The personal details of more than 533 million Facebook account holders from 106 countries have been made public on a cybercriminal forum.
This information is not newly stolen, reports indicate. It was scraped in 2019 when an attacker exploited a vulnerability in the platform to match random phone numbers with Facebook profiles, The Record reports. The company detected this activity and blocked the attacker's access.
"This is old data that was previously reported on in 2019," wrote Liz Bourgeois, Facebook's director of strategic response communications, in a tweet. "We found and fixed this issue in August 2019."
But while the data itself may be a couple of years old, it could prove relevant and handy to scammers who want to impersonate individuals or launch spear-phishing attacks, wrote Alon Gal, CTO and co-founder at security firm Hudson Rock, in a tweet discussing the massive data leak on April 3. The 553 million Facebook users affected make up about 20% of its total user base.
The leaked personal details include phone numbers, Facebook IDs, full names, location data, gender, birthdates, account creation dates, relationship status, and employers, among other profile information. In some cases, the user's email address was also shared.
"Bad actors will certainly use the information for social engineering, scamming, hacking, and marketing," Gal wrote.
HaveIBeenPwned, a website that lets people check whether their personal information has been compromised in data breaches, notes the primary value of the leaked data is the link between phone numbers and identities. While each affected record included a phone number, only 2.5 million contained an email address.
Those curious to know whether they've been affected can enter their email into HaveIBeenPwned. Its creator, Troy Hunt, is considering whether to make phone numbers searchable as well.