Make sure to add us or contact us for the latest news

What Really Caused Facebook’s 500M-User Data Leak?

WIRED – SINCE SATURDAY, A massive trove of Facebook data has circulated publicly, splashing information from roughly 533 million Facebook users across the internet. The data includes things like profile names, Facebook ID numbers, email addresses, and phone numbers. It’s all the kind of information that may already have been leaked or scraped from some other source, but it’s yet another resource that links all that data together—and ties it to each victim—presenting tidy profiles to scammers, phishers, and spammers on a silver platter.

Facebook’s initial response was simply that the data was previously reported on in 2019 and that the company patched the underlying vulnerability in August of that year. Old news. But a closer look at where, exactly, this data comes from produces a much murkier picture. In fact, the data, which first appeared on the criminal dark web in 2019, came from a breach that Facebook did not disclose in any significant detail at the time and only fully acknowledged Tuesday evening in a blog post attributed to product management director Mike Clark.

One source of the confusion was that Facebook has had any number of breaches and exposures from which this data could have originated. Was it the 540 million records—including Facebook IDs, comments, likes, and reaction data—exposed by a third party and disclosed by the security firm UpGuard in April 2019? Or was it the 419 million Facebook user records, including hundreds of millions of phone numbers, names, and Facebook IDs, scraped from the social network by bad actors before a 2018 Facebook policy change, that were exposed publicly and reported by TechCrunch in September 2019? Did it have something to do with the Cambridge Analytica third-party data sharing scandal of 2018? Or was this somehow related to the massive 2018 Facebook data breach that compromised access tokens and virtually all personal data from about 30 million users?

In fact, the answer appears to be none of the above. As Facebook eventually explained in background comments to WIRED and in its Tuesday blog, the recently public trove of 533 million records is an entirely different data set that attackers created by abusing a flaw in a Facebook address book contacts import feature. Facebook says it patched the vulnerability in August 2019, but it’s unclear how many times the bug was exploited before then. The information from more than 500 million Facebook users in more than 106 countries contains Facebook IDs, phone numbers, and other information about early Facebook users like Mark Zuckerburg and US secretary of Transportation Pete Buttigieg, as well as the European Union commissioner for data protection, Didier Reynders. Other victims include 61 people who list the “Federal Trade Commission” and 651 people who list “Attorney General” in their details on Facebook.

You can check whether your phone number or email address were exposed in the leak by checking the breach tracking site HaveIBeenPwned. For the service, founder Troy Hunt reconciled and ingested two different versions of the data set that have been floating around.

“When there’s a vacuum of information from the organization that’s implicated, everyone speculates, and there’s confusion,” Hunt says.

The closest Facebook came to acknowledging the source of this breach previously was a comment in a fall 2019 news article. That September, Forbes reported on a related vulnerability in Instagram’s mechanism to import contacts. The Instagram bug exposed users’ names, phone numbers, Instagram handles, and account ID numbers. At the time, Facebook told the researcher who disclosed the flaw that the Facebook security team was “already aware of the issue due to an internal finding.” A spokesperson told Forbes at the time, “We have changed the contact importer on Instagram to help prevent potential abuse. We are grateful to the researcher who raised this issue.” Forbes noted in the September 2019 story that there was no evidence the vulnerability had been exploited, but also no evidence that it had not been.

In its blog post today, Facebook links to a September 2019 article from CNET as evidence that the company publicly acknowledged the 2019 data exposure. But the CNET story refers to findings from a researcher who also contacted WIRED in May 2019 about a trove of Facebook data, including names and phone numbers. The leak the researcher had learned about was the same one TechCrunch reported on in September 2019. And according to the September 2019 CNET story, it is the same one CNET was describing. Facebook told TechCrunch at the time, “This data set is old and appears to have information obtained before we made changes last year [2018] to remove people’s ability to find others using their phone numbers.” Those changes were aimed at reducing the risk that Facebook’s search and account-recovery tools could be exploited for mass scraping.

Data sets circulating in criminal forums are often mashed together, adapted, recombined, and sold off in different chunks, which can account for variations in their exact size and scope. But based on Facebook’s comment in 2019 that the data TechCrunch reported on was from mid-2018 or earlier, it seems not to be the currently circulating data set. The two troves also have different attributes and numbers of users impacted in each region. Facebook declined to comment for the September 2019 CNET story.

If all of this feels exhausting to sort through, it’s because Facebook went days without giving a substantive answer and has left open some degree of confusion.

“At what point did Facebook say, ‘We had a bug in our system, and we added a fix, and therefore users might be affected’?” says former Federal Trade Commission chief technologist Ashkan Soltani. “I don’t remember ever seeing Facebook say that. And they’re kind of stuck now, because they apparently didn’t do any disclosure or notification.”

Before its blog acknowledging the breach, Facebook pointed to the Forbes story as evidence that it publicly acknowledged the 2019 Facebook contact importer breach. But the Forbes story is about a similar yet seemingly unrelated finding in Instagram versus main Facebook, which is where the 533-million-user leak comes from. And Facebook admits that it did not notify users that their data had been compromised individually or through an official company security bulletin.

The Irish Data Protection Commission said in a statement on Tuesday that it “received no proactive communication from Facebook” regarding the breach.

“Previous data sets were published in 2019 and 2018 relating to a large-scale scraping of the Facebook website, which at the time Facebook advised occurred between June 2017 and April 2018 when Facebook closed off a vulnerability in its phone look-up functionality,” according to the timeline the commission put together. “Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR. The newly published data set seems to comprise the original 2018 (pre GDPR) data set and combined with additional records, which may be from a later period.”

