“The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India,” according to Insider. “It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and — in some cases — email addresses.”
If that 533 million number might sound familiar to you, that’s because this information is apparently from the same dataset that people could pay for portions of using a Telegram bot, which Motherboard reported on in January. Now, though, it appears that those who want to get their hands on the data won’t have to pay anything at all.
Facebook told Insider that this data was scraped because of a vulnerability that it fixed in 2019. The company gave a similar answer to Motherboard in January. “This is old data that was previously reported on in 2019,” Facebook told BleepingComputer. “We found and fixed this issue in August 2019.” Facebook has not replied to a request for comment from The Verge.
Troy Hunt, the creator of the Have I Been Pwned database, said on Saturday that “I haven’t seen anything yet to suggest this breach isn’t legit.” In the data, he found only about 2.5 million unique email addresses (which is still a lot!), but apparently, “the greatest impact here is the phone numbers.” Here’s what that might mean, in Hunt’s words:
If you can, I strongly recommend taking a couple minutes to read Hunt’s full Twitter thread about the breach.
Hunt has already loaded the leaked email addresses into Have I Been Pwned, meaning you can check to see if yours was included as part of the dataset. He is still considering whether or not to make the leaked phone numbers available through the service.