29 votes

533 million Facebook users' phone numbers and personal data have been leaked online

30 comments

  1. joplin
    And this is why I refuse to give my phone number to these companies. Won't let me sign up without one? OK, I won't sign up then. Asshats.

    13 votes
  2. MonkeyPants
    0.5 billion out of 2.8 billion active users means data on 20% of all facebook users were released.

    Facebook lets you create an account with either an email or a cell phone number.

    All of the accounts in the dump have a phone number associated with them. Only 1% of the released accounts also have an associated email address.

    I think whatever method the hackers used to obtain this data only worked on those accounts authenticated with a phone number.

    12 votes
  3. [2]
    cmccabe
    The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and — in some cases — email addresses.

    A Facebook spokesperson told Insider that the data was scraped due to a vulnerability that the company patched in 2019.

    6 votes
    1. MonkeyPants
      It does not include birth dates, the only date is the date the user last accessed facebook.

      Edit: I was completely wrong, birth date is available, but only for a very small number of people.

      1 vote
  4. [12]
    knocklessmonster
    I guess I can't earnestly weigh in until I see a link to haveibeenpwned or something to specifically track my data, but the notion is terrifying. The relevant info to me, 32 million out of 330 million Americans, means 1/10 of us have potentially been compromised in this hack, which is a staggering proportion for a single country, and worse if we consider population density.

    5 votes
    1. [10]
      acdw
      Have I Been Pwned has been updated with this breach.
      5 votes
      1. [3]
        MonkeyPants
        I think Have I Been Pwned is primarily email focused, whereas this breach was primarily related to cell phone numbers tied to people's names.

        5 votes
        1. [2]
          acdw
          Ah, that makes sense. I wonder if HIBP will ever add a phone number field as well -- I'm guessing the breach reports are just big CSVs or something similarly searchable.

          1. MonkeyPants
            They just added the phone number.

            3 votes
      2. [6]
        kfwyre
        It’s also checkable through Firefox Monitor as well.

        I know FM is basically just a rebranding of HIBP, but I mention it here because I’m a lot more comfortable telling friends and family to check something with the “Firefox Monitor” branding over “Have I Been Pwned”. The latter sounds like the kind of site I would tell them to avoid giving personal information to.

        4 votes
        1. [4]
          MonkeyPants
          Very few email addresses were exposed, this was primarily a breach of cell phone numbers tied to names.

          1 vote
          1. [3]
            kfwyre
            Does that mean someone checking Firefox Monitor/HIBP could still have been compromised but those sites would return a false negative?

            1. [2]
              whbboyd
              That is correct.

              (To be clear: the email address they checked against would not have been compromised; but their account may still have been, if they registered for Facebook with a phone number. Building a service similar to HIBP for phone numbers presents a surprising technical challenge: there aren't very many phone numbers, to the point that enumeration becomes a credible concern.)

              3 votes
              1. kfwyre
                Good to know, thank you!

                I sent out the Firefox Monitor link to some family and friends that I know use Facebook and recommended they check to see if they were included. I didn’t realize it would likely produce a false negative. I’ll update them on that.

        2. acdw
          I also did not know about Firefox Monitor, so thanks for the info!

          1 vote
    2. MonkeyPants
      Unless you specifically gave facebook your cell phone # you are fine.

      If you are feeling worried but also brave, you can PM me the first seven of your phone number e.g. 16506447*** and the first few characters of your name e.g. M. Z. or Ma (first) or Za (last) and I can let you know the matching phone numbers that were breached. Should be only 2-20 or so.

      @Deimos, hope this is OK.

      1 vote
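A worked illustration of two points raised in this thread, added here as an example and not code posted by anyone above: the partial-disclosure lookup MonkeyPants offers (the leading digits of a number plus a name fragment, expected to return only a handful of matches) and whbboyd's remark that the phone-number space is small enough that enumeration is a credible attack on any service that tries to expose only a hash of the number. The records are constructed for the example, not rows from the dump; the 11-digit E.164 shape for North American numbers and SHA-256 as the "protected" form are assumptions.

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed sample records in the shape the thread describes (digits of an
# E.164 number without the '+', tied to a full name). Invented for this
# example; they are not rows from the leaked dump.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("16506447012", "Mark Zane"),
    ("16506447345", "Maria Zapata"),
    ("16506447890", "Zack Andersen"),
    ("16506448001", "Mark Zane"),
    ("14155550123", "Ma Lin"),
]

NANP_DIGITS = 11  # assumed: country code 1 plus a 10-digit national number


def prefix_lookup(records, phone_prefix: str, name_hint: str):
    """Partial-disclosure query: records whose number starts with phone_prefix
    and whose name matches name_hint.

    name_hint is either one fragment ("Ma" or "Za"), matched against the first
    or the last name, or two fragments ("M. Z."), matched against first and
    last name in that order. Matching is case-insensitive.
    """
    hints = [h.strip(".").lower() for h in name_hint.split()]
    if not 1 <= len(hints) <= 2:
        raise ValueError("name_hint must contain one or two fragments")
    out = []
    for phone, name in records:
        if not phone.startswith(phone_prefix):
            continue
        parts = name.lower().split()
        first, last = parts[0], parts[-1]
        if len(hints) == 1:
            ok = first.startswith(hints[0]) or last.startswith(hints[0])
        else:
            ok = first.startswith(hints[0]) and last.startswith(hints[1])
        if ok:
            out.append((phone, name))
    return out


def hash_phone(phone: str) -> str:
    """The naive 'protection' a lookup service might publish instead of the
    raw number (assumed construction for the example)."""
    return hashlib.sha256(phone.encode("ascii")).hexdigest()


def recover_phone(target_hash: str, phone_prefix: str,
                  total_digits: int = NANP_DIGITS) -> Optional[str]:
    """Enumerate every number sharing phone_prefix and return the one whose
    hash matches target_hash.

    With 8 known digits that is only 10**3 candidates; even the whole 10-digit
    national space is 10**10 hashes, which a single machine gets through,
    so a plain hash of a phone number hides nothing."""
    suffix_len = total_digits - len(phone_prefix)
    if suffix_len < 0:
        raise ValueError("prefix is longer than the number format")
    for n in range(10 ** suffix_len):
        candidate = phone_prefix + str(n).zfill(suffix_len)
        if hash_phone(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    print(prefix_lookup(SAMPLE_RECORDS, "16506447", "M. Z."))
    protected = hash_phone("16506447345")
    print(recover_phone(protected, "16506447"))
```

The lookup returns two constructed records for "16506447" plus "M. Z.", and the recovery loop reverses the hashed number after at most a thousand SHA-256 calls. Widening the known prefix does not change the conclusion; it only changes how long the loop runs.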
  5. [4]
    PathOfTheProkopton
    I'm really glad that I deleted my facebook.

    Hopefully this reduces public trust in facebook even further.

    When I left it was such a toxic place, and it wasn't a way to keep in touch with old friends anymore.

    2 votes
    1. acdw
      Me too, but I have been a little worried about what information they still have on me. I checked the last email I used with Facebook on haveibeenpwned though, and it showed it hadn't been. So... hopefully okay!

    2. [2]
      ImmobileVoyager
      I deleted my facebook.

      Did you? What path did you take to ensure that Facebook, Inc. actually deleted from their servers each copy of every piece of information they had on you, knowing that said information comes not only from what you voluntarily provided but also from what others provided, often unwittingly, and mostly from the gigantic tracking apparatus that Fakebook has deployed on almost every website?

      1 vote
      1. PathOfTheProkopton
        Didn't I?

        I think I communicated what I wanted pretty clearly.

        I don't see a need to go into what I shared or didn't share with others or Facebook.

        I also don't think I need a lecture on how big tech is tracking everyone.

        6 votes
  6. [6]
    edoceo
    I looked in this datadump for myself and a few others. I didn't find a bunch that I expected to. In 10 active facebook users I know I only found 1 match.

    1 vote
    1. [2]
      MonkeyPants
      It only includes those people who provided their phone number to facebook as a security mechanism.

      3 votes
      1. balooga
        Ah! Great security feature, that.

        2 votes
    2. [3]
      bilbodwyer
      Where did you check the leak? Curious to see if I'm on there...

      1 vote
      1. [2]
        edoceo
        Here is a post where someone has linked to the files on ufile

        https://news.ycombinator.com/item?id=26684827

        2 votes
        1. Micycle_the_Bichael
          At least the OP now 404s, did not have time to try the skylinks in the comments.

  7. [3]
    Micycle_the_Bichael
    Ok so what is there to be done if your account was a part of the breach? What are good follow up actions? A friend's number was found as part of the FB breach and now is asking me for advice on "what should I do?" Based on what data was leaked, I'm not sure there is much actionable to do? Just like.. that data is out there now, sucks. Sorry.

    1 vote
    1. [2]
      cmccabe
      Not specific to this FB breach, but identity theft prevention measures are always good practice, and maybe your friend should particularly consider freezing their credit.

      Credit freeze is #1 on this list, for example: https://www.nerdwallet.com/article/finance/how-to-prevent-identity-theft

      3 votes
      1. MonkeyPants
        Also never give any information to anyone who calls you. Call them back.

        Plus don't click on anything in emails purported to be from your bank or the govt. Navigate directly to their website to authenticate.

  8. AreaDev
    No large company is immune to data breaches. On a small site, the personal data of 1,000 people can go away; on a big one, millions. The reasons differ, hacking, for example. Everything that is built by people can be broken by people. Another conversation is when this happens through the fault of the company itself. The usual reason is money. There is a constant lack of money and everyone wants more and more of it. Companies justify this desire by pointing to the huge number of servers and the infrastructure. Huge expenses.

    But in any case, the larger the company and the more customers it has, the more responsibility it should bear. Unfortunately, Facebook is a bit dismissive of this. Although ... they say ... put any other company in its place and the situation would be similar. People are to blame. They want more money.