Facebook users’ leak – just another thread … the same data observed in 2019.

Another leak with approximately 533 million Facebook users was published online and harvested by criminals in 2019 using a disclosed vulnerability.

But, can we consider this leak something new?  No! 


In early 2020 a vulnerability that enabled seeing the phone number linked to every Facebook account was exploited, creating a database containing the information of 533m users across all countries.


The leaked data includes full names, Facebook IDs, mobile numbers, locations, email addresses, gender, occupation, city, country, marital status broken, account creation date, and other profile details down by country. In addition, over 32 million records belonging to users in the U.S., 11 million users in the U.K., six million users in India,  and 2 million in Portugal, among others.

In detail, the data includes user details from 106 countries. Additionally, the data seems to have been obtained by exploiting a vulnerability in 2019 that enabled automated scripts to scrape Facebook users’ public profiles and associated private phone numbers en masse. The flaw has since been fixed by Facebook.

Figure 1: Facebook users’ data leaked in April 2019.


A compilation was also published in December 2020 in the Italian language – and because of this, we cannot consider this data something new now.

Figure 2: Facebook leak in the Italian language – December 2020.


In this new leak (April 2021), the data appears to have been normalized by criminals as we can see in the Portuguese leak below. As observed in Figure 3, the number of lines is the same – 2277361, containing the same users, including their data seen in the past.

Figure 3: Data leak 2019 vs 2021 – The same users, compromised data, just another thread.


“This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019,” said Liz Bourgeois, Facebook’s director of strategic response communications, in a Saturday tweet.


2.277.361 Facebook users were compromised in this data breach.  From the total, 25.324 emails in the Portuguese dataset were also leaked, with the DOMAIN TOP 50 used by the Portuguese users listed below.

10646 hotmail.com
 9336 gmail.com
 1235 sapo.pt
  819 live.com.pt
  304 yahoo.com
  175 msn.com
  171 iol.pt
  157 outlook.pt
  148 netcabo.pt
  114 remax.pt
  108 outlook.com
   84 live.com
   74 yahoo.com.br
   51 clix.pt
   38 mail.ru
   38 icloud.com
   34 portugalmail.pt
   30 hotmail.co.uk
   29 hotmail.fr
   25 kwportugal.pt
   24 mail.telepac.pt
   22 yahoo.co.uk
   22 netmadeira.com
   19 me.com
   18 century21.pt
   15 netvisao.pt
   12 portugalmail.com
   12 iadportugal.pt
   11 ymail.com
   11 yahoo.fr
   11 mail.com
   10 googlemail.com
   10 decisoesesolucoes.com
   10 adv.oa.pt
    9 hotmail.es
    9 aeiou.pt
    9 abv.bg
    8 vodafone.pt
    8 net.sapo.pt
    8 mac.com
    7 mail.pt
    7 era.pt
    6 zonmail.pt
    6 yahoo.es
    6 ua.pt
    6 hotmail.com.br
    6 entreportas.pt
    5 yahoo.in
    5 live.fr
    5 hotmail.de


Old data or not, the fact that the data appears to have been obtained by scraping Facebook profiles further complicates the company’s equation with privacy. Facebook users are now their data available online without their consent.

Even though this dump appears to have sold in criminal communities at least since last year, several Telegram bot appeared on the scene earlier this January allowed users to look up a phone number and receive the corresponding user’s Facebook ID.

Figure 4: Telegram bot allowing to lookup a phone number (source).


The data has been also spread on several hacking groups since December 2020 (Telegram, Signal, WhatsApp, etc), an indicator that data is now in the tentacles of criminals’ gangues and ready to be used in massive attacks.

Figure 5: Facebook data published on several hacking groups online for free (Telegram groups, Signal, WhatsApp, etc).


In sum, criminals have the opportunity of using the leaked data to perform malicious activities such as social engineering schemas, marketing scams, and other cybercrime. With a large volume of valid phone numbers, smishing attacks can be used to send fake data that seems legitimate to victims.

Share phishing or malware suspicions/ongoing campaigns with us via the form available here, or by submitting it to the 0xSI_f33d – a feed that compiles fraudulent campaigns in Portugal.