Half a billion Facebook users’ data has been on the loose for years

The personal data of 533 million Facebook users, which appears to be years old and includes phone numbers and emails, has been leaked.
5 April 2021


  • Personal information of over 500 million Facebook users from 106 countries was found on a hacker website
  • The database was initially being sold on instant messaging platform Telegram for a fee of US$20 per search
  • Facebook claims that it's an old data leak and that in 2019 it patched the vulnerability that caused it, without officially addressing the recent security concern

Personal information on hundreds of millions of Facebook users – including names, birth dates, and phone numbers – has reportedly been posted to a website for hackers since 2019. The data leak had allegedly gone under the radar for more than 24 months, and could be the biggest data breach yet for the social media giant.

The data set contains information on 533 million users from 106 countries, according to Business Insider, which first reported on its availability. The data, which appears to be years old, was first discovered making the rounds in hacker circles in January 2019 by Alon Gal, CTO of cybercrime intelligence firm Hudson Rock. The database was initially being sold on instant messaging platform Telegram for a fee of US$20 per search. Facebook then said that it had patched the vulnerability that had caused the leak, but in June 2020 and then again in January 2021 the same database was apparently leaked again.

There are records for more than 32 million accounts in the United States (US), over 11 million in the United Kingdom (UK) and Malaysia respectively, and six million in India, according to Gal. The leaked data includes names, mobile numbers, emails, gender, occupation, city, country, marital status, and others.

Hudson Rock even showed CNN Business the phone numbers of two of its senior staff, which are included in the database. “This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019,” Facebook spokesperson Andy Stone told CNN on Saturday. Facebook, however, did not say whether it notified affected users at the time, but a spokesperson tweeted that the data was from an old leak.

“This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019,” Facebook spokesperson Liz Bourgeois said. Despite its age, the data set could provide valuable information to identity thieves and other scammers. “Bad actors will certainly use the information for social engineering, scamming, hacking, and marketing,” Gal said in a tweet on Saturday.

The social networking giant has grappled with several privacy and security issues over the years. Earlier in 2019, security researchers found a nearly identical amount, said to be more than 540 million Facebook user records, including comments and likes, in a public database on Amazon’s cloud servers. Later that year, TechCrunch reported on a server that contained several databases filled with more than 419 million Facebook records from users in the US, UK, and Vietnam. Within the same year, a security researcher discovered a trove of data anyone could access online containing more than 267 million Facebook users’ phone numbers, names, and user IDs.

The cost of social data being sold

Arguably the world’s most popular social media network with more than two billion monthly active users globally, Facebook stores enormous amounts of user data, giving it a massive data trove. Every day, users feed Facebook’s data beast with mounds of information. Every 60 seconds, 136,000 photos are uploaded, 510,000 comments are posted, and 293,000 status updates are posted.  

Data breaches have unfortunately become a common occurrence today. Some breaches have a wider-reaching impact than others, as the affected parties might have more valuable data exposed or, as in the case of Facebook, be in possession of so much user data that any leak can be considered a serious breach of trust.

As bad as this is for the impacted consumers, it takes a toll on digital businesses too. For giants like Google, Facebook, Microsoft, and Apple, a data breach could cost them anywhere from US$2 billion to well over US$10 billion in damages, reports suggest. Perhaps not enough to send these tech behemoths looking for bankruptcy lawyers, but more than enough to get their collective attention.

Researchers with Privacy Affairs analyzed hundreds of listings last year on the dark web, where hackers routinely exchange stolen credentials. A hacked Facebook account goes for US$74.50 on average, while Instagram accounts averaged US$55.45 and Twitter logins went for US$49 on average.