Leaked information includes phone number, Facebook ID, full name, location, past locations, birthdate, email address, relationship status, and bio.
According to a security analyst, sensitive personal information for over half a billion Facebook users was leaked on a well-trafficked hacking forum earlier today — a potential risk to millions of cryptocurrency traders and hodlers who may now be vulnerable to SIM swapping and other identity-based attacks.
The trove of information was first discovered by Alon Gal, CTO of security firm Hudson