A threat actor has published the phone numbers and account details of an estimated 533 million Facebook users, roughly a fifth of the social network’s entire user base, on a publicly accessible cybercrime forum.
The leaked data includes Facebook ID numbers, profile names, email addresses, location information, gender details, job data, and anything else users might have entered in their profiles.
The data is currently being offered in 106 separate download packages, with the data split on a per-country basis.
While the forum is publicly accessible and anyone can register a profile, the download links for these packages are only available to users who have bought forum credits. Asked for comment, Facebook confirmed the leak, which according to the company occurred two years ago. A Facebook spokesperson commented:
“This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019.”
At the time, an attacker abused a vulnerability in the Facebook contacts importer feature: by supplying the platform with a list of phone numbers and getting a match for existing profiles, the attacker could link arbitrary phone numbers to specific users. The attacker collected data in 2019 until Facebook detected the automated process and cut off their access.
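The defensive side of the abuse described above is spotting automated bulk lookups against a contact-import feature. The following is an added illustration, not code from the article or from Facebook: it runs over constructed log lines of the form "account, numbers submitted, numbers matched" and flags accounts whose import volume is high while their match ratio is low, since a real address book matches existing users at a high rate and a list of arbitrary numbers does not. The log format, account names and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample log (not real telemetry): one contact-import request per
# line, "<account_id> <numbers_submitted> <numbers_matched>". acct_2099 is the
# hypothetical automated scraper; the others are ordinary address-book uploads.
SAMPLE_LOG = """\
acct_1001 120 97
acct_1002 250 210
acct_2099 5000 41
acct_2099 5000 38
acct_2099 5000 45
acct_1003 30 29
"""


def parse_log(text):
    """Parse the constructed log into (account, submitted, matched) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        acct, submitted, matched = line.split()
        rows.append((acct, int(submitted), int(matched)))
    return rows


def flag_enumeration(rows, max_numbers=1000, min_match_ratio=0.5):
    """Return {account: stats} for accounts whose aggregate import volume
    exceeds max_numbers AND whose match ratio is below min_match_ratio.
    Both thresholds are illustrative assumptions, not known Facebook limits."""
    totals = defaultdict(lambda: [0, 0])  # account -> [submitted, matched]
    for acct, submitted, matched in rows:
        totals[acct][0] += submitted
        totals[acct][1] += matched
    flagged = {}
    for acct, (submitted, matched) in totals.items():
        ratio = matched / submitted if submitted else 0.0
        if submitted > max_numbers and ratio < min_match_ratio:
            flagged[acct] = {"submitted": submitted,
                             "matched": matched,
                             "match_ratio": round(ratio, 3)}
    return flagged


if __name__ == "__main__":
    for acct, stats in flag_enumeration(parse_log(SAMPLE_LOG)).items():
        print(acct, stats)  # → acct_2099 {'submitted': 15000, 'matched': 124, 'match_ratio': 0.008}
```

In practice the same signal would be combined with per-account rate limits on the importer, so that a lookup list cannot reach this volume in the first place.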
While the data appears to have been sold in private, it was also used as the backend of a Telegram bot launched in January 2021 that allowed anyone to retrieve the phone number and account details for Facebook users for a small fee.
With the data now entering the public domain, there is a real danger that this information will be widely disseminated among low-skilled cybercriminals who may abuse it for email or SMS spam, robocalls, extortion attempts, threats, harassment, and more.
Below is a per-country breakdown of the data, as provided by the leaker.