Updated: Apr 6
Alon Gal, CTO of Hudson Rock – a cybercrime intelligence and forensic company – first discovered the free database of hundreds of millions of Facebook users online in a relatively low-level hacking forum.
The news was first reported by Business Insider’s Aaron Holmes. The data has been confirmed by Business Insider and external security sources to be valid.
In total 533 million Facebook users from 106 countries had their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and — in some cases — email addresses exposed.
In response to the discovery, a Facebook spokesperson said -- “This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019.”
Troy Hunt, Creator of Have I Been Pwned – the popular website which tells users whether their personal information has been compromised by data breaches and leaks reported via Twitter:
Typically cybercriminals wouldn’t give access to this level of database for free. They like to monetize this type of information as long as possible. With this free posting by cybercriminals, it’s safe to assume that this data has been bought and sold a few times, and we’re just now hearing about the availability of it publicly.
Even though the data from this leak is two years old, these types of leaks from top social media companies are still very much dangerous. Consumers do not typically upkeep a high level of password hygiene. They use the same passwords for multiple accounts and they don’t change passwords frequently. With the sheer volume and various types of data included in this leak, it gives hackers plenty of ammo to conduct phishing or social engineering attacks on a wide or targeted scale.
In terms of preventing these types of leaks moving forward, Avesta Hojjati, Head of R&D at DigiCert says this comes down to encryption.
"Once again, the importance of encryption of data at rest and in transit has surfaced. Today, the breach happens to impact Facebook, but tomorrow it could very well be other social media. We simply cannot prevent vulnerabilities from compromising users' data, but we can properly use proven solutions to eliminate the use of such compromised data."