Facebook Says Data Comes from Previously Reported 2019 Incident
A security researcher has found more than 500 million Facebook records made available for free on the darknet, exposing basic user information, including any phone numbers associated with the account.
Alon Gal, chief technology officer at Hudson Rock, found the 533 million records in a darknet forum, representing users in 106 countries and containing phone numbers, Facebook ID, full name, location, past location, birthdates, in some cases an email address, account creation date, relationship status and the biographical information submitted by the account owners.
“Bad actors will certainly use the information for social engineering, scamming, hacking and marketing,” he tweeted.
Facebook, in a statement quoted by the Associated Press, claims this is old news.
“This is old data that was previously reported on in 2019,” Facebook reportedly said. “We found and fixed this issue in August 2019.”
Gal first spotted the database earlier this year when he noticed that a malicious actor had created and was advertising a Telegram bot that allowed a person to search the database and find phone numbers linked to accounts, but it was not open at that time.
A few days ago a user created a Telegram bot allowing users to query the database for a low fee, enabling people to find the phone numbers linked to a very large portion of Facebook accounts.
This obviously has a huge impact on privacy. pic.twitter.com/lM1omndDET
— Alon Gal (Under the Breach) (@UnderTheBreach) January 14, 2021
The database is now available for free, Gal says.
Business Insider reports that the data is several years old and that a Facebook spokesperson says that the data was scraped due to a vulnerability that the company patched in 2019.
A Facebook representative could not be reached immediately by ISMG for comment.
Facebook’s Data Breach History
In 2018, 30 million Facebook accounts were breached, and for 14 million of those accounts an extensive amount of detail was compromised. This information included the account holder’s 15 most recent searches, the last 10 places they checked into and the device types used to access Facebook. For another 15 million account holders, the hackers accessed only name and contact details – phone number, email address or both. The attackers did not gain access to any information for another 1 million people whose accounts were affected (see: Facebook Clarifies Extent of Data Breach).
In December 2020, Compliance Week reported that Facebook had set aside $366 million to cover expected GDPR fines that could result from an investigation being conducted by Ireland’s privacy agency (see: Ireland’s Privacy Watchdog Probes Facebook Data Breaches).