A massive database containing the personal information of over 500 million Facebook users has been posted on a hacking forum for free, enabling cyber criminals anywhere to use the data to target Internet users worldwide.
The massive database was initially created by hackers who exploited a critical vulnerability in the Facebook application to scrape the personal information of millions of users from all over the world. According to Alon Gal, the co-founder and CTO of Hudson Rock, the database contained information of around 533 million users, including 11.5 million people in the UK and 32 million people located in the United States.
In early 2020 a vulnerability that enabled seeing the phone number linked to every Facebook account was exploited, creating a database containing the information of 533m users across all countries.
It was severely under-reported and today the database became much more worrisome 1/2 pic.twitter.com/ryQ5HuF1Cm
— Alon Gal (Under the Breach) (@UnderTheBreach) January 14, 2021
As recently as January this year, operators of the database allowed Telegram users to query the database in exchange for a fee, enabling the latter to view phone numbers associated with millions of Facebook accounts. However, things got much worse recently when a hacker made the entire database available on a Dark Web forum for free, enabling anyone with basic data skills to view the personal information of 533 million Facebook users.
All 533,000,000 Facebook records were just leaked for free.
This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked.
I have yet to see Facebook acknowledging this absolute negligence of your data. https://t.co/ysGCPZm5U3 pic.twitter.com/nM0Fu4GDY8
— Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
According to Business Insider, personal information of Facebook users stored in the database includes users' "phone numbers, Facebook IDs, full names, locations, birthdates, bios, and - in some cases - email addresses." The massive trove of data was exfiltrated by hackers who exploited a vulnerability in the Facebook application to scrape user data.
The vulnerability, according to an Apple spokesperson, was fixed in 2019, indicating the database does not contain the information of users who joined the platform after the fix was introduced. However, it may be fair to assume that a vast majority of the leaked accounts are still in use, and that information such as email addresses and phone numbers is still the same for the affected users.
This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019. https://t.co/mPCttLkjzE
— Liz Bourgeois (@Liz_Shepherd) April 3, 2021
This isn't the first time that Facebook, by far the world's largest social networking platform, has allowed hackers to scrape and exfiltrate the personal data of millions of users. In April last year, a hacker put up over 267 million Facebook records, including users’ profile IDs, names, and phone numbers, for sale on a Dark Web forum.
The publicly accessible and unsecured database was discovered by security researcher Bob Diachenko, who counted over 267 million Facebook IDs, phone numbers, full names, and timestamps, with most of the records associated with American users.
According to Comparitech, which partnered with Diachenko to investigate the unsecured database, cyber criminals could have obtained the information from Facebook’s developer API that gave developers access to profiles, friends list, groups, and photos. Until 2018, developers could also access phone numbers associated with unique Facebook profiles.