The personal data of more than 500 million Facebook users became widely available online this weekend, although the social media giant said it fixed, two years ago, the vulnerability the hackers had exploited.
Hackers had developed software to imitate Facebook and obtain users’ information; in response, the social media giant said, it removed people’s ability to discover each other via their phone numbers.
Alon Gal, chief technology officer at cybercrime intelligence firm Hudson Rock, said on Twitter that users’ leaked information included phone numbers, Facebook IDs, locations, and some email addresses. Mr. Gal sounded the alarm about the data this weekend.
“Bad actors will certainly use the information for social engineering, scamming, hacking and marketing,” Mr. Gal wrote on Twitter.
Facebook, however, said the problem is not new and that the company resolved the issue in its contact importer feature in 2019. Prior to that fix, Facebook said, sophisticated software allowed hackers to imitate Facebook and look up which users were paired to a given phone number. By automating those lookups, hackers could match many more numbers to users and collect information from those users’ profiles.
“This is old data that was previously reported on in 2019,” Liz Bourgeois, a Facebook spokesperson, said on Twitter. “We found and fixed this issue in August 2019.”
Given the size and scale of the leak, validating the authenticity of the records is a challenge. A sample of the data was reviewed by Business Insider, which said it verified several records. Mr. Gal counted more than 32 million affected users in the United States.
If the data in the leak is fully authenticated, it could prove to be the “first, truly global phone book,” noted Tomasz Onyszko, founder of cloud services company Predica, on Twitter.
Troy Hunt, founder of Have I Been Pwned, which lets people know if they are affected by data breaches, said on Twitter that the data leak could prove useful for targeted attacks.
“For spam based on using phone number alone, it’s gold,” Mr. Hunt said on Twitter. “Not just SMS [text messaging], there are heaps of services that just require a phone number these days and now there’s hundreds of millions of them conveniently categorised by country with nice mail merge fields like name and gender.”
The information could prove useful to hackers leveraging Facebook to attack vulnerable targets. Last month, the company revealed it disrupted attempts by Chinese hackers to access users’ accounts and distribute malware.
Among the tactics they employed, the hackers posed on Facebook using fake accounts that looked like they belonged to journalists, human rights advocates and students to build the trust of targeted victims, particularly Uyghur users, whom the hackers wanted to surveil, Facebook officials said.
It’s not just cybercriminals and China looking to use Facebook and social media to surveil targets, given that the platforms’ user base spans the globe. Hackers, cyberattackers and countries have all shown interest in accessing private information contained on social media, whether by technological hacks or by developing insiders.
Last year, former Facebook employee Behdad Esfahbod told The Washington Times he was forced by the Iranian regime to agree to spy on westerners to secure his release from Tehran’s Evin Prison.