In April 2021, leaked information from some 533 million Facebook accounts became available online to anyone, either for free or for a few dollars. The affected data isn’t from a new breach, but it poses privacy and security risks all the same.

Let’s look at what happened here and how to find out if you were affected.

Leaked Facebook Data Resurfaces

In 2019, Facebook suffered a major data breach. Attackers were able to exploit a Facebook feature that allowed you to connect with friends easily by using your contact list. They used this to scrape phone numbers and other personal information from hundreds of millions of Facebook accounts.

The company has since resolved this vulnerability, but of course the information is still floating out in the wild.

Normally, when these types of breaches happen, the people with the stolen data sell or auction it off to make money in dark corners of the web. So this data has been in the hands of malicious individuals since it was leaked years ago.

Now, however, those who have the information apparently decided to make it as close to freely available as possible for anyone to access, using platforms like Telegram. This is what makes this incident more significant—the information is for sale for a few dollars, if anything.

https://twitter.com/UnderTheBreach/status/1378314424239460352

The leaked information includes full names, phone numbers, Facebook ID numbers, general location, dates of birth, and more. Email addresses were included in some cases, but not all.

None of this is extremely sensitive data like passwords or credit card numbers, but it’s still damaging, of course. At a minimum, it exposes people to more spam phone calls and texts, as well as making where they live public information.

How to Check If Your Information Was Exposed

If you have a Facebook account, you likely want to know if your data was included in this breach. The best place to do this is Have I Been Pwned, a free tool from security researcher Troy Hunt. It allows you to enter your email address, which is then checked against the records of known data breaches.

Ordinarily, Have I Been Pwned wouldn’t have been very useful here. As mentioned, phone numbers were the primary identification method leaked in the Facebook breach—not email addresses as is often the case. However, after receiving a lot of interest from users, Hunt added the option to search for your phone number to the site.

Enter your phone number in international format (include a 1 at the start for US numbers) to check if it appears in any breaches, including the Facebook breach.

A tool from The News Each Day also appeared after news of this data breach broke, allowing you to do the same thing. This site doesn’t have any kind of privacy policy to explain what it’s doing with your number, though it did come up with a more private version of its tool that sends random numbers along with your real number.

Have I Been Pwned is thus a more trusted option, but you can get a second opinion here if you want.

Staying Safe With Leaked Information

If your information was compromised in this Facebook data leak, there are a few ways to stay safe. First, you should make sure you have two-factor authentication enabled on your email account, Facebook account, and other important services. This reduces the risk of someone using compromised information to break into one of your accounts.

Second, be vigilant for scams that might try to use this new information. With your full name, email address, phone number, and general location, someone could come up with a fairly convincing spoofed email or text message. They might reach out to your friends with a fake “emergency” and ask for money, for example.

It’s not a bad idea to let your friends know—on social media or elsewhere—that your data was compromised. Warn people to watch for any shady activity that claims to come from you.

Otherwise, be careful of new scams sent to your phone number that pretend to be legitimate entities. Someone could call posing as a government entity, and use the information exposed in this breach to convince you that they know a lot about you.

Another Facebook Meltdown

This isn’t the first time that Facebook has suffered a major data breach, and it probably won’t be the last. While your information might have already been exposed when this data was stolen in 2019, it’s now available to a much wider audience of people who want to use it for nefarious purposes.

If you’re fed up with Facebook over this mishandling of data, this is a good excuse to delete your Facebook account. Otherwise, stay safe by understanding the many ways your passwords could be stolen, too.
