Last Saturday, cybersecurity professional Alon Gal alerted the public via Twitter that a Facebook data leak had made 533 million personal records available online “for free.” At over half a billion, that’s more than the combined populations of the United States (328 million), the UK (66 million), and Canada (37 million). Facebook told the press the database came from a 2019 security hole that exposed user phone numbers and IDs, and that the issue was fixed at the time. This may or may not be true, because Facebook has now admitted this is one of two ginormous breaches that occurred in 2019. One exposed 419 million users; this one exposed 533 million.
If that date is accurate, then the data has been circulating for at least two years. It may also include decidedly more than simply phone numbers and Facebook IDs.
Alon Gal’s tweets said user phone numbers were exposed, but a closer look at screenshots shows the leak includes other information as well: names, birth dates, email addresses, locations, gender, relationship status, Facebook IDs, and phone numbers. Since the data also included user bios, it occasionally revealed job, school, or workplace information.
Even if that data is several years old, some of it doesn’t change regularly, if at all. Some security pros have noted and detailed on social media that the leak contains at least some current data. Anyone can download the cache of information.
The risks are bigger than you may think
Even if a substantial number of the compromised accounts were fake, the leak still puts an almost inconceivable number of people at risk. This kind of leak can enable identity theft, as well as phishing attacks for ransomware, or one-click malware to steal logins and passwords. It also puts everyone at risk for doxxing.
Women on Facebook are particularly at risk now for stalking, harassment, abuse, and worse. For instance, Pew estimates that 7 in 10 U.S. adults (69%, or 226 million) use Facebook. If half are female, and we know one in four women experience domestic violence — that’s a little over 56 million American women at greater risk if they’re in the database. There’s also substantial risk for people who don’t want their gender revealed, such as people in transgender populations.
We can expect Facebook to downplay the effects of the leak, but there are simple steps you can and should take to make sure your data is secure.
Here’s what you can do
Go to haveibeenpwned.com. It is a safe place to check and see if you are in the database. Enter your email address to see if your email is in the Facebook dump. This won’t tell you what other info is exposed, but you will know you’re in the exposed data set. Enter your phone number as well. You’ll want to check both in case your data is included, but incomplete.
If your email is in the breach, first go change your Facebook password and enable two-factor authentication. Visit other accounts that use the same email address as your login, and change the passwords there too. Turn on extra security steps if they are available. Do the same for accounts that use your phone number as a login.
Once your accounts are secured, be vigilant about not clicking unknown links, look out for phishing emails (and texts or calls), and familiarize yourself with the warning signs of identity theft. Turn off open messaging if you may be at risk for harassment.
This is an unprecedented exposure of user accounts, so what happens to Facebook — and to us — in the aftermath remains to be seen.