500M Phone Numbers Exposed in Facebook Leak

By John Lister

A data leak has exposed the phone numbers of an estimated 500 million Facebook users. The data comes from a breach in 2019, but has just been made public.

According to Facebook, the breach was "found and fixed" in 2019, which has raised some eyebrows given the company never warned users their details may have been compromised. It argues the data wasn't hacked but rather "scraped" from publicly accessible information through a bug in its feature that lets users find the Facebook accounts of people in their phone contacts.

That may not be enough to satisfy data protection officials in several countries who are now investigating potential violations of laws that require companies to secure personal data.

Facebook has also said the people who collected the details didn't technically get hold of phone numbers from its systems. Instead, they supplied phone numbers and were able to retrieve the details of the accounts which had that phone number listed. Given that simply trying phone numbers in bulk is a fairly simple task to automate, this doesn't seem like much in the way of mitigation. (Source: wired.com)
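The difference between "the attacker supplied the numbers" and "the attacker got the numbers" is small when the lookup is unthrottled. The following is an added example, not Facebook's code: a toy "find accounts by phone number" service, the loop that walks a number range through it, and a hardened variant with a batch cap and per-client rate limit. The directory, the number range and the limits (20 numbers per request, 5 requests per client per minute) are all constructed for illustration.

```python
"""Simulated contact-import lookup: how an unthrottled "find friends by
phone number" endpoint turns into a phone-number enumerator.

Added example, not Facebook's code. The directory, the number range and the
hardened variant's limits are constructed/illustrative choices.
"""
import itertools
import time
from collections import defaultdict

# Constructed sample directory: phone number -> public profile fields.
DIRECTORY = {
    "+15550000012": {"name": "Alice Example", "user_id": 1001},
    "+15550000047": {"name": "Bob Example", "user_id": 1002},
    "+15550000131": {"name": "Carol Example", "user_id": 1003},
}


class LookupService:
    """Unhardened contact import: any caller, any numbers, any volume."""

    def lookup(self, client_id, numbers):
        return {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}


class RateLimitExceeded(Exception):
    pass


class HardenedLookupService:
    """Same feature with a hard cap on batch size and per-client throttling."""

    def __init__(self, max_batch=20, max_requests=5, window_seconds=60,
                 clock=time.monotonic):
        self.max_batch = max_batch
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self._history = defaultdict(list)  # client_id -> request timestamps

    def lookup(self, client_id, numbers):
        if len(numbers) > self.max_batch:
            raise ValueError("batch too large")
        now = self.clock()
        recent = [t for t in self._history[client_id] if now - t < self.window]
        if len(recent) >= self.max_requests:
            raise RateLimitExceeded(client_id)
        recent.append(now)
        self._history[client_id] = recent
        return {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}


def enumerate_numbers(service, client_id, prefix="+1555000", width=4, batch=100):
    """Walk every number under a prefix, submitting them as contact imports.

    Stops at the first rejection, and returns whatever was recovered.
    """
    candidates = (f"{prefix}{i:0{width}d}" for i in range(10 ** width))
    found = {}
    while True:
        chunk = list(itertools.islice(candidates, batch))
        if not chunk:
            break
        try:
            found.update(service.lookup(client_id, chunk))
        except (ValueError, RateLimitExceeded):
            break
    return found


if __name__ == "__main__":
    print("unthrottled:", sorted(enumerate_numbers(LookupService(), "scraper")))
    print("hardened:   ", sorted(enumerate_numbers(HardenedLookupService(),
                                                   "scraper", batch=20)))
```

Against the unthrottled service the loop recovers every listed account in a hundred requests; against the hardened one a single client covers only 100 numbers per minute before being cut off. Note what the per-client limit does not do: it only slows a scraper that uses one identity, so the cap has to be paired with limits that follow the caller across accounts, IP ranges and API keys, and with lookups that return nothing for numbers the caller has no existing relationship with.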

Zuckerberg Among Victims

A database of leaked details from the breach has reportedly been circulating privately among cyber criminals since the attack, but has now been published online in a hacking forum. It's said to cover 533 million users. In around 500 million cases, the leaked information includes a phone number. The company strongly encourages users to add cellphone details to their account, ironically as a security measure.

Some records in the database also include email addresses, though this only covers a few million users. The people affected come from at least 106 countries, with estimates of 30 million US users having their details exposed. This appears to include Facebook chief Mark Zuckerberg.

Online Checking Services Available

Several independent websites are offering ways for users to type in their email address or phone number to see if it is included in this or other databases of leaked details. (Source: bbc.co.uk)

Naturally, using these checking services requires an element of trust, since you are handing the very detail you are worried about to a third party. The most high-profile, haveibeenpwned.com, has not been associated with any shady behavior itself and is run by security researcher Troy Hunt, but it's still definitely an "at your own risk" tool.
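One way a checker can reduce how much it learns about the person querying it is the hash-prefix ("k-anonymity") pattern: the client hashes the value, sends only the first few hex characters, receives every matching suffix in that bucket, and decides locally. This is an added example, not the code of haveibeenpwned.com or any other service; it follows the shape of haveibeenpwned.com's Pwned Passwords range API (SHA-1, 5-character prefix), but applying it to phone numbers is a hypothetical design here, and the leaked-number set is constructed.

```python
"""Checking a value against a leak index without sending it in full.

Added example, not any checker's real code. Uses the hash-prefix
("k-anonymity") pattern: only a short prefix of the hash leaves the client.
The leaked-number set is constructed for illustration.
"""
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # 16**5 buckets; a phone number hides among thousands per bucket

# Constructed sample of leaked numbers (E.164 form assumed).
LEAKED_NUMBERS = ["+15550000012", "+15550000047", "+15550000131"]


def normalise_phone(number):
    """Strip formatting so '+1 (555) 000-0012' and '+15550000012' hash alike."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return "+" + digits


def sha1_hex(value):
    return hashlib.sha1(value.encode()).hexdigest().upper()


class LeakIndex:
    """Server side: stores only hashes of leaked values, bucketed by prefix."""

    def __init__(self, leaked_values):
        self._by_prefix = defaultdict(list)
        for v in leaked_values:
            h = sha1_hex(v)
            self._by_prefix[h[:PREFIX_LEN]].append(h[PREFIX_LEN:])

    def range_query(self, prefix):
        """Return every stored suffix whose hash starts with `prefix`."""
        if len(prefix) != PREFIX_LEN:
            raise ValueError(f"prefix must be exactly {PREFIX_LEN} hex chars")
        return sorted(self._by_prefix.get(prefix.upper(), []))


def is_leaked(index, phone_number):
    """Client side: only the prefix is sent; the match is decided locally."""
    h = sha1_hex(normalise_phone(phone_number))
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return suffix in index.range_query(prefix)


if __name__ == "__main__":
    index = LeakIndex(LEAKED_NUMBERS)
    for query in ["+1 (555) 000-0012", "+15550009999"]:
        print(query, "->", "LEAKED" if is_leaked(index, query) else "not found")
```

Two caveats a practitioner should keep in mind. First, the prefix only protects the querier: the server still learns that someone asked about a bucket, and with a real leak the bucket contents are already public. Second, hashing does nothing to protect the leaked set itself, because the space of plausible phone numbers is small enough to brute-force the hashes, so a checker built this way must still be operated by someone you are willing to trust with the index.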

What's Your Opinion?

Have you given your phone number to Facebook? Are you concerned by this leak? Would you feel safe using an online service to check if you're affected?


Comments

topgum

Never have I ever given Facebook my phone number. I maintain three phone numbers. My REAL number that I only give to people I have seen. A magicJack (VOIP) number that I use when I fill out forms that might generate spam. And a second mobile phone number for emergencies; most of the time this phone is off.
I'm pretty happy with this arrangement. What distresses me is the growing number of companies using two-factor authentication to steal your phone number information.

JeffRL

I have always steadfastly refused to use Facebook and every time somebody laughs at me for not using it, I have told them that if the personal e-mail account of the CIA director can be hacked, if NASA can be hacked, if the Department of Defense can be hacked, if banks can be hacked, and if major internet security firms can be hacked, then why wouldn't such a tempting target as Facebook escape? It was only a matter of time before someone succeeded and given Facebook being so slow to make an announcement, I would suggest that they have probably not revealed other instances.

The way the vast majority of people use Facebook is a complete abandonment of privacy and I continue to choose not to be that naive. I can guarantee without any fear of ever being proven wrong that I will never be on Facebook regardless of any changes or fixes they might claim to make.

The statement that "this only covers a few million users" would have made me laugh except I've already heard people say "it's only 500 million users" out of however many billion users there are (ignoring for now the fake and duplicate accounts that pad that number).

Like I said in the subject line, I won't say "I told you so" but I don't really need to, do I?