SecureMac, Inc.

Facebook data breach exposes details of 500 million users

April 7, 2021

A Facebook data breach has exposed the personal information of more than 500 million users.

A massive data breach has exposed the personal information of over 500 million Facebook users. According to security researchers, the leaked data is now being shared freely online.

In this article, we’ll tell you about the breach, and explain why it matters from a security standpoint. We’ll also show you how to keep yourself safe in the weeks and months ahead.

Fast facts about the Facebook data breach

On April 3, Alon Gal, CTO of the cybersecurity firm Hudson Rock, revealed that personal data from over 500 million Facebook accounts was being shared on a public hacking forum. 

The leaked data contains a wide range of personally identifiable information, including: 

  • Facebook account IDs
  • Full names
  • Telephone numbers
  • Email addresses
  • Birthdates
  • Physical location
  • Biographical information

The affected accounts appear to come from all over the world. The leaked data includes over 30 million users in the United States alone.

A Facebook spokesperson told reporters that the massive trove of data is from a 2019 breach. Back in 2019, a vulnerability (since patched) allowed bad actors to scrape vast amounts of personal data from Facebook accounts. 

Yet while the breach may be several years old, the fact that it’s freely available online is new — which is why this story is causing so much concern.

How can hackers use this data?

The Facebook data breach is troubling from a privacy standpoint. But is it a security risk? 

Unfortunately, the answer is a clear yes.

For one thing, the leaked data contains exactly the sort of personally identifiable information that bad actors like to use in social engineering attacks, or to perpetrate identity theft.

In addition, the combination of Facebook IDs and associated email addresses could result in bad guys attempting to hack into people’s Facebook accounts directly. If successful, this could lead to further compromise, or be used to send out scam messages to contacts.

In terms of the threat from phishing attacks, it seems that relatively few email addresses were leaked. But the exposed telephone numbers are another matter. According to data breach expert Troy Hunt, those phone numbers could be extremely useful to scammers and spammers:

“For a targeted attack where you know someone’s name and country, it’s great for mobile phone lookup … [and] for spam based on using phone number alone, it’s gold.”

Lastly, the fact that this incident is so high profile might spawn a wave of “Facebook data breach” phishing emails. After a big data breach, hackers often send out fake emails in which they impersonate the company that suffered the breach. They offer people help, information, or financial compensation in an attempt to steal sensitive data or login credentials. 

How to check if your account was affected

To check if the email associated with your Facebook account was exposed, you can use Troy Hunt’s data breach aggregation site Have I Been Pwned (HIBP).

However, bear in mind that most of the Facebook accounts in this breach didn’t have the associated email addresses exposed. Thus, if you don’t see yourself in the HIBP results after entering your email, it doesn’t mean that you’re safe. It just means that your email address wasn’t part of the breach.

Hunt has also added support for phone number search to the website; so to see if your phone number was leaked, enter the number (using the international format) into the same search field on the HIBP main page.

How to protect yourself

In the aftermath of such a large breach, it’s only natural to wonder if you’re truly safe … and how you can protect yourself. Here are a few steps you can take:

  1. To safeguard against a possible hack of your Facebook account, change the password for your account and enable two-factor authentication (2FA). If you’ve confirmed that your email address was one of those exposed in this breach, then change your password for that account as well, and enable 2FA for additional security.

  2. For the foreseeable future, be extra vigilant when it comes to phone scams. If you receive an unsolicited call, don’t give the caller any sensitive information over the phone. Ask for a case ID or reference number, and then call whatever organization the caller says they’re from — but at a number that you’ve looked up independently.

  3. Be on the lookout for identity theft. If you’re not sure what to look for, review the basics of what identity theft is, and of how to prevent it. Facebook users in the United States may also want to consider putting a freeze on their credit files as a preventative measure. The U.S. Public Interest Research Group (U.S. PIRG) maintains a step-by-step guide that shows how to do this.

  4. If you receive an email, call, or text from someone claiming to be from Facebook, and offering assistance or information about the breach, be very careful. Remember that hackers often use high-profile breaches as the basis for phishing and social engineering attacks. If you think you need a refresher, take a few minutes to review best practices for spotting and avoiding phishing attacks.

  5. Share the information in this article with people who may not be as aware of cybersecurity issues as you are. Phone scams often target the elderly in particular, so if you have older friends or relatives who use Facebook, take a moment to let them know how they can stay safe.

An ounce of prevention …

When companies collect user data, it can very easily become a cybersecurity issue in the event of a breach. Facebook has an unusually problematic track record on privacy. But it’s certainly not the only company out there that’s hoovering up vast amounts of user data. So what can you do to keep yourself safe?

To be frank, social media platforms, apps, websites, and companies can’t be trusted to keep your data secure. For this reason, it’s best to avoid giving them your information in the first place! Here are a few ways to do this:

  • Never give out “extra” personal details (i.e. more than what’s strictly necessary), whether you’re signing up for a new social media platform or filling out a loyalty card application at the local supermarket.
  • Research how apps handle your data with Apple’s App Store Privacy Labels; pay special attention to data collection and data sharing practices. If you don’t like what you see, consider using a different app.
  • Use Sign in with Apple as a privacy-friendly login option whenever possible. Sign in with Apple lets you create new accounts with a bare minimum of personal information. It also allows you to conceal your real email address from developers.
  • Learn how to use the OS-based privacy features that come with your iPhone or your Mac. There are options to limit photo sharing and network access, to enable and disable location and Bluetooth services, and more.
