Massive data theft on Facebook: 533 million users’ personal data is leaked online
If you’re a Facebook user, beware: your mobile number and email address may have been leaked online. That is what has happened to 533 million users, whose personal data has been stolen and leaked for free on the internet.
The danger is enormous, as anyone can get that data and use it, for example, to impersonate those users. The theft affects users in 106 countries, and the leaked information includes Facebook IDs, mobile numbers, addresses, biographies and, in some cases, email addresses.
Nearly 11 million Spanish users affected by theft
Facebook claims that the vulnerability that caused this massive data theft was already fixed in August 2019 and spoke of “old data”, but the amount of leaked data is still huge, and the fact that it is still valid makes it a real threat to everyone affected.
Troy Hunt, a cybersecurity expert known for running the Have I Been Pwned site, noted that he has found 2.5 million email addresses in the leaked data: although that is a small percentage relative to the scale of the theft, it is still a lot of email addresses.
That information, as he explains, can be used for phishing attacks, for which having the victim’s email address and phone number is enough for cybercriminals.
As Alon Gal, head of the cybersecurity company Hudson Rock, explained, nearly 11 million users in Spain (10,894,206 in particular) are part of that leak, while the most affected countries are Egypt (44.8 million), Tunisia (39.5 million), Italy (35.6 million) and the United States (32.3 million).
The proportion of emails among Facebook users in Spain is equally small: as Xataka has learned, of these almost 11 million records, some 75,500 have an email address associated with them.
This has been coming to light for a few months: in January a Telegram bot appeared that let users enter a Facebook ID and returned the phone number associated with that ID if a match existed.
Where did they get that data and how?
The data had already surfaced in June 2020, when a member of a hacking forum put it up for sale. Unlike that listing, these days the data can be obtained for free, and anyone can easily search it because it is in plain text.
That data appears to come from a theft that occurred in April 2019 and that researchers from the security company UpGuard discovered. The data was available on a public server that took months to patch.
The 146 GB file contained about 540 million records and was one of the largest in a worrying history of data thefts at Facebook.
Just the previous month it had been discovered that Facebook stored passwords for hundreds of millions of accounts in plain text, and although only employees of the company had access to that file, the discovery was disturbing.
Changing passwords and enabling two-step authentication can avoid many future scares
Hunt has already included those email addresses in his database, which means it is enough to visit his website and enter our email address in the search box to find out whether that address is part of the data theft.
If so, the recommendation is to change the Facebook password and even the email account password, a process that a good password manager helps simplify and secure, and to add two-step authentication to those accounts (and to other services that are important to us).
This last tip comes with an important consideration: if possible, do not use SMS as the two-step authentication method; it is much better to use an app such as Google Authenticator or Microsoft Authenticator for that purpose.