Some 533 million Facebook user records are being offered up for free on an online hacking forum, multiple sources report.
The good news, if there can be any in this situation, is that the data is old and has been available to cybercriminals for at least two years. Facebook said in statements to The Record and Bleeping Computer that it was all data that had been "scraped" — copied from the Facebook website without Facebook's permission — before a loophole was closed in 2019.
The bad news is that the data contains full names, email addresses, mobile phone numbers and sometimes birthdates, exactly the type of things that people tend not to change. Spammers and scammers could use the information to target people with personalized emails or text messages.
The data is pegged to phone numbers, and it wasn't stolen from Facebook. Rather, it was "scraped" more or less legally from data that Facebook had made public.
Facebook used to have a feature where you could punch in a phone number, even a total stranger's, and you'd get a link to any Facebook account associated with that number. You could look up only one number at a time.
What could possibly go wrong? Pretty soon someone rigged up a computer to generate valid-format phone numbers, toss 'em at Facebook and harvest a list of the resulting accounts and all their publicly available details.
At the end, you'd get a reverse-lookup phone book with hundreds of millions of entries. That's what is now being offered up online.
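The enumeration described above leaves a distinctive footprint on the lookup endpoint: one client querying many distinct, often consecutive, numbers in a short time. The following is an added detection example, not code from the article or from Facebook; the log format, client identifiers, phone numbers and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log: "<epoch seconds> <client id> <queried E.164 number>".
# client-A walks consecutive numbers; client-B makes two unrelated lookups.
SAMPLE_LOG = """\
1000 client-A +14155550100
1001 client-A +14155550101
1002 client-A +14155550102
1003 client-A +14155550103
1004 client-A +14155550104
1005 client-A +14155550105
1010 client-B +14155550198
1300 client-B +12125550042
"""

WINDOW_SECONDS = 60           # assumed sliding-window length
MAX_DISTINCT_PER_WINDOW = 5   # assumed: more distinct numbers than a person plausibly looks up
SEQUENTIAL_RATIO = 0.5        # assumed: share of +1 steps that indicates a number generator


def parse_log(text):
    """Yield (timestamp, client, number) from the constructed log format."""
    for line in text.splitlines():
        ts, client, number = line.split()
        yield int(ts), client, number


def flag_enumerators(text):
    """Return {client: reason} for clients whose lookups match enumeration."""
    events = defaultdict(list)
    for ts, client, number in parse_log(text):
        events[client].append((ts, number))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit in WINDOW_SECONDS.
            while evs[end][0] - evs[start][0] > WINDOW_SECONDS:
                start += 1
            distinct = {n for _, n in evs[start:end + 1]}
            if len(distinct) > MAX_DISTINCT_PER_WINDOW:
                digits = sorted(int(n.lstrip("+")) for n in distinct)
                steps = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
                reason = "high-volume lookups"
                if steps / max(len(digits) - 1, 1) >= SEQUENTIAL_RATIO:
                    reason += ", consecutive numbers (likely generated)"
                flagged[client] = reason
                break
    return flagged
```

Rate limiting per client, which the thresholds here approximate, is the kind of control that closes the loophole the article describes.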
What can I do about this?
If you have a Facebook account, it doesn't mean your data is in this stash. The person who is offering this data claims to have already broken it down into country-specific batches. The U.S. batch numbers about 32.3 million records, and the Canadian one about 3.5 million. That's a lot of users, but they're a small fraction of the estimated 258 million Americans and Canadians who are on Facebook.
Only people who gave Facebook their phone numbers would be included, and even then, you may not be in it.
Considering that the Facebook apps for Android and iPhone will try to grab your phone number and those of all your contacts as soon as you install the apps, Facebook probably has a whole lot more than 36 million North American phone numbers.
So what can you do about this? Be wary of random emails, texts, instant messages and social-media posts that promise riches or rewards, or tell you that you need to take urgent action to avoid paying fines and fees you didn't previously know about.
The best Windows 10 antivirus and best Mac antivirus software will screen out some scamming attempts on your computers; so will the best Android antivirus apps if you're not on an iPhone. If you do use an iPhone, just keep your wits about you when replying to emails, texts and messages.
How to check if your email address is part of this
Troy Hunt, who runs the breach-lookup service HaveIBeenPwned, analyzed the data set over the weekend and found only 2.5 million email addresses among the 533 million individual records. About 65% of the email addresses were already in the HaveIBeenPwned database, Hunt said on Twitter.
Not many of the records, relatively speaking, had dates of birth either. That means the data is mostly just phone numbers and names, about what you'd find in an old-fashioned phone book but still useful to spammers and scammers.
"So what's the impact? For a targeted attack where you know someone's name and country, it's great for mobile phone lookup. Much harder to do en masse as there's no reliable key; I couldn't take a big list of emails and resolve them to phone numbers as email is rare in the data."
Troy Hunt, Twitter, April 3, 2021
Hunt has added the Facebook email addresses to the HaveIBeenPwned database, and is considering whether to add the phone numbers as well. To see whether your email address is affected, go to https://haveibeenpwned.com/.