Facebook login credentials and other information like phone numbers, location details, etc. of over 533 million global users have leaked online. Out of the total number of affected users, over 6 million exposed Facebook credentials belong to Indian users. Security researcher Alon Gal discovered that a user on a hacking forum had made the entire dataset public for free.
Gal claims that the data was first leaked in January when the user “advertised an automated bot that could provide phone numbers for hundreds of millions of Facebook users in exchange for a price”. The user has now made the entire leaked Facebook dataset public. The data includes Facebook IDs, phone numbers, email IDs, names, location details, birthdates, etc., of over 500 million users. A Business Insider report reveals that out of the 533 million users from 106 countries, 6 million users are from India.
Data of over 32 million American users and 11 million UK users has also been exposed publicly. Facebook told the publication that the hackers took advantage of a vulnerability that was fixed in 2019. However, hackers might have had access to the information before Facebook could fix the bug.
“A database of that size containing the private information such as phone numbers of a lot of Facebook’s users would certainly lead to bad actors taking advantage of the data to perform social engineering attacks [or] hacking attempts,” Gal told Insider.
Given that the sensitive data is already out in public, hackers can take advantage of it and perform all kinds of attacks to extract more information.
This is not the first time that hackers have used Facebook’s lapse to their advantage and stolen sensitive data. In 2019, over 419 million Facebook users’ phone numbers were exposed online. Facebook confirmed parts of the reported claim but downplayed the extent of the exposure, saying that the number of accounts so far confirmed was around half of the reported 419 million.
The same year, details of over 540 million Facebook users were publicly accessible after a massive cache of unprotected data was discovered on unsecured Amazon servers used by a Mexican social media firm.
To check if your credentials were part of the list, you can visit CyberNews’ personal data leak check, which is an online repository of known credential leaks. You can also query Have I Been Pwned, another data repository. If your credentials were among the ones leaked, it is recommended that you immediately change your password. You should do that once a month anyway.