The consequence of one of the largest security breaches in Facebook’s history has been made public, exposing the personal data of 533 million users. Unlike other breaches, where email addresses have been leaked, this time there is data as sensitive as full name, phone number, date of birth, Facebook identifier, present and past locations, marital status and bio.
Among them are 10.89 million Spanish phone numbers, each listed next to the account holder's name. In other words, highly sensitive data has been leaked for almost one in four people in the country. The breach data has now been posted for free on a hacking forum, but it had already been sold for months, even through Telegram bots.
Facebook has confirmed to Business Insider that the breach data was obtained through a vulnerability the company had in 2019, which has since been patched. In September of that year, we reported that a researcher had discovered a leak of more than 400 million users, whose characteristics fit perfectly with the data published now.
All 533,000,000 Facebook records were just leaked for free.
This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked.
I have yet to see Facebook acknowledging this absolute negligence of your data. https://t.co/ysGCPZm5U3 pic.twitter.com/nM0Fu4GDY8
– Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
At the moment it is not possible to know whether our phone number is in the database
Although the database is old, a January tweet from @UnderTheBreach (one of the accounts that reported on April 3 that the database was now being offered free of charge) stated that a 2019 vulnerability allowed the phone number associated with each Facebook account to be viewed, producing that base of 533 million users.
Troy Hunt, creator of Have I Been Pwned, has been reviewing the case, noting that a search of the 108 files contained in the leak now offered for free turned up 2.5 million exposed email addresses. Of those 2.5 million addresses, 75,758 are Spanish and appear in plain text alongside the almost 11 million phone numbers, as verified by Genbeta. For now, email addresses are the only thing that can be checked on that website, not the phone numbers, so the site is of limited use on this occasion (at the moment).
Email parsing now done, found 2,529,621 unique addresses across the 108 files. Call it about 0.5% of all records having an email address.
– Troy Hunt (@troyhunt) April 4, 2021
Thus, what matters in this case are the 533 million telephone numbers (of which Hunt mentions finding somewhat fewer, about 370 million, after analyzing the hackers' database files). Although, as Hunt recalls, phone numbers are not a variable widely used by hackers, having the numbers of so many people is very useful for scams and other kinds of malicious practices. The researcher has doubts about whether or not to upload the telephone database to the website.
In fact, the mobile numbers of many Spaniards are already being used in attempts to deceive them with the Flubot SMS scam, which is based on collecting large quantities of numbers and then sending their owners messages claiming that a package from FedEx, DHL, Correos or MRW is waiting to be picked up.