A hacker has published the personal information of 533 million Facebook users on a hacking forum for free. The information includes Facebook IDs, names, phone numbers, birth dates, and location. In some cases, the data also included email addresses.
This isn’t the first time this particular leak has surfaced online, although the fact that it has re-emerged and is now available for free is troubling. The re-emergence was first reported by Business Insider after it was discovered by Alon Gal, who posted a Twitter thread about the leaked data.
All 533,000,000 Facebook records were just leaked for free.
This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked.
— Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
While Facebook says that the vulnerability that allowed this information to be scraped was patched in August 2019, that does nothing to protect the information that has already been leaked. It also does nothing to alleviate concerns that Facebook collects and monetizes its users’ personal information, but has a poor record of protecting that information from bad actors.
In that sense, the leak of a database that includes information on a half-billion users is worse than it might seem for two reasons. First, Facebook’s response shows that the company continues to lack any real sense of understanding of its responsibility to protect its users’ privacy.
“This is old data that was previously reported on in 2019,” a spokesperson told Bloomberg in a statement. “We found and fixed this issue in August 2019.”
It’s as if the company wants to take credit for fixing a problem because it patched a massive hole in its security, even though none of the stolen goods have been recovered. I reached out to Facebook directly, but the company did not immediately respond.
That’s a problem because Facebook knows a lot about you, perhaps more than any other company on earth. The information that Facebook gathers is what it uses to show you targeted advertisements. But in the hands of hackers and criminals, it can be used for much more nefarious purposes.
Imagine if robbers were able to steal the contents of a bank vault because someone left the door open and unguarded (which is basically what Facebook did with your personal information). That would be bad. It would be even worse if the bank’s response after the fact was, “Yeah, we know that a bunch of your money is gone, but we’ve closed the vault and changed the combination.”
The problem isn’t just that the vault was left open; it’s that everything inside was stolen and hasn’t been recovered. That’s the real problem, and it hasn’t been fixed.
Of course, and this is the second problem, Facebook can’t get the information back. That’s not how things work in a digital world. It’s also probably why the company has yet to acknowledge its responsibility, or even notify individual users whose information has been compromised.
That’s why this is much worse than a bank robbery. Once your personal information is leaked online, there’s literally nothing that can stop it from being sold to anyone who might want to use it for less-than-noble purposes.
Especially concerning is the fact that, in many cases, the database included both email addresses and phone numbers. Considering that many people use their email address to log in to websites and accounts online, and that phone numbers are often used to verify your identity for those accounts, the fact that they are both contained in the same database could make it easier for criminals to gain access to your accounts.
I wrote previously about how smooth-talking hackers are able to use social engineering to gain access to your mobile number via SIM-swapping. That’s a big problem since we use phone numbers for two-factor authentication for everything from your email to your bank account. If a criminal gains control of your phone number, they can use it to gain control of your accounts.
It’s one thing to understand that tech companies like Facebook are tracking you and gathering your personal information in exchange for providing a free service. I just don’t think it’s that unreasonable to expect those companies to keep that information safe. That Facebook has shown, time and time again, that it can’t is especially concerning.