The personal information of 533 million Facebook account holders has been leaked online on a public hacking forum. The incident that resulted in the theft of such a huge amount of Facebook data is believed to be a 2019 hack that exploited the “Add Friend” Facebook security bug, rather than a more recent hack. The flaw allowed information such as the account holder’s name, Facebook ID, mobile number, gender, occupation, city, country, marital status, and other personal data to be stolen, including some email addresses.
That information was offered for sale in a hacking community in June 2020 and has now resurfaced and is available virtually free of charge. To obtain the data, a donation of 8 site credits is required, which amounts to less than $2.20. The data is understood to have been initially sold for around $30,000 and then resold multiple times subsequently, in addition to a pay-for-search option via Telegram which was advertised on online forums commonly frequented by cybercriminals. The latest offer of the data was identified by Alon Gal, CTO of Hudson Rock.
Now that the data has been made more widely available and at a very low price, it is probable that there will be many people willing to pay the nominal fee to obtain the dataset for use in a wide range of scams, including social engineering and phishing attacks via phone, text message, and email, and for the marketing of suspect products and services.
The Irish Data Protection Commission has confirmed it is investigating the breach. The GDPR watchdog said it had received no data breach notification from Facebook within the 72 hours required by the GDPR. Facebook has since confirmed that the data stolen in the attack dates back to the 2019 breach and is not a new hack of its platform and said the flaw that was exploited was fixed in August 2019. The Irish DPC issued a statement suggesting additional user data appears to be present in this dataset, which may have come from a later period. Facebook issued a statement confirming the incident was being investigated. In an April 6, 2021 blog post Facebook confirmed that this was not a hack and that data had been scraped from public profiles prior to September 2019. “As a result of the action we took, we are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists,” said Mike Clark, Product Management Director, Facebook.
If you want to find out if you have been affected by this breach, there is an easy way to check. Troy Hunt, who runs the “Have I Been Pwned?” breach notification website, has uploaded the data and it can be searched for free using an email address. If the search does not show a hit, that does not mean that you have not been affected, as relatively few of the individuals affected had an email address included in the data set. There were only around 2.5 million email addresses in the data set.
For the majority of affected individuals, phone numbers have been compromised. Hunt confirmed today that users of the site can now enter their phone number to find out if their data has been compromised. You can access the web resource on this link.
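For anyone who needs to run this check for more than a handful of addresses (for example a security team checking staff or customer contact addresses), the same "Have I Been Pwned?" lookup is available programmatically through the HIBP v3 breached-account API. The script below is an added example and is not code from the article, from Facebook or from Have I Been Pwned. It uses only documented behaviour of that API (the `/api/v3/breachedaccount/{account}` endpoint, the required `hibp-api-key` and `user-agent` headers, HTTP 404 meaning "not in any breach", HTTP 429 meaning rate limited); the breach name `"Facebook"`, the sample addresses and the embedded JSON response are constructed for illustration, and a real API key must be supplied via the `HIBP_API_KEY` environment variable to query the live service.

```python
"""Check e-mail addresses against the Have I Been Pwned (HIBP) v3 API.

Added example, not part of the original article. Endpoint, headers and
status-code conventions follow HIBP's documented v3 API; the breach name,
the sample accounts and SAMPLE_RESPONSE below are constructed.
"""
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

HIBP_BASE = "https://haveibeenpwned.com/api/v3/breachedaccount/"
# Assumed: the name HIBP uses for the 2019 Facebook scrape data set.
FACEBOOK_BREACH_NAME = "Facebook"

# Constructed stand-in for an HTTP 200 body, shaped like HIBP's breach records.
SAMPLE_RESPONSE = json.dumps([
    {"Name": "Facebook", "BreachDate": "2019-08-01",
     "DataClasses": ["Email addresses", "Names", "Phone numbers"]},
    {"Name": "SomeOtherSite", "BreachDate": "2017-03-10",
     "DataClasses": ["Email addresses", "Passwords"]},
])


def build_request(account, api_key, user_agent="breach-check-example"):
    """Build the GET request HIBP expects: URL-encoded account plus key/UA headers."""
    url = HIBP_BASE + urllib.parse.quote(account, safe="") + "?truncateResponse=false"
    return urllib.request.Request(
        url, headers={"hibp-api-key": api_key, "user-agent": user_agent})


def parse_breaches(body):
    """Reduce a response body to the fields a triage report needs."""
    return [{"Name": r["Name"],
             "BreachDate": r.get("BreachDate"),
             "DataClasses": r.get("DataClasses", [])}
            for r in json.loads(body)]


def in_breach(records, name=FACEBOOK_BREACH_NAME):
    """True when one of the parsed records is the named breach."""
    return any(r["Name"] == name for r in records)


def _http_fetch(req):
    """Real network call; returns (status, body). 404/429 arrive as HTTPError."""
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, ""


def check_account(account, api_key, fetch=None):
    """Return the breach records for one account ([] when HIBP answers 404).

    ``fetch`` lets tests inject a stand-in for the network call.
    """
    status, body = (fetch or _http_fetch)(build_request(account, api_key))
    if status == 404:
        return []                      # documented: account not in any breach
    if status == 429:
        raise RuntimeError("rate limited by HIBP; honour Retry-After and retry")
    if status != 200:
        raise RuntimeError("unexpected HTTP status %d" % status)
    return parse_breaches(body)


def check_accounts(accounts, api_key, fetch=None, delay=1.6):
    """Check many accounts, pausing between calls to stay under HIBP's rate limit.

    The 1.6 s default is an assumed conservative spacing, not an HIBP constant.
    Returns {account: [breach names]} so callers can filter on FACEBOOK_BREACH_NAME.
    """
    report = {}
    for i, account in enumerate(accounts):
        if i and delay:
            time.sleep(delay)
        report[account] = [r["Name"] for r in check_account(account, api_key, fetch)]
    return report


if __name__ == "__main__":
    key = os.environ.get("HIBP_API_KEY")
    if not key:
        # Offline demo with the constructed response so the script runs without a key.
        fake = lambda req: (200, SAMPLE_RESPONSE)
        print(check_accounts(["someone@example.com"], "demo-key", fetch=fake, delay=0))
    else:
        for acct, names in check_accounts(["someone@example.com"], key).items():
            flag = "IN FACEBOOK DATA SET" if FACEBOOK_BREACH_NAME in names else "not in Facebook data set"
            print(acct, flag, names)
```

Two caveats carry over from the article: an empty result only says the address is not in the data set, and most of the 533 million records carry a phone number rather than an email address, so phone-number lookups, which the API does not expose for this breach, still have to go through the website.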