Facebook data leak now under EU data regulator investigation

Ireland’s Data Protection Commission (DPC) is investigating a massive data leak concerning a database containing personal information belonging to more than 530 million Facebook users.

“Previous datasets were published in 2019 and 2018 relating to a large-scale scraping of the Facebook website which at the time Facebook advised occurred between June 2017 and April 2018 when Facebook closed off a vulnerability in its phone lookup functionality,” the DPC said.

“Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR.”

The DPC also said that the recently leaked dataset seems to include information from additional Facebook user records “which may be from a later period.”

The data watchdog added that it had difficulty establishing communication channels with Facebook when it tried “over the weekend to establish the full facts,” given that it received “no proactive communication from Facebook.”

When asked for more details about the leak, a Facebook spokesperson told BleepingComputer that “This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019.”

However, Graham Doyle, DPC’s head of media and deputy commissioner, added that “following this weekend’s media reporting we are examining the matter to establish whether the dataset referred to is indeed the same as that reported in 2019.”

Data leak impacts 533 million Facebook users

The mobile phone numbers and other personal information of hundreds of millions of Facebook users worldwide were leaked on a popular hacker forum for free after it was sold in June 2020 for an estimated $30,000 and made searchable via a private Telegram bot.

The threat actors scraped the information from the public profiles of 533,313,128 Facebook users, including users’ mobile number, Facebook ID, name, gender, location, relationship status, occupation, date of birth, and email addresses.

The phone numbers of three of Facebook’s founders—Mark Zuckerberg, Chris Hughes, and Dustin Moskovitz—are also included in the data leak.

Samples of the Facebook data from the leak seen by BleepingComputer show that almost every user record in the database contains a mobile phone number, a Facebook ID, a name, and the member’s gender.

Facebook founders in data leak

At the moment, it is believed that a now-patched vulnerability in Facebook’s ‘Add Friend’ feature was exploited in 2019 to gain access to and harvest Facebook members’ phone numbers.

This is highly sensitive data that has remained unchanged for most affected Facebook users, and threat actors can use it in email phishing attacks or smishing (mobile text phishing) attacks.

Scammers can also use the leaked info (i.e., mobile phone numbers) in SIM swap attacks to steal their targets’ multi-factor authentication (MFA) codes sent via SMS.

You can use the Have I Been Pwned data breach notification service to check if your info was exposed in this massive Facebook data leak by entering your email or phone number in the search field.