Facebook says it did not notify users about the 2019 contact importer exploitation precisely because there are so many troves of semipublic user data—taken from Facebook itself and other companies—out in the world. Additionally, attackers needed to supply phone numbers and manipulate the feature to spit out the corresponding name and other data associated with it for the exploit to work, which Facebook argues means that it did not expose the phone numbers itself. “It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019,” Clark wrote Tuesday. The company aims to draw a distinction between exploiting a weakness in a legitimate feature for mass scraping and finding a flaw in its systems to grab data from its backend. Still, the former is a vulnerability exploitation.

We’re here to help you navigate the Dark Web and whether you have been exposed. Reach out today for us to help you discover if you are on the Dark Web.

Dark Web ID’s Top Threats This Week


United States – The New York Foundling

Exploit: Unsecured Database

The New York Foundling: Children’s Charity

cybersecurity news represented by agauge showing severe risk

Risk to Business: 1.662= Severe

The New York Foundling, a venerable children’s charity, has had a significant data exposure. Researchers discovered an unsecured database contained more than 2,000 CSV and TXT files, each with hundreds or thousands of entries related to patients’ medical records, children’s legal guardians, case workers, doctors, and other child welfare specialists.

cybersecurity news represented by agauge showing severe risk

Individual Risk : 1.707 = Severe

At least 13,000 entries on medical procedures including vaccines, diagnostic tests, patient IDs, referral details, chart notes with descriptions and patient IDs. Another 7,000 entries for patients are in the trove, including: patient names and birthdates, parent/guardian names and phone numbers and insurance or agency information. A TXT file containing SSNs and what appears to be IDs, but without names or other identifying information is in the mix. Employee information is also included with staff names, ID numbers and other details.

Customers Impacted: Unknown

How It Could Affect Your Business: Making simple, avoidable blunders like this is a tragedy. Not only have many families had data exposed, but this charity hospital will also be paying huge HIPAA fines.

IntegraMSP to the Rescue: Make sure that everyone on the IT team is up to date on today’s threats and ready for tomorrow’s with the tips and tricks in “The Security Awareness Champion’s Guide“. GET THIS FREE BOOK>>

United States – Facebook

Exploit: Hacking

Facebook: Social Media Company

cybersecurity news represented by agauge showing severe risk

Risk to Business: 1.627 = Severe

A treasure trove of Facebook user data landed in a hacking forum over the weekend. Hackers dropped a slew of PII on Facebook users including phone numbers and some contact information of hundreds of millions of users for free online. A Facebook spokesperson told Insider that the data was scraped due to a vulnerability that the company patched in 2019.

cybersecurity news represented by agauge showing severe risk

Individual Risk: 1.627 = Severe

This fresh dump of exposed data includes various PII for over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK and 6 million on users in India. Exposed data includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios and email addresses. This information can be used to mount spear phishing and brand impersonation schemes.

Customers Impacted: 533 million

How it Could Affect Your  Business Cybercriminals will love this windfall. Data like this lives forever on the dark web, providing ammunition for future cyberattacks and fraud.

IntegraMSP to the Rescue: Dark Web ID alerts businesses to credential compromise fast, giving them the edge to fix vulnerabilities before the bad guys even know they’re there. LET US SHOW YOU>>

United States – University of Maryland Baltimore (UMB)

Exploit: Ransomware

University of Maryland Baltimore (UMB): Institution of Higher Learning

cybersecurity news represented by agauge showing severe risk

Risk to Business: 2.412 = Severe

The Clop ransomware gang had a banner week. UMB is one of at least 6 US colleges that they’ve hit successfully in the past week after gaining access to systems at data transfer and processing behemoth Accellion in late 2020. Here’s the full list of impacted colleges. At UMB, the gang snatched an assortment of student and staff data including federal tax documents, requests for tuition remission paperwork, applications for the Board of Nursing, passports, ID data and tax summary documents.

cybersecurity news represented by agauge showing severe risk

Individual Risk: 2.309 = Severe

The saff data featured lists of individuals and their Social Security numbers, retirement documentation, and 2019/2020 benefit enrollment and adjustment requests. In the student data batch, the gang scored photos, dates of birth, home addresses, passport numbers, immigration status, names of individuals and Social Security numbers.

Customers Impacted: Unknown

How it Could Affect Your Business: This is a textbook illustration of what happens when one of your business partners, suppliers or service providers has a data breach – cybercriminals get a le up on breaking into your systems too.

IntegraMSP to the Rescue: Mitigate the risk of doing business in today’s interconnected world with the expert advice in the ebook “Breaking Up with Third-Party and Supply Chain Risk“. DOWNLOAD IT>>

United States – 200 Networks LLC

Exploit: Unsecured Database

200 Networks LLC: Call Center Operator

cybersecurity news represented by agauge showing severe risk

Risk to Business: 2.412 = Severe

A wide-open database belonging to 200 Networks was discovered by security researchers just leaking information freely. The data included logs for at least 1.48 million robocalls The dataset was exposed for almost 24 hours and the database kept growing in real-time as business continued adding thousands of fresh calls and records to the mix every hour. The exposed record contained only swatches of data on the callers but included extensive inside information for the company including technical data.

Individual Impact: No sensitive personal or financial information was announced as impacted in this incident, but the investigation is ongoing.

Customers Impacted: 1.48 million

How it Could Affect Your Business: Failing to protect the secrets of your success is problematic for any business. This information will likely make its way to the dark web quickly.

IntegraMSP to the Rescue: Dark web danger is growing for businesses as millions of records landing in dark web markets create new vulnerabilities. PROTECT YOUR BUSINESS>>

1 – 1.5 = Extreme Risk

1.51 – 2.49 = Severe Risk

2.5 – 3 = Moderate Risk

Risk scores for The Week in Breach are calculated using a formula that considers a wide range of factors related to the assessed breach.


Scroll to Top