Facebook

Data breach notification service Have I Been Pwned can now be used to check if your personal information was exposed in yesterday’s Facebook data leak that contains the phone numbers and information for over 500 million users.

Yesterday, a threat actor released the personal information for 533,313,128 Facebook users on a hacking forum, including mobile numbers, name, gender, location, relationship status, occupation, date of birth, and email addresses.

This data was originally sold in private sales after being collected in 2019 using a bug in the ‘Add Friend’ feature on Facebook. Facebook had closed this vulnerability soon after it was discovered, but threat actors continued to circulate the data until it was finally released practically for free ($2.19) yesterday. 

Since then, Troy Hunt has added the leaked data to his Have I Been Pwned data breach notification service to help users determine if a Facebook member’s data was exposed in the leak.

For those not familiar with Have I Been Pwned, it is an excellent resource that indexes data exposed in data breaches so that users can input their email address and list the data breaches that exposed their data.

To check if the Facebook leak included your email address, you can visit Have I Been Pwned and enter your email address in the search field. Once you click the ‘pwned?’ button, a list of all the data breaches the email was exposed will be displayed.

For example, below, I searched using an email address known to have been exposed in yesterday’s Facebook leak. As you can see, Have I Been Pwned reports that the email was found in the Facebook data released yesterday.

Have I Been Pwned showing exposed Facebook user
Have I Been Pwned showing exposed Facebook user

Unfortunately, the most common user identifiable field in yesterday’s Facebook leak is phone numbers. However, only 2.5 million out of the 533 million Facebook member records also included an email address.

Due to this, if you search for your email address and Have I Been Pwned does not return a matching result, you could still be part of yesterday’s leak.

Troy has tweeted that he is looking into how users can input phone numbers to see if they were exposed in the Facebook leak.

“That’s the email addresses loaded,” Hunt tweeted yesterday. “I’m still considering what to do with the phone numbers.”

As more information becomes available, BleepingComputer will update this article.