Over the weekend, the private data of more than half a billion Facebook users from 106 countries was leaked publicly. Details include the victims’ full name, Facebook ID, place of residence, date of birth and various contact details. Apparently, the same data set was up for sale in January, but cybercriminals and hackers can now download the information for free.
Two-Year-Old Data Breach
Alon Gal, CTO of cybersecurity firm Hudson Rock, raised the alarm last January. He discovered that sensitive data belonging to millions of Facebook users was being sold to interested parties via a Telegram bot. At the time, those who wanted to get their hands on the information had to pay a certain amount for each set of user records.
For those wondering what data is worth: it’s quite a lucrative business. Stolen information can change hands for anything from a couple of dollars to a few hundred dollars per identity.
The hacker advertised phone numbers associated with millions of Facebook accounts as proof that the data was valid. Alon Gal verified the information of some of the users involved in the leak and confirmed its validity. However, the security expert believes the data is at least a couple of years old. Nonetheless, most information is likely still valid, as most people would still be using the same phone number, for example.
Data of Half a Billion Facebook Users Available for Free
The hacker is now offering the whole database for free to other hackers and cybercriminals, on the dark web. Some records include victims’ Facebook IDs, first and last name, and telephone numbers, as well as more sensitive information, such as place of residence, date of birth, gender, email address, relationship status, and more.
In total, the private data of 533 million Facebook users from 106 countries has ended up on a hacker forum. According to a list of affected countries Alon Gal posted on Twitter, most victims are from Egypt (almost 45 million), followed by the US (32 million), Saudi Arabia (28 million) and France (19.6 million). ‘Only’ 11.5 million UK accounts and around 7 million Australian user records were leaked.
The breach allegedly relates to a bug Facebook said it fixed in 2019, when the personal information of over a quarter of a billion users was left exposed. The good news is that no passwords were obtained by the hacker. However, the perpetrator still managed to steal and scrape a huge amount of valuable and privacy-sensitive information.
Beware of Phishing and WhatsApp Fraud
Therefore, the data breach could still pose serious privacy concerns for millions of Facebook users. With the help of the exposed data, scammers can start sophisticated phishing scams. Because they know so many things about the victim, it’s easier to fabricate a compelling and personalized message and thus trick a person into giving up even more sensitive information. They could also attempt identity theft, for example.
Moreover, phone numbers can be used by cybercriminals for WhatsApp fraud. In this case, scammers pose as a friend or family member and ask the victim to transfer money. If they don’t, they “are in danger of ending up in even more financial misery”, they say. Sadly, on average, victims lose thousands of dollars to WhatsApp scams.
Today an even more misleading form of WhatsApp fraud is emerging, known as WhatsApp hijacking. With this type of fraud, actual WhatsApp accounts are taken over by fraudsters. Another common trick to gain access to a victim’s WhatsApp account involves breaking into a victim’s voicemail box to steal the WhatsApp verification code.
2.5 Million Email Addresses Added to Have I Been Pwned
Australian security expert Troy Hunt has added the leaked data to Have I Been Pwned. However, he supplemented his database with a mere 2.5 million new email addresses.
This is because only relatively few email addresses were stolen and Have I Been Pwned only looks at email addresses. Hence, there is a real chance that if you have a Facebook account, your data has been stolen, even if you are not mentioned in Hunt’s database.
Alon Gal rightfully stated that Facebook needs to take on more responsibility for this breach. “I have yet to see Facebook acknowledging this absolute negligence of your data. It’s Facebook’s obligation to notify all affected users and they should do it as soon as possible”, he tweeted.