Personal information associated with approximately 533 million Facebook users worldwide has been leaked on a popular cybercrime forum for practically nothing ($2.19). The data was harvested by hackers in 2019 using a Facebook vulnerability.
The leaked data includes full names, Facebook IDs, mobile numbers, locations, email addresses, gender, occupation, city, country, marital status, account creation date, and other profile details, broken down by country, with over 14 million records belonging to users on the African continent, 32 million users in the U.S., 11 million users in the U.K., and 6 million users in India, among others.
The data, which includes user information from 106 countries, was originally sold in private sales after being collected in 2019 using a bug in the ‘Add Friend’ feature on Facebook. Facebook closed this vulnerability soon after it was discovered, but threat actors continued to circulate the data until it was finally released practically for free ($2.19) on Saturday.
All 533,000,000 Facebook records were just leaked for free.
This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked.
I have yet to see Facebook acknowledging this absolute negligence of your data. https://t.co/ysGCPZm5U3 pic.twitter.com/nM0Fu4GDY8
— Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
In response, Facebook told BusinessInsider and several other publications that
“This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019.”
However, many people have found that response to be unsatisfactory.
“Fixed it how?” someone tweeted in response. “Clearly the data is still out there.”
“How do I change my date of birth?” reads another response.
Also, “I’ve had the same email for a decade. Love these dismissive responses.”
And: “You’re head of Communications for @Facebook and this is your response!? How about “we’re deeply sorry for your data being exposed for a second time. Please contact our CS team and we’ll help you restore and protect your account.” Just try harder!”
How to check if your info was exposed in the Facebook data leak
Troy Hunt has since added the leaked data to his Have I Been Pwned data breach notification service to help users determine whether their data was exposed in the leak.
For those not familiar with Have I Been Pwned, it is an excellent resource that indexes data exposed in data breaches so that users can input their email address and see a list of the data breaches that exposed their data.
To check if the Facebook leak included your email address, you can visit Have I Been Pwned and enter your email address in the search field. Once you click the ‘pwned?’ button, a list of all the data breaches the email was exposed to will be displayed.
Troy has tweeted that he is looking into how users can input phone numbers to see if they were exposed in the Facebook leak.
I’ve had a heap of queries about this. I’m looking into it and yes, if it’s legit and suitable for @haveibeenpwned it’ll be searchable there shortly. https://t.co/QPLZdXATpt
— Troy Hunt (@troyhunt) April 3, 2021
What does it mean if I have been pwned?
The word “pwned” has a surprising origin in video game culture and is a derivation of the word “owned,” accounted for by the proximity of the “p” and “o” keys on a computer keyboard. Pwned is generally used to imply that someone has been compromised or controlled in some way. For example, someone might be pwned in a data breach.
In this context, your account is usually one of many to have been compromised. In some cases, millions of email addresses and passwords are leaked during a single data breach. Not many years ago, a data breach that compromised the data of a few million people would have been considered big news. In recent years, however, breaches that affect hundreds of millions of people are all too common.
The dangers of a data leak
One of the more serious consequences of data being exposed in the form of a pwned email or pwned password is identity theft. Identity theft can happen to anyone and lead to serious problems. This might include damaging your credit score and disqualifying you from loans. The cyberattacker could also drain your bank account or stall your tax refund, to name just a few possible outcomes. In the most extreme cases of identity theft, a cyberattacker could commit crimes in your name and get you wrongfully arrested. Proving that you were not the individual responsible for the crimes in question can be a challenging process.
What Can You Do If You Have Been Pwned?
First, try not to panic. While having your data leaked can be worrying, it is important to keep in mind that large-scale data breaches are a regular occurrence, which gives you at least some time to act and prevent further damage. Remember that gaining access to your data is just the start of a cyberattack. The key is to act before the hacker uses your data for their own gain. Here are three things you can do in the event of pwned passwords and pwned email addresses.
1. Change Your Password
If you get pwned, change your password as soon as possible. To find out if a password has been leaked in the past, try consulting “Have I Been Pwned.” This site allows you to safely confirm whether your password or email address has been compromised in the past.
When choosing your new password, security experts recommend using long passphrases instead of a random string of letters, special characters, and numbers. Additionally, many sites support multi-factor authentication (MFA), sometimes referred to as two-step authentication or two-factor authentication. MFA asks you to provide two or more pieces of evidence of your identity to be granted access to an account. A popular form of MFA combines a password with a code sent to the user’s mobile device or email account. Using MFA is highly recommended wherever possible.
2. Choose a Unique Password
Studies have shown that people who use a unique password for every account they have are much less likely to be pwned. Despite this, a 2013 study found that more than half of people used the same passwords for all their accounts. This means that if a hacker manages to obtain your password, they have access to all your accounts, providing them with a goldmine of information.
The challenge of using a unique password with every account is that most online users have dozens of accounts. Remembering all those passwords can be almost impossible, which is where password management tools come into play. A password manager can suggest strong passwords and store them securely for you. Some password managers can even auto-complete them when you want to log in. Although there are certain security risks associated with using a password manager, they have proven themselves to be one of the safest and simplest ways of storing login credentials.
3. Strengthen Your Cybersecurity
Sadly, there’s nothing you as an individual can do to prevent large-scale breaches from occurring. There are, however, ways that you can enhance your own cybersecurity defenses. Email is one of the most common attack vectors because it allows cybercriminals to distribute malware with minimal effort on their part. Even experienced computer and email users can be deceived by an especially convincing spam email, and it only takes one mistake to get pwned. One way of reducing the risk of your email being compromised is to block unwanted senders and unsubscribe from unwanted emails. Bulk email cleaning tools can help with this.