Facebook

The mobile phone numbers and other personal information for approximately 533 million Facebook users worldwide has been leaked on a popular hacker forum for free.

The stolen data first surfaced on a hacking community in June 2020 when a member began selling the Facebook data to other members. What made this leak stand out was that it contained member information that can be scraped from public profiles and private mobile numbers associated with the accounts.

The initial sale of Facebook data in June 2020
The initial sale of Facebook data in June 2020
Source: BleepingComputer

The sold data included 533,313,128 Facebook users, with information such as a member's mobile number, Facebook ID, name, gender, location, relationship status, occupation, date of birth, and email addresses.

From samples of the Facebook data seen by BleepingComputer, almost every user record contains a mobile phone number, a Facebook ID, a name, and the member's gender.

Below is a small sample of USA records showing the redacted mobile numbers starting with New York's 917 mobile area code.

Sample of leaked USA Facebook members with mobile numbers
Sample of leaked USA Facebook members with mobile numbers
Source: BleepingComputer

According to Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, it is believed that threat actors exploited in 2019 a now-patched vulnerability in Facebook's "Add Friend" feature that allowed them to gain access to member's phone numbers. 

It is unknown if this alleged vulnerability allowed the threat actor to retrieve all of the information in the leaked data or just the phone number, which was then combined with information scraped from public profiles.

After the initial sale of the data, which is believed to be for $30,000, another threat actor created a private Telegram bot that allowed other threat actors to pay to search through the Facebook data. 

Facebook data leak released for free

Today, this Facebook data leak has been released for free on the same hacker forum for eight site 'credits,' a form of currency on the hacker forum, equal to approximately $2.19.

While data breaches are initially sold in private sales for a high price, it is common for them to be sold for lower and lower prices until they are eventually released for free as a way of earning reputation within the hacker community.

"As is the case every time, people began to sell for cheaper and cheaper until it leaked for free," Gal told BleepingComputer in a conversation.

Data leak shared for free on Hacker Forum
Data leak shared for free on Hacker Forum
Source: BleepingComputer

Included in the data leak are the phone numbers for three of Facebook's founders - Mark Zuckerberg, Chris Hughes, and Dustin Moskovitz, which are the 4th, 5th, and 6th members first registered on Facebook.

Facebook Founders in data leak
Facebook Founders in data leak

In response to our queries regarding the data leak, Facebook told BleepingComputer that this data is the same data as was harvested in 2019.

"This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019," a Facebook spokeperson told BleepingComputer.

While the data may be from 2019, it is common for phone numbers and email addresses to remain the same over a period of many years, making this valuable to threat actors.

The top 20 geographic locations where members were exposed, as described by the threat actor, are listed below. These locations are likely what was entered by the Facebook member in their profile.

 A full list of locations and associated member counts can be found at the end of the article.

Location Number of users
Egypt 44,823,547
Tunisia 39,526,412
Italy 35,677,323
USA 32,315,282
Saudi Arabia 28,804,686
France 19,848,559
Turkey 19,638,821
Morocco 18,939,198
Colombia 17,957,908
Iraq 17,116,398
Africa 14,323,766
Mexico 13,330,561
Malaysia 11,675,894
United Kingdom 11,522,328
Algeria 11,505,898
Spain 10,894,206
Russia 9,996,405
Sudan 9,464,772
Nigeria 9,000,131
Peru 8,075,317

Data can be used to conduct attacks

This release has been met with enthusiasm by other threat actors on the hacker forum as they can use it to conduct attacks on the people listed in the data leak. 

For example, threat actors can use email addresses for phishing attacks and mobile numbers for smishing (mobile text phishing) attacks. 

Threat actors can also use mobile numbers and leaked info to perform SIM swap attacks to steal multi-factor authentication codes sent via SMS.

It is advised that all Facebook users be wary of strange emails or texts requesting further information or telling you to click on enclosed links.

A full list of geographic locations, as shared by the threat actor, and the amount of exposed users per location can be seen below. On mobile, you can scroll the table left and right to see any cut off data.

