While the information appears to be several years old, it’s another example of the enormous amount of information gathered by Facebook and other social media sites, and of the limits to how secure that information is. The availability of the data set was first reported by Business Insider. According to that publication, it has information from 106 countries, including phone numbers, Facebook IDs, full names, locations, birthdates, and email addresses.
“The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India,” according to Insider. “It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and — in some cases — email addresses.”
If that 533 million number sounds familiar to you, that’s because this information is apparently from the same dataset that people could pay for portions of using a Telegram bot, which Motherboard reported on in January. Now, though, it appears that those who want to get their hands on the data won’t have to pay anything at all.
Facebook has been fighting data security issues for years. In 2018, the social media giant disabled a feature that allowed users to search for one another via phone number following revelations that the political firm Cambridge Analytica had accessed information on up to 87 million Facebook users without their knowledge or consent.
In December 2019, a Ukrainian security researcher reported finding a database with the names, phone numbers, and unique user IDs of more than 267 million Facebook users—nearly all U.S.-based—on the open internet. It’s unclear if the current data dump is linked to this database. “This is old data that was previously reported on in 2019,” the Menlo Park, California-based company said in a statement. “We found and fixed this issue in August 2019.”
Troy Hunt, the creator of the Have I Been Pwned database, said on Saturday that “I haven’t seen anything yet to suggest this breach isn’t legit.” In the data, he found only about 2.5 million unique email addresses (which is still a lot!), but apparently, “the greatest impact here is the phone numbers.” Here’s what that might mean, in Hunt’s words: "But for spam based on using phone numbers alone, it's gold. Not just SMS, there are heaps of services that just require a phone number these days and now there are hundreds of millions of them conveniently categorized by country with nice mail merge fields like name and gender."