 Million Facebook Users Leaked Online

The leak of data tied to 533 million Facebook users is a reminder that even “old” exposed information can fuel fresh scams for years after the original incident. With phone numbers, names, locations, and other profile details now widely available, cybercriminals have more than enough context to build convincing phishing attacks, impersonation schemes, and fraud attempts.

Key Takeaways

• Personal data associated with more than 533 million Facebook users was exposed online after being scraped through a platform vulnerability that Facebook said it fixed in August 2019.
• The leaked information included phone numbers, Facebook IDs, full names, location data, dates of birth, bios, relationship status, and some email addresses across 106 countries.
• Even older leaked data can remain dangerous because cybercriminals can reuse it in new social engineering, phishing, identity theft, and fraud campaigns.
• Users whose phone numbers were tied to Facebook accounts should be extra cautious with unsolicited calls, texts, or messages requesting personal information.

Fact: The personal information associated with over 533 million Facebook users was made public on a hacking forum this Saturday. User data appears to have been scraped in 2019 by malicious actors exploiting a vulnerability in the platform.

Check if your personal info has been stolen or made public on the internet with Bitdefender’s Digital Identity Protection tool. 

What type of data was leaked?

The leaked data includes phone numbers, Facebook IDs, full names, location, past location, date of birth, account creation data, relationship status, bio and some email addresses. Overall, the database includes information on users from 106 countries, including 32 million from the US, 35 million from Italy, 19.8 million from France, 11 million from the UK, and nearly 10 million users from Russia.

“This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019,” Liz Bourgeois, Facebook’s Director of Strategic Response Communications, said in a tweet.

No data is old data

A common misconception among the digital community is that older exposed or stolen data has an expiration date and does not cause any future security risks.

However, users shouldn’t bet on it. The Ashley Madison data breach is a good example. Information of millions of users was stolen and posted online by threat actors in 2015. In 2020, customers who had already endured the fallout from the breach were targeted once again, in new blackmail campaigns.

Data breaches and leaks can have long-term consequences for victims. Once personal data is out there, it can be used to impersonate or scam users over and over. Threat actors know that users recycle and reuse personal information on online platforms. Even if you’ve already been a victim or target, it doesn’t spare you from becoming one again.

“The data leak may not be the first incident in the social media giant’s security incident history, but it’s definitely one that users should care about,” said Bogdan Botezatu, Director of Threat Research and Reporting at Bitdefender.

“Since this data is now publicly available and free, it’s reasonable to assume the worst-case scenario,” Botezatu added. “This additional breach of user privacy, even if it does not include highly sensitive details, opens new and rewarding possibilities for scammers. If users can’t rely on companies to keep their data safe, it might be time to reassess online behaviors by limiting the information shared with social media platforms.”

What should users expect?

Malicious actors can exploit this information to deploy targeted social engineering attacks. If you have not changed the phone number linked to your Facebook account since 2019, watch out for unsolicited phone calls or text messages asking for personally identifiable information.

You need to understand that social media platforms do not provide bulletproof security. Whatever you share and provide on your profile can be used to single you out from millions of other users. By pairing the leaked data with publicly exposed information, cybercriminals can deploy phishing schemes that can lead to account takeover, identity theft and fraud.