Another Facebook Data Breach? Here’s What You Need to Know!


  • In 2019, cybercriminals abused a vulnerability in Facebook’s contact-import feature, which looks up a user’s friends by phone number.
  • By feeding it phone numbers in bulk, they collected information on 533 million Facebook users across 106 countries, and that data has now been exposed to the public.
  • Facebook has since patched the vulnerability, but the scraped information is now circulating on hacking forums and other sites. According to CNN, the exposed information includes users’ phone numbers, Facebook IDs, full names, locations, birth dates, bios and, in some cases, email addresses.

Facebook is a social media platform that many of us either love or hate. On one side of the spectrum, Facebook lets users stay in contact with friends, family and loved ones across many generations. As the largest social media platform in the world, with more than 2.6 billion monthly users, it is a place where you are almost guaranteed to find long-lost friends. On the other side, the social networking service has been dogged by privacy complaints and data breaches, and has been considered a major source of misinformation and disinformation over the years. Whether you love Facebook or not, this week’s post focuses on the latest Facebook data breach and what you need to do to stay one step ahead of cybercriminals.

What Happened?

On April 3rd, 2021, a user on a low-level hacking forum published the personal information of hundreds of millions of Facebook users for the low, low price of $0.00. The data included the phone numbers, Facebook IDs, full names, locations, birth dates, bios and, in some cases, email addresses of the exposed users (roughly 2.5 million email addresses among 533 million records in total). Security researchers reviewed samples of the leaked data and confirmed that several records did belong to well-known Facebook users: the phone numbers listed matched the corresponding Facebook IDs, and the email addresses listed were the real addresses of the users in question.

Business Insider published articles detailing the data breach on April 3rd and April 6th, 2021. Facebook ultimately responded to the incident, but downplayed its significance, stating: “We have teams dedicated to addressing these kinds of issues and understand the impact they can have on the people who use our services. It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019.” Beyond that quoted statement on the Facebook Newsroom page, the company made no effort to notify the affected users of its platform about the issue. In fact, many of you reading this article probably learned about the incident from this post or from another site, not from Facebook.

What Is the Big Issue?

Have you recently received a sudden influx of calls flagged as “Scam Likely”, or from some other spoofed number? The Facebook data breach may be partly to blame. Data sets like this are extremely valuable to cybercriminals, who use the personal information to impersonate or scam their victims. An attacker could simply feed every number in the leak to an automated robo-dialing bot. The data could also fuel phishing campaigns in which the attacker poses as Facebook support to get a user to divulge sensitive information, and the leaked name, birth date and Facebook ID make such a message far more convincing than a generic one. Finally, the exposed data is ready-made material for SMS, phone and email spam.

What Can I Do?

First, check whether your information was included in this data breach. Troy Hunt, the world-renowned security researcher behind Have I Been Pwned, has updated his site so that users can enter a phone number or email address and see whether it appears in the Facebook data, or in any other breach the site tracks. The information you enter is not stored; it is only compared against breach records already in the Have I Been Pwned data store. The Have I Been Pwned privacy policy can be reviewed here. Keep in mind that passwords were not part of this leak, so the main risk is impersonation and phishing rather than direct account takeover. Even so, if your data was exposed, reset your Facebook password to a strong, unique one of at least 12-15 characters (a passphrase, or one generated by a password manager, mixing letters, numbers and special characters such as ! @ #). Enable two-factor authentication, preferring an authenticator app or hardware security key over SMS codes, since your phone number is now in attackers’ hands and SMS codes can be intercepted through SIM-swap scams. Make sure you are not reusing that password on other accounts, and enroll your mobile device in your service provider’s spam-call filtering service.
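To make the “not stored, only compared” lookup concrete, here is a small self-check tool written as an added example for this post; it is not Have I Been Pwned’s code, and the three leak records in it are constructed (fictional 555 numbers and example.com addresses), as is the assumption that scraped records hold phone numbers as country code plus national digits. It shows the two things a practitioner actually has to get right: folding the many ways people write a phone number or email into one canonical form, and keeping only hashes of the identifiers so the query itself is never written anywhere.

```python
import hashlib
import re

# Constructed sample of scraped records (fictional data; 555 numbers are reserved
# for fiction). Phone numbers are stored as country code + national number,
# which is an assumption about the leak's format, not a fact from the post.
SAMPLE_LEAK = [
    {"phone": "15555550123", "fb_id": "100000000000001",
     "name": "Alice Example", "email": "alice@example.com"},
    {"phone": "447555012345", "fb_id": "100000000000002",
     "name": "Bob Example", "email": ""},
    {"phone": "15555550199", "fb_id": "100000000000003",
     "name": "Carol Example", "email": "carol@example.org"},
]


def normalize_phone(raw: str, default_country_code: str = "1") -> str:
    """Fold a phone number into country code + national digits (E.164 without '+').

    '+1 (555) 555-0123', '001 555 555 0123' and '(555) 555-0123' must all become
    '15555550123' or the lookup will silently miss. The 10-digit and leading-0
    rules are assumptions (NANP-style and UK-style national formats)."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return digits                      # already international
    if digits.startswith("00"):
        return digits[2:]                  # international dialling prefix
    if len(digits) == 10:
        return default_country_code + digits               # national, no trunk prefix
    if len(digits) == 11 and digits.startswith("0"):
        return default_country_code + digits[1:]           # drop trunk '0'
    return digits


def normalize_email(raw: str) -> str:
    """Case-fold and trim; mailbox comparison in the leak is by exact string."""
    return raw.strip().lower()


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_index(records):
    """Index only SHA-256 digests of the identifiers. The lookup side never needs
    the plaintext phone numbers or emails, only the hash -> record id mapping."""
    index = {}
    for rec in records:
        if rec.get("phone"):
            index[_digest("phone:" + normalize_phone(rec["phone"]))] = rec["fb_id"]
        if rec.get("email"):
            index[_digest("email:" + normalize_email(rec["email"]))] = rec["fb_id"]
    return index


def check(index, phone=None, email=None, default_country_code="1"):
    """Return the matching record id, or None.

    The query is normalized and hashed in memory and then discarded: nothing is
    added to the index and nothing is logged, which is the property the post
    describes for Have I Been Pwned's search."""
    if phone:
        key = _digest("phone:" + normalize_phone(phone, default_country_code))
        if key in index:
            return index[key]
    if email:
        key = _digest("email:" + normalize_email(email))
        if key in index:
            return index[key]
    return None


if __name__ == "__main__":
    idx = build_index(SAMPLE_LEAK)
    for q in ["+1 (555) 555-0123", "(555) 555-0123", "555-555-0100"]:
        print(q, "->", check(idx, phone=q))
    print("Alice@Example.com ->", check(idx, email="Alice@Example.com"))
```

Normalization is where such tools usually go wrong: a query written as “(555) 555-0123” must hit the same record as “+1 555 555 0123”, and a case-different email must still match. Hashing the identifiers with a field prefix (“phone:”, “email:”) keeps a phone number from ever colliding with an email of the same bytes, and means a leaked copy of the index alone does not hand out plaintext contact details.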

Standard social media hygiene goes a long way as well: limit what you share, avoid sharing your location or “checking in” unless necessary, and review your privacy settings regularly.

Have any questions about the latest Facebook data breach or social media best practices? Contact us and we will be glad to assist you with your security needs! Do not forget to click here to subscribe to our weekly newsletter for more information security related tips and tricks.
