A dataset with personal data of some 533 million Facebook users has been posted on a rogue hacker forum. This includes an estimated 5.4 million Dutch people. It mainly concerns telephone numbers.
Security researcher Alon Gal reports that the data includes phone numbers, Facebook IDs, full names, locations, previous locations, dates of birth, gender, relationship status, bio texts, account creation date, employer and email addresses. Only the last of these is much less common than the rest: it appears 2.5 million times. The number of Dutch people is an estimate by RTL tech journalist Daniël Verlaan, who has viewed the dataset. The affected users are spread across 106 countries and, according to Bleeping Computer, “almost all” entries contain a phone number.
A Facebook representative has commented on the development on Twitter, but does not go into detail. “This is old data reported in 2019. We found and solved the underlying problem in August of 2019.”
Alon Gal already raised the alarm about the data in January. At the time, it was reportedly being offered to interested parties via a Telegram bot. Back then, malicious parties had to pay an amount per user, but now the entire dataset is posted on the same forum and can be downloaded for free. He states that the vulnerability was exploited ‘early in 2020’, but that is not in line with the statements of the Facebook representative. Another commenter has also corrected him, stating that the vulnerability was resolved ‘early in 2019’.
Gal told Bleeping Computer that the vulnerability was probably in the ‘add friend’ feature that allowed access to the phone numbers of strangers. The rest of the data may have simply been scraped from public profiles.
The database has been added to Have I Been Pwned, but because that site looks accounts up by email address, it lists 2.5 million accounts instead of 533 million.