A hacker has posted the phone numbers and sensitive account details of nearly 533 million (53.3 crore) Facebook users — about a fifth of the social networking platform’s entire user base — including over 61 lakh Indian users which has been dumped on a public cybercrime forum.
The leaked data includes Facebook ID numbers, profile names, email addresses, location information, gender details, job data, and other details.
“All 533,000,000 Facebook records were just leaked for free. This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked,” tweeted Alon Gal, CTO of security firm Hudson Rock.
“I have yet to see Facebook acknowledging this absolute negligence of your data,” he added.
Facebook has confirmed the leak to The Record.
“This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019,” a Facebook spokesperson was quoted as saying in the report late on Saturday.
With the data now entering the public domain, there is a real danger that this information can be widely used by cybercriminals for email or SMS spam, robocalls, extortion attempts, threats and harassment, etc.
The data is reportedly broken up into download packages by country.
As Cambridge Analytics still haunts nearly 87 million users, including over 5 lakh users from India, this has come as the biggest ever leak of a social media platform that has billions of users.
In January this year, reports first surfaced that the phone numbers of 533 million users were currently being sold via a bot on encrypted messaging platform Telegram, which came from a Facebook vulnerability that was patched by the social network in 2019.
According to a report in Motherboard, the person selling the database full of Facebook users’ phone numbers ($20 per number) lets customers lookup those numbers by using an automated Telegram bot.
Gal had then said: “It is very worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing (the fraudulent practice of sending text messages) and other fraudulent activities by bad actors.”
However, this time, the Facebook data leak has been published with more details.
In December last year, reports surfaced that a bug exposed the personal information like email addresses and birthdays of Facebook-owned Instagram users.
Saugat Pokharel, an experienced bug hunter from Nepal, discovered the bug. The attack used Facebook’s Business Suite tool, available to any Facebook business account, reported The Verge.
According to a Facebook spokesperson, the bug was only accessible for a short period of time during a small test.