Another leak with approximately 533 million Facebook users was published online and harvested by criminals in 2019 using a disclosed vulnerability.
But, can we consider this leak something new? No!
All 533,000,000 Facebook records were just leaked for free.
This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked.
I have yet to see Facebook acknowledging this absolute negligence of your data. https://t.co/ysGCPZm5U3 pic.twitter.com/nM0Fu4GDY8
— Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
In early 2020 a vulnerability that enabled seeing the phone number linked to every Facebook account was exploited, creating a database containing the information of 533m users across all countries.
The leaked data includes full names, Facebook IDs, mobile numbers, locations, email addresses, gender, occupation, city, country, marital status broken, account creation date, and other profile details down by country. In addition, over 32 million records belonging to users in the U.S., 11 million users in the U.K., six million users in India, and 2 million in Portugal, among others.
In detail, the data includes user details from 106 countries. Additionally, the data seems to have been obtained by exploiting a vulnerability in 2019 that enabled automated scripts to scrape Facebook users’ public profiles and associated private phone numbers en masse. The flaw has since been fixed by Facebook.
Figure 1: Facebook users’ data leaked in April 2019.
A compilation was also published in December 2020 in the Italian language – and because of this, we cannot consider this data something new now.
Figure 2: Facebook leak in the Italian language – December 2020.
In this new leak (April 2021), the data appears to have been normalized by criminals as we can see in the Portuguese leak below. As observed in Figure 3, the number of lines is the same – 2277361, containing the same users, including their data seen in the past.
Figure 3: Data leak 2019 vs 2021 – The same users, compromised data, just another thread.
“This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019,” said Liz Bourgeois, Facebook’s director of strategic response communications, in a Saturday tweet.
2.277.361 Facebook users were compromised in this data breach. From the total, 25.324 emails in the Portuguese dataset were also leaked, with the DOMAIN TOP 50 used by the Portuguese users listed below.
10646 hotmail.com
9336 gmail.com
1235 sapo.pt
819 live.com.pt
304 yahoo.com
175 msn.com
171 iol.pt
157 outlook.pt
148 netcabo.pt
114 remax.pt
108 outlook.com
84 live.com
74 yahoo.com.br
51 clix.pt
38 mail.ru
38 icloud.com
34 portugalmail.pt
30 hotmail.co.uk
29 hotmail.fr
25 kwportugal.pt
24 mail.telepac.pt
22 yahoo.co.uk
22 netmadeira.com
19 me.com
18 century21.pt
15 netvisao.pt
12 portugalmail.com
12 iadportugal.pt
11 ymail.com
11 yahoo.fr
11 mail.com
10 googlemail.com
10 decisoesesolucoes.com
10 adv.oa.pt
9 hotmail.es
9 aeiou.pt
9 abv.bg
8 vodafone.pt
8 net.sapo.pt
8 mac.com
7 mail.pt
7 era.pt
6 zonmail.pt
6 yahoo.es
6 ua.pt
6 hotmail.com.br
6 entreportas.pt
5 yahoo.in
5 live.fr
5 hotmail.de
Old data or not, the fact that the data appears to have been obtained by scraping Facebook profiles further complicates the company’s equation with privacy. Facebook users are now their data available online without their consent.
Even though this dump appears to have sold in criminal communities at least since last year, several Telegram bot appeared on the scene earlier this January allowed users to look up a phone number and receive the corresponding user’s Facebook ID.
Figure 4: Telegram bot allowing to lookup a phone number (source).
The data has been also spread on several hacking groups since December 2020 (Telegram, Signal, WhatsApp, etc), an indicator that data is now in the tentacles of criminals’ gangues and ready to be used in massive attacks.
Figure 5: Facebook data published on several hacking groups online for free (Telegram groups, Signal, WhatsApp, etc).
In sum, criminals have the opportunity of using the leaked data to perform malicious activities such as social engineering schemas, marketing scams, and other cybercrime. With a large volume of valid phone numbers, smishing attacks can be used to send fake data that seems legitimate to victims.
Share phishing or malware suspicions/ongoing campaigns with us via the form available here, or by submitting it to the 0xSI_f33d – a feed that compiles fraudulent campaigns in Portugal.
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also Freelance Writer (Infosec. Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.
Read more here.