500 Million Facebook Accounts Leaked Online500 Million Facebook Accounts Leaked Online
More than 500 million Facebook users have had their personal information posted to a public hacker forum, raising concerns about an uptick in cybercrime that leverages credentials. The publicly released Facebook user data is believed to be part of a 2019 Add Friend Facebook security bug exploited by hackers at the time. The flaw allowed hackers to siphon hundreds of millions of member account details from Facebook and sell them to the highest bidder on online markets. An estimated 32 million, of the half-billion of Facebook account details posted online, were tied to US-based accounts. The data is now accessible to anyone for under $3. The types of data include Facebook user mobile phone numbers, their Facebook ID, name and gender information.
Alon Gal, CTO at Hudson Rock, is credited for spotting the 533 million account records. Originally, the dataset was searchable for a price, according to an ads seen on secure messaging app Telegram. Now, that same data is available on public online forums used by criminals for anyone to abuse. Hackers could use the information for social engineering, scamming, hacking and marketing.
Facebook acknowledged the public availability of the stolen data and released a statement to the Associated Press. "This is old data that was previously reported on in 201. We found and fixed this issue in August 2019." Facebook told the AP. Leaky databases, breaches and bugs have dominated Facebook in 2019 and it is still unclear from Facebookâs statement what precise incident it is referring to. In December 2019, Facebook reported a hacked database containing the names, phone numbers and Facebook user IDs of 267 million users. The data, according to researchers at the time, was stolen from Facebook's developer API before the company restricted API access to phone numbers and other data in 2018. Other possibilities include the fact that Facebook's API could have a glitch, enabling hackers to access user IDs and phone numbers even after access was restricted in 2018. Another theory included that the data was scraped from publicly visible profile pages.
Hudson Rock's Gal stated that the data he found represent users in 106 countries, with 32 million based in the United States. Each of the records contained Facebook IDs, full names, mobile phone numbers, user locations, past locations, birthdates and email addresses.
Breach notification site Have I Been Pwned began letting people to check if any of their personal information was part of the data breach. Site publisher Troy Hunt said via Twitter, that his site is currently only allowing visitors to check their status using an email address. That will only be so useful since only 2.5 million out of the 533 million Facebook member records also included an email address. Another option is using the site The News Each Day, which allows anyone to enter a phone number and receive a reply to whether your data was compromised. It's unclear what the site's privacy policy is beyond a one sentence that reads, "This site uses Google Analytics to keep track of how many people use it."