Rank Profile Location Exposed Users   Rank Profile Location Exposed Users
1 Egypt 44,823,547   55 Bahrain 1,450,124
2 Tunisia 39,526,412   56 Ireland 1,449,919
3 Italy 35,677,323   57 Finland 1,381,569
4 USA 32,315,282   58 Czech Republic 1,375,988
5 Saudi Arabia 28,804,686   59 Austria 1,249,388
6 France 19,848,559   60 Sweden 1,092,140
7 Turkey 19,638,821   61 Ghana 1,027,969
8 Morocco 18,939,198   62 Philippine 879,699
9 Colombia 17,957,908   63 Mauritius 848,558
10 Iraq 17,116,398   64 Taiwan 734,807
11 Africa 14,323,766   65 China 670,334
12 Mexico 13,330,561   66 Croatia 659,115
13 Malaysia 11,675,894   67 Denmark 639,841
14 United Kingdom 11,522,328   68 Greece 617,722
15 Algeria 11,505,898   69 Afghanistan 558,393
16 Spain 10,894,206   70 Albania 506,602
17 Russia 9,996,405   71 Norway 475,809
18 Sudan 9,464,772   72 Bulgaria 432,473
19 Nigeria 9,000,131   73 Japan 428,625
20 Peru 8,075,317   74 Macao 414,228
21 Brazil 8,064,916   75 Namibia 409,356
22 Australia 7,320,478   76 Jamaica 385,890
23 United Arab Emirates 6,978,927   77 Hungary 377,045
24 Syria 6,939,528   78 Ecuador 310,259
25 Chile 6,889,083   79 Iran 301,723
26 India 6,162,450   80 Botswana 240,606
27 Germany 6,054,423   81 Slovenia 229,039
28 Netherlands 5,430,388   82 Lithuania 220,160
29 Oman 5,048,532   83 Brunei 213,795
30 Yemen 4,617,359   84 Luxembourg 188,201
31 Kuwait 4,468,134   85 Serbia 162,898
32 Libya 4,204,514   86 Cyprus 152,321
33 Israel 3,956,428   87 Puerto Rico 130,586
34 Bangladesh 3,816,339   88 Indonesia 130,331
35 Canada 3,494,385   89 South Korea 121,744
36 Palestine 3,367,576   90 Malta 115,366
37 Kazakhstan 3,214,990   91 Azerbaijan 99,472
38 Belgium 3,183,584   92 Georgia 95,193
39 Jordan 3,105,988   93 Estonia 87,533
40 Singapore 3,073,009   94 Maldives 86,337
41 Bolivia 2,959,209   95 Angola 50,889
42 Hong Kong 2,937,841   96 Moldova 46,237
43 Poland 2,669,381   97 Iceland 31,343
44 Qatar 2,526,694   98 Turkmenistan 16,279
45 Argentina 2,347,553   99 Honduras 16,142
46 Portugal 2,277,361   100 Burundi 15,709
47 Cameroon 1,997,658   101 Haiti 15,407
48 Lebanon 1,829,661   102 Djibouti 14,327
49 Guatemala 1,645,068   103 Ethiopia 12,753
50 Tunisia 1,595,346   104 Burkina Faso 6,413
51 Switzerland 1,592,039   105 Fiji 5,364
52 Uruguay 1,509,317   106 El Salvador 4,779
53 Panama 1,502,310   107 Cambodia 2,838
54 Costa Rica 1,464,002        

 

Update 4/3/21 3:00 PM EST: Added leaked Facebook founders and that date of birth may be included in leaked data
Update 4/3/21 8:54 PM EST: Added statement from Facebook.

Update 4/4/21 11:12 AM EST: Added the full list of geographic users and amount of exposed users.

Related Articles:

Infosys McCamish says LockBit stole data of 6 million people

Dairy giant Agropur says data breach exposed customer info

Los Angeles Unified School District investigates data theft claims

PandaBuy pays ransom to hacker only to get extorted again

Australian mining company discloses breach after BianLian leaks data