On Saturday, 3rd April, an archive containing the personal data of more than 533 million Facebook users in 106 countries was posted to an online hacking forum.
The archive was initially offered for sale for around €2.12; just hours later, the whole data set was reposted for free.
A Facebook spokesperson stated that this is “old data”, gathered initially using a vulnerability that was fixed in August 2019. While it’s good to know the issue was resolved, the data is now online forever.
This leak was originally reported on Twitter by cyber threat intelligence researcher Alon Gal, who has been tracking it since January of this year. Saturday is the first time the archive was found in a public forum.
In every case, the leak includes names, phone numbers, and Facebook IDs. In some cases, records also include:
· Email Address
· Date of Birth
· Current Location
· Relationship Status
Having an email address and date of birth publicly tied to your mobile number is concerning, since this makes you an easier target for identity theft and fraud. Details of around 11.5 million people in the UK are included in this leak, approximately 20% of all UK Facebook users. Don’t panic though – fewer than 85 thousand UK records in this leak included an email address.
So what should you do?
As always, be aware of scam calls, texts, or emails. These are often called ‘phishing’ attacks, and criminals use them to trick you into giving away sensitive details such as passwords, to install malicious software on your devices, or to steal money. The National Cyber Security Centre (NCSC) publishes guidance on how to spot suspicious communications and what to do if you’re worried you have fallen victim to a phishing attack.
You can also use the online tool Have I Been Pwned to check if your email address was included in this breach or any other past breaches. Refer to the NCSC’s guidance on data breaches if you have any concerns.
Finally, be careful what you put online! Social media is a fantastic tool for keeping up with friends and family, especially during the pandemic. However, it can be exploited by criminals, as this leak shows. The easiest way to protect yourself is to use strict privacy settings, and to think twice about what you post or show on your profile.
UPDATE: As of 06/04/2021, Have I Been Pwned allows searching this breach by phone number as well as email address.