Over 500M Facebook account records leaked on hacking forum
A major cache of personal data for more than 500 million Facebook users has been published on hacking forums, in one of the biggest lapses of data protection for the social network so far.
A Facebook data center in Sweden from 2016
The database, published to a hacking forum, contains the personal data of hundreds of millions of Facebook users around the world. The data, which was discovered on Saturday, has the potential to be used for a variety of crimes, including other hacks and social engineering.
Advised to Business Insider by cybercrime research firm Hudson Rock CTO Alon Gal, the data included full names of users, as well as Facebook IDs, locations, dates of birth, biographies, phone numbers, and email addresses. A selection of records from the cache was verified against Facebook's password reset feature, and were found to be genuine.
Over 533 million users are listed in the data, covering 106 countries. Over 32 million of the records are for US-based users, with 11 million based in the UK and 6 million from India.
"A database of that size containing the private information such as phone numbers of a lot of Facebook's users would certainly lead to bad actors taking advantage of the data," said Gal.
In what could be frustrating to affected Facebook users, Gal first spotted a user of the hacking forum advertising an automated bot in January, claiming to be able to scrape the phone numbers of millions of users. It appears that the data set collected by that bot was published to the forum for free, making it available for anyone to acquire at no cost.
At this stage, Gal believes there's little Facebook can do now the data is in circulation, other than to notify users to be vigilant for phishing schemes or fraud using their personal data.
"Individuals signing up to a reputable company like Facebook are trusting them with their data and Facebook is supposed to treat the data with utmost respect," said Gal. "Users having their personal information leaked is a huge breach of trust and should be handled accordingly."
Facebook has yet to comment on the new data cache publicly.
This is far from the first major lapse in data protection for Facebook, but it is among one of the worst by the social network.
In 2018, it was revealed that analytics firm Cambridge Analytica used a quiz app to collect data on users and connected friends, partly without consent. The data was then used to build voter profiles for some 71 million Americans, and was believed to have been used in the 2016 Presidential race.
Among other fines and sanctions, Facebook settled to end a Federal Trade Commission investigation in 2019 over the matter, paying a $5 billion penalty and agreeing to new restrictions on how it handles private data. At the time, Facebook claimed it had made "large strides on privacy," and insisted it would be "more robust" in identifying, assessing, and mitigating privacy risk.
In April 2019, security researchers found multiple instances where Facebook user data was exposed publicly on Amazon cloud servers by third-party companies. In one case, a firm was openly storing 540 million Facebook records, before being shuttered by Facebook.
A Facebook data center in Sweden from 2016
The database, published to a hacking forum, contains the personal data of hundreds of millions of Facebook users around the world. The data, which was discovered on Saturday, has the potential to be used for a variety of crimes, including other hacks and social engineering.
Advised to Business Insider by cybercrime research firm Hudson Rock CTO Alon Gal, the data included full names of users, as well as Facebook IDs, locations, dates of birth, biographies, phone numbers, and email addresses. A selection of records from the cache was verified against Facebook's password reset feature, and were found to be genuine.
Over 533 million users are listed in the data, covering 106 countries. Over 32 million of the records are for US-based users, with 11 million based in the UK and 6 million from India.
"A database of that size containing the private information such as phone numbers of a lot of Facebook's users would certainly lead to bad actors taking advantage of the data," said Gal.
In what could be frustrating to affected Facebook users, Gal first spotted a user of the hacking forum advertising an automated bot in January, claiming to be able to scrape the phone numbers of millions of users. It appears that the data set collected by that bot was published to the forum for free, making it available for anyone to acquire at no cost.
At this stage, Gal believes there's little Facebook can do now the data is in circulation, other than to notify users to be vigilant for phishing schemes or fraud using their personal data.
"Individuals signing up to a reputable company like Facebook are trusting them with their data and Facebook is supposed to treat the data with utmost respect," said Gal. "Users having their personal information leaked is a huge breach of trust and should be handled accordingly."
Facebook has yet to comment on the new data cache publicly.
This is far from the first major lapse in data protection for Facebook, but it is among one of the worst by the social network.
In 2018, it was revealed that analytics firm Cambridge Analytica used a quiz app to collect data on users and connected friends, partly without consent. The data was then used to build voter profiles for some 71 million Americans, and was believed to have been used in the 2016 Presidential race.
Among other fines and sanctions, Facebook settled to end a Federal Trade Commission investigation in 2019 over the matter, paying a $5 billion penalty and agreeing to new restrictions on how it handles private data. At the time, Facebook claimed it had made "large strides on privacy," and insisted it would be "more robust" in identifying, assessing, and mitigating privacy risk.
In April 2019, security researchers found multiple instances where Facebook user data was exposed publicly on Amazon cloud servers by third-party companies. In one case, a firm was openly storing 540 million Facebook records, before being shuttered by Facebook.
Comments
If this bot did indeed "scrape" the information, then it wasn't a compromise of any of Facebook's systems or databases. This bot would have "built" its own database from the scraped data.
Computers (ie. bots) can work a LOT faster than humans, so this would be the equivalent of several humans trying to manually read profiles (some are public info!) and copy the information into a centralized database. The bot just did it a lot faster and without supervision.
if this is the case, Facebook can't be held directly responsible other than allowing the bot to do its work for an extended period of time.
Let me check her Facebook page to see if she knows. Looks like I’d need to create an account... never mind.
I think we all know the answer already.
If there is just someway we could’ve known!...
Facebook patched bug in 2019, but not before the data breach.
815 766 690 users not 533 mill.