Blog

Did Facebook’s Massive Data Leak Include Your Phone Number?

april 20, 2021 | data breach
Half a Billion Facebook User Files Spilled Online

Half a Billion Facebook User Files Spilled Online

Over 500 million Facebook (FB) user files appeared on a popular hacker web forum over the weekend, causing an uproar and making headlines worldwide. News of the download spread at light speed in part because the data was downloadable for a mere $2 fee.

A mind-boggling 533 million individuals from over 105 countries could now be at increased risk for spamming, smishing, phishing, scamming and ultimately identity theft.

Ask Yourself

Potential victims of any data breach initially want to know what data the hackers compromised. This leak of personally identifiable information (PII) for customers contains full names, addresses, phone numbers, dates of birth, FB biographies, and some email details. The data dump also includes marital status, occupation, employer and FB ID numbers for millions.

To date, countries hardest hit in terms of total files compromised include Italy and Egypt; the U.S. sits in the fourth position with over 32 million files compromised.

Was it Me?

Next, individuals wonder whether their info was part of the theft. Here’s where it gets challenging--finding out whether your data was involved. Right now, that might be a tricky question to answer. The fastest (and safest) way to check is to visit haveibeenpwned.com. "Pwned" is a coder term for being hacked, and this website's the brainchild of independent Australian security researcher Troy Hunt.

It can reveal whether your email is part of the data find but that won’t notify everyone. When Hunt uploaded the new data specs on Sunday, he wrote, "The primary value of the data is the association of phone numbers to identities; whilst each record included phone, only 2.5 million contained an email address."

Hunt added that he noted relationship status in some files, and he's seen the complete data set popping up on social media everywhere.

Hunt's data breach repository just added a search function to determine whether phone numbers were compromised. It has always allowed checks on email addresses or passwords that could be exposed. Since only 2.5 million email addresses reside in the leaked files, Hunt weighted the consequences of adding phone digit search in response to demand. That feature went live April 6th.

New or Resurrected Data Breach?

Facebook wants your mobile number to verify accounts or your identity if you misplace a password and cannot log in. Some users might find it convenient--until a breach like this hits the internet.

This isn't Facebook's first rodeo. There's the notorious 2018 Cambridge Analytics/Facebook arrangement that tapped user "likes" to determine their political leanings. Other breaches have involved cloud server buckets left unsecured. In August 2019, the company announced it had fixed a bug connected to the "Add Friend" feature.

This Friend bug reportedly leaked an estimated 540 million files, and some security researchers believe that it provided the foundation for these new downloads. It's not unheard of for hackers to first offer a data trove like this one for thousands of dollars, then eventually expose the data online at no charge.

FB has reportedly confirmed to some media that the 533+ million files leaked on August 3, 2021, is from the older data breach the company remedied, but that's small comfort for the victims. However, if true, it does mean that data from this group of victims was already in limited circulation for several years.

Most Likely Attack Paths

Scammers utilize this data in multiple ways, but phishing or smishing (phishing by text) will top the list. That means you'll receive texts or calls on mobile devices.

The emails compromised will also lead to phishing, social engineering or data seeking, but they represent less than .05% of the complete download. FB currently boasts over three million users.

A risk of cell phone compromise also exists if your apps require 2 Factor Authorization, known as 2FA or MFA. This can lead to SIM card compromises and significant smartphone issues, including takeovers.

What's still unknown is other methods that would utilize this exposed data. When's the last time you began to create a new online account, and the site prompted you to log in via your Facebook or Google account? If Facebook ID numbers were compromised as reported, it's time to change your FB passcode to prevent any misuse on sites where you have credit card data stored. Ditto if you use FB pay or Google Pay.

Shield Yourself

IDShield's plans monitor many key data points, including phone numbers, email addresses, home locations, and more. Our goal is to alert you to any breaches involving your data to help you take proactive steps fast.

It is possible to remove your cell number from FB's files if you're one of the users who didn't want to share their numbers but surrendered the details to avoid the constant pop-up reminders.

Is it any consolation to victims that FB's leader, Mark Zuckerberg, also had his cell number exposed in this leak? That's debatable, but exposed users would probably love it to send him their thoughts on this latest FB data exposure.

LegalShield provides access to identity theft protection and restoration services. For complete terms, coverage, and conditions, please see an identity theft plan. All Licensed Private Investigators are licensed in the state of Oklahoma. This is meant to provide general information and is not intended to provide legal advice, render an opinion, or provide any specific recommendations.