Apr 3, 2021 - Technology

Personal data of 500 million users surfaces in leak that Facebook calls "old"

Facebook CEO Mark Zuckerberg testifying before a House Judiciary Subcommittee in July 2020.

Facebook CEO Mark Zuckerberg remotely testifying before a House Judiciary Subcommittee in July 2020. Photo: Mandel Ngan/POOL/AFP via Getty Images

A leaker said Saturday they are providing personal information on 533 million Facebook users, including phone numbers, locations, birthdates and other data.

The latest: Though the data is resurfacing, the issue connected to the leaked data was "found and fixed" in August 2019, a Facebook spokesperson told Axios in a statement.

How it worked: "With this ‘new’ case, we were provided with a sample of the data and it matched previously known data related to the Contact Importer vulnerability that was fixed in late August 2019," the company spokesperson said.

  • Facebook at the time disabled functionality that previously made it "possible to input multiple phone numbers and, by running an algorithm, connect which number matched to a specific user."

Why it matters: The data, which can be accessed for free, may be used by cybercriminals to steal identities and scam or extort money from victims, according to Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, which discovered the leaked data.

  • Gal noted the database appears to be the same set of Facebook-connected phone numbers circulating since January and that was originally reported by Motherboard, per Reuters.

By the numbers: The leak includes data from 32 million users in the U.S., 11 million users in the UK, and 6 million users in India.

Of note: It contains phone numbers, Facebook IDs, full names, locations, birthdates, bios and email addresses. It notably does not contain password information.

  • The data is personal, but much of it is likely to be public already, though perhaps not in this form.

What they're saying: “A database of that size containing the private information such as phone numbers of a lot of Facebook’s users would certainly lead to bad actors taking advantage of the data to perform social engineering attacks [or] hacking attempts," Gal told Insider.

  • "Individuals signing up to a reputable company like Facebook are trusting them with their data and Facebook [is] supposed to treat the data with utmost respect." he added. "Users having their personal information leaked is a huge breach of trust and should be handled accordingly."
  • Gal said Facebook can't do much to help affected users because their data has already been posted, but he said Facebook can notify the users so they can watch for scams or frauds.

Our thought bubble via Axios' Scott Rosenberg: Any information you provide to Facebook or post there is sooner or later likely to end up public, even if you try to keep it private or specifically restrict it to your friends.

  • That doesn't excuse Facebook from responsibility for protecting its users, but at this point in Facebook's history, it's a realistic assumption for any user's self-defense.

Editor's note: This story has been updated throughout with Facebook's comments and to clarify the data leaked was originally found in 2019.

Go deeper