The mobile phone numbers and other personal information for approximately 533 million Facebook users worldwide have been leaked on a popular hacker forum for free.
The stolen data first surfaced on a hacking community in June 2020 when a member began selling the Facebook data to other members. What made this leak stand out was that it contained both member information that can be scraped from public profiles and the private mobile numbers associated with the accounts.
The sold data included 533,313,128 Facebook users, with information such as a member's mobile number, Facebook ID, name, gender, location, relationship status, occupation, date of birth, and email addresses.
From samples of the Facebook data seen by BleepingComputer, almost every user record contains a mobile phone number, a Facebook ID, a name, and the member's gender.
Below is a small sample of USA records showing the redacted mobile numbers starting with New York's 917 mobile area code.
According to Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, threat actors are believed to have exploited, in 2019, a now-patched vulnerability in Facebook's "Add Friend" feature that allowed them to gain access to members' phone numbers.
It is unknown if this alleged vulnerability allowed the threat actor to retrieve all of the information in the leaked data or just the phone number, which was then combined with information scraped from public profiles.
After the initial sale of the data, which is believed to be for $30,000, another threat actor created a private Telegram bot that allowed other threat actors to pay to search through the Facebook data.
Facebook data leak released for free
Today, this Facebook data leak has been released for free on the same hacker forum for eight site 'credits,' a form of currency on the hacker forum, equal to approximately $2.19.
While data breaches are initially sold in private sales for a high price, it is common for them to be sold for lower and lower prices until they are eventually released for free as a way of earning reputation within the hacker community.
"As is the case every time, people began to sell for cheaper and cheaper until it leaked for free," Gal told BleepingComputer in a conversation.
Included in the data leak are the phone numbers for three of Facebook's founders: Mark Zuckerberg, Chris Hughes, and Dustin Moskovitz, who were the 4th, 5th, and 6th members registered on Facebook.
In response to our queries regarding the data leak, Facebook told BleepingComputer that this data is the same data as was harvested in 2019.
"This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019," a Facebook spokesperson told BleepingComputer.
While the data may be from 2019, it is common for phone numbers and email addresses to remain the same over a period of many years, making this valuable to threat actors.
The top 20 geographic locations where members were exposed, as described by the threat actor, are listed below. These locations are likely what was entered by the Facebook member in their profile.
A full list of locations and associated member counts can be found at the end of the article.
| Location | Number of users |
| --- | ---: |
| Egypt | 44,823,547 |
| Tunisia | 39,526,412 |
| Italy | 35,677,323 |
| USA | 32,315,282 |
| Saudi Arabia | 28,804,686 |
| France | 19,848,559 |
| Turkey | 19,638,821 |
| Morocco | 18,939,198 |
| Colombia | 17,957,908 |
| Iraq | 17,116,398 |
| Africa | 14,323,766 |
| Mexico | 13,330,561 |
| Malaysia | 11,675,894 |
| United Kingdom | 11,522,328 |
| Algeria | 11,505,898 |
| Spain | 10,894,206 |
| Russia | 9,996,405 |
| Sudan | 9,464,772 |
| Nigeria | 9,000,131 |
| Peru | 8,075,317 |
Data can be used to conduct attacks
This release has been met with enthusiasm by other threat actors on the hacker forum as they can use it to conduct attacks on the people listed in the data leak.
For example, threat actors can use email addresses for phishing attacks and mobile numbers for smishing (mobile text phishing) attacks.
Threat actors can also use mobile numbers and leaked info to perform SIM swap attacks to steal multi-factor authentication codes sent via SMS.
It is advised that all Facebook users be wary of strange emails or texts requesting further information or telling them to click on enclosed links.
A full list of geographic locations, as shared by the threat actor, and the number of exposed users per location can be seen below.
