TR-62 - Leak of Facebook Data from 533 Million Users

Overview

On Saturday 3rd April 2021, a leak of Facebook records (533 million users) became publicly accessible on a leak-market forum. The leak contains information such as mobile phone numbers, Facebook ID, first names, last names, location and additional information such as date of birth or workplace. There are 188201 entries for Luxembourg. Facebook mentioned that the vulnerability used to extract the information was reported and fixed in 2019.

Risks

Such leaks can be useful to many criminals or threat actors for conducting various attacks or fraud, such as phishing, vishing or social engineering. Vishing is a technique using voice or SMS services to conduct phishing attacks. Phones are also used by various services for password recovery, and this could be used to gather additional information from the existing data leak.

Recommendations

  • Be careful with any suspicious SMS messages or voice calls. Don’t take any action in such a call, such as revealing personal information or acting on manual authentication requests
  • Don’t link a professional mobile phone with personal accounts
  • If you are not expecting any specific calls, discarding the call is usually the best option
  • If your phone was associated with an anonymous account, change your phone number
  • If you want to set up two-factor authentication, the recommended order is hard token first, then soft token, with phone number as a last resort

Potential records in the leak

Name            Position  Notes
Phone number    1         (including International code)
Facebook ID     2
First Name      3
Last Name       4
Sex             5         male, female
City?           6
Province        7
Marital Status  8
Workplace       9
Creation date   10
Email           11
DoB             12

Depending on the original profile of the user, some of the fields might not be present. Phone number, Facebook ID, First Name and Last Name are always present.
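
The record layout above can be used by an organisation to check which of its own phone numbers appear in such a data set and which optional fields are exposed alongside them. The following is an added example, not part of the original advisory: the `|` separator, the function names and the sample records are assumptions constructed for illustration, since the page does not describe the file encoding.

```python
import re

# Field order from the "Potential records in the leak" table (positions 1-12).
FIELDS = ["phone", "facebook_id", "first_name", "last_name", "sex", "city",
          "province", "marital_status", "workplace", "creation_date",
          "email", "dob"]
ALWAYS_PRESENT = FIELDS[:4]   # per the page: these four are always present
OPTIONAL = FIELDS[4:]

def normalize_phone(value):
    """Reduce a number to digits with international code, no '+' or '00'."""
    digits = re.sub(r"\D", "", value)
    return digits[2:] if digits.startswith("00") else digits

def parse_record(line, sep="|"):
    """Map one delimited record to named fields; empty fields become None.
    The separator is an assumption: the page does not describe one."""
    parts = [p.strip() for p in line.rstrip("\r\n").split(sep)]
    if len(parts) > len(FIELDS):
        raise ValueError("too many fields")
    parts += [""] * (len(FIELDS) - len(parts))  # optional tail may be absent
    record = {name: (val or None) for name, val in zip(FIELDS, parts)}
    missing = [f for f in ALWAYS_PRESENT if record[f] is None]
    if missing:
        raise ValueError(f"missing mandatory fields: {missing}")
    record["phone"] = normalize_phone(record["phone"])
    return record

def exposure_report(lines, own_numbers, sep="|"):
    """For numbers the organisation owns, list which optional fields leaked."""
    wanted = {normalize_phone(n) for n in own_numbers}
    report = {}
    for line in lines:
        try:
            rec = parse_record(line, sep)
        except ValueError:
            continue  # skip malformed lines rather than abort the whole check
        if rec["phone"] in wanted:
            report[rec["phone"]] = [f for f in OPTIONAL if rec[f] is not None]
    return report

# Constructed sample records (not real data).
SAMPLE = [
    "352621000001|100000000000001|Alice|Example|female|Luxembourg||||2015-01-01|alice@example.org|1990-01-01",
    "352621000002|100000000000002|Bob|Example",
    "|100000000000003|Broken|Line",
]
OWN_NUMBERS = ["+352 621 000 001", "00352621000002", "+352 621 000 009"]
```

Numbers that come back with `email` or `dob` in their list are the ones to prioritise when warning staff, since those fields support more convincing phishing and account-recovery attempts.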

Facebook statement about the leak

Facebook released a statement and explained that the malicious actors obtained this data not through hacking their systems but by scraping it from their platform. Facebook believes the data was scraped by malicious actors abusing the contact importer feature. They changed the contact importer feature to mitigate the issue in 2019.

Classification of this document

  • TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 - TLP:WHITE - First version - 6th April 2021
  • Version 1.1 - TLP:WHITE - Facebook statement added - 7th April 2021