Have I Been Pwned Adds Search for Leaked Facebook Data

Over the past weekend, data from 533,313,128 Facebook users was published on the dark web. This dump includes phone numbers, names, Facebook IDs, email addresses, location information, gender, date of birth, workplace, and other details that may have been present in social network profiles. What set this leak apart was that it contained not only data from public profiles but also phone numbers linked to these accounts.

According to cybersecurity experts, back in 2019, attackers exploited a vulnerability related to the “Add Friend” feature, which allowed them to access phone numbers. This bug has long since been fixed. Facebook representatives confirmed the leak but stated that “these are old data that were previously reported in 2019.”

In a recent statement from the company, Facebook said the leak was not due to a vulnerability or hack, but rather standard data scraping. In other words, in 2019, scammers who “intentionally violated the platform’s policies” simply collected information from users’ public profiles by abusing the contact import feature.

The data breach aggregator Have I Been Pwned has already added this leak to its database, so anyone can check whether they were affected. Initially, searches were possible only by email address, but just 2.5 million of the 533 million records included one. As a result, searching by email address often yielded no results.

Ultimately, the site’s founder, Troy Hunt, added the ability to search by phone number on HIBP, although this was a non-trivial task due to the variety of phone number formats. To search by phone number, you need to include the country and region code, as shown in the illustration below.