| Rank | Profile Location | Exposed Users | Rank | Profile Location | Exposed Users |
| ---: | --- | ---: | ---: | --- | ---: |
| 1 | Egypt | 44,823,547 | 55 | Bahrain | 1,450,124 |
| 2 | Tunisia | 39,526,412 | 56 | Ireland | 1,449,919 |
| 3 | Italy | 35,677,323 | 57 | Finland | 1,381,569 |
| 4 | USA | 32,315,282 | 58 | Czech Republic | 1,375,988 |
| 5 | Saudi Arabia | 28,804,686 | 59 | Austria | 1,249,388 |
| 6 | France | 19,848,559 | 60 | Sweden | 1,092,140 |
| 7 | Turkey | 19,638,821 | 61 | Ghana | 1,027,969 |
| 8 | Morocco | 18,939,198 | 62 | Philippine | 879,699 |
| 9 | Colombia | 17,957,908 | 63 | Mauritius | 848,558 |
| 10 | Iraq | 17,116,398 | 64 | Taiwan | 734,807 |
| 11 | Africa | 14,323,766 | 65 | China | 670,334 |
| 12 | Mexico | 13,330,561 | 66 | Croatia | 659,115 |
| 13 | Malaysia | 11,675,894 | 67 | Denmark | 639,841 |
| 14 | United Kingdom | 11,522,328 | 68 | Greece | 617,722 |
| 15 | Algeria | 11,505,898 | 69 | Afghanistan | 558,393 |
| 16 | Spain | 10,894,206 | 70 | Albania | 506,602 |
| 17 | Russia | 9,996,405 | 71 | Norway | 475,809 |
| 18 | Sudan | 9,464,772 | 72 | Bulgaria | 432,473 |
| 19 | Nigeria | 9,000,131 | 73 | Japan | 428,625 |
| 20 | Peru | 8,075,317 | 74 | Macao | 414,228 |
| 21 | Brazil | 8,064,916 | 75 | Namibia | 409,356 |
| 22 | Australia | 7,320,478 | 76 | Jamaica | 385,890 |
| 23 | United Arab Emirates | 6,978,927 | 77 | Hungary | 377,045 |
| 24 | Syria | 6,939,528 | 78 | Ecuador | 310,259 |
| 25 | Chile | 6,889,083 | 79 | Iran | 301,723 |
| 26 | India | 6,162,450 | 80 | Botswana | 240,606 |
| 27 | Germany | 6,054,423 | 81 | Slovenia | 229,039 |
| 28 | Netherlands | 5,430,388 | 82 | Lithuania | 220,160 |
| 29 | Oman | 5,048,532 | 83 | Brunei | 213,795 |
| 30 | Yemen | 4,617,359 | 84 | Luxembourg | 188,201 |
| 31 | Kuwait | 4,468,134 | 85 | Serbia | 162,898 |
| 32 | Libya | 4,204,514 | 86 | Cyprus | 152,321 |
| 33 | Israel | 3,956,428 | 87 | Puerto Rico | 130,586 |
| 34 | Bangladesh | 3,816,339 | 88 | Indonesia | 130,331 |
| 35 | Canada | 3,494,385 | 89 | South Korea | 121,744 |
| 36 | Palestine | 3,367,576 | 90 | Malta | 115,366 |
| 37 | Kazakhstan | 3,214,990 | 91 | Azerbaijan | 99,472 |
| 38 | Belgium | 3,183,584 | 92 | Georgia | 95,193 |
| 39 | Jordan | 3,105,988 | 93 | Estonia | 87,533 |
| 40 | Singapore | 3,073,009 | 94 | Maldives | 86,337 |
| 41 | Bolivia | 2,959,209 | 95 | Angola | 50,889 |
| 42 | Hong Kong | 2,937,841 | 96 | Moldova | 46,237 |
| 43 | Poland | 2,669,381 | 97 | Iceland | 31,343 |
| 44 | Qatar | 2,526,694 | 98 | Turkmenistan | 16,279 |
| 45 | Argentina | 2,347,553 | 99 | Honduras | 16,142 |
| 46 | Portugal | 2,277,361 | 100 | Burundi | 15,709 |
| 47 | Cameroon | 1,997,658 | 101 | Haiti | 15,407 |
| 48 | Lebanon | 1,829,661 | 102 | Djibouti | 14,327 |
| 49 | Guatemala | 1,645,068 | 103 | Ethiopia | 12,753 |
| 50 | Tunisia | 1,595,346 | 104 | Burkina Faso | 6,413 |
| 51 | Switzerland | 1,592,039 | 105 | Fiji | 5,364 |
| 52 | Uruguay | 1,509,317 | 106 | El Salvador | 4,779 |
| 53 | Panama | 1,502,310 | 107 | Cambodia | 2,838 |
| 54 | Costa Rica | 1,464,002 | | | |
Update 4/3/21 3:00 PM EST: Added that the leak includes Facebook founders and that date of birth may be included in the leaked data.
Update 4/3/21 8:54 PM EST: Added statement from Facebook.
Update 4/4/21 11:12 AM EST: Added the full list of geographic locations and the number of exposed users per location.
Comments
Abdul89177 - 3 years ago
Okay, if this thing goes on, someone who collected it will get more than $1 billion if all of those are sold.
rod009 - 3 years ago
The top 20 geographic locations contain 6 African countries and then Africa itself. What does it mean?
Egypt, Tunisia, Morocco, Algeria, Sudan, Nigeria and then "Africa"???!!
Thanks for the article :-)
Bachsau - 3 years ago
I think it is whatever the user put in the country field of his profile.
Lawrence Abrams - 3 years ago
Good question. This is how the threat actor broke up the locations. Likely caused by what Bachsau stated.
michalog - 3 years ago
How can we find this free data?
JeffoBezzo - 3 years ago
Is there any chance to find out the name of the mysterious hacker forum?
mildaevilda - 3 years ago
It's on RaidForum.
randomdude911 - 1 year ago
Wasn't RaidForums taken down by the FBI?
darv_iss - 3 years ago
Mine is already hacked. The hacker is trying to take over my account, and now it's been locked by Facebook. What should I do to be able to access it again?
fassal - 7 months ago
Where can I download this data!