2,5M+ users can check whether their data were exposed in Facebook data leak

You can check if your personal information is included in the Facebook data leak by querying the data breach notification service Have I Been Pwned.

The news of the availability on a hacking forum of the personal information for 533,313,128 Facebook users made the headlines. The availability of the data was first reported by Alon Gal, CTO of cyber intelligence firm Hudson Rock.

The data of Facebook users from 106 countries are available for free, over 32 million records belonging to users from the US, 11 from the UK, and 6 million users from India. Leaked data includes users’ phone numbers, Facebook IDs, full names, locations, birthdates, bios, and for some accounts the associated email addresses.

The data was amassed by threat actors by exploiting a vulnerability fixed in 2019 that allowed data scraping from the social network.

The leaked data could be exploited by threat actors to carry out a broad range of malicious activities.

The novelty is not represented by the availability of the data online, which was already reported by Alon Gal in January, but its availability for free.

Data included in the recent leak have been added by Troy Hunt to Have I Been Pwned data breach notification site allowing users to check if weather data was exposed.

“In April 2021, a large data set of 533 million Facebook users was made freely available for download. Encompassing approximately 20% of Facebook’s subscribers, the data was allegedly obtained by exploiting a vulnerability Facebook advises they rectified in August 2019. The primary value of the data is the association of phone numbers to identities; whilst each record included phone, only 2.5 million contained an email address.” reads the statement published on the HIBP website. “Most records contained names and genders with many also including dates of birth, location, relationship status and employer.”

Unfortunately, Hunt was able to add only 2,529,621 records () exposed in the recent leak because most of them did not include an email address.

Should the Facebook phone numbers be searchable in @haveibeenpwned? Hunt is evaluating the pros and cons for impacted people versus the risk of exposure of their identities.

“Factors influencing my consideration of this: only about 1% of the records have email addresses, the phone numbers are easily parsed (they’re in a CSV) and they’re formatted complete with country code. It’s a very clean data set and is 100x more useful than email in this case.” wrote Hunt on Twitter. “Another general observation on this incident: I’m seeing *extensive* sharing of the data, both the entire corpus of countries and individual country files. Not just in hacking circles, but very broadly on social media too. This data is everywhere already.”

Hunt discovered 370M rows in the data set he received some weeks ago, data that is different from 533M reported by media. Then he received a separate set of files that summed to the previous one aligns with more recent reporting.

In some cases Hunt noticed some differences as he confirmed on Twitter:

For additional news …. stay Tuned!

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

[adrotate banner=”5″]

[adrotate banner=”13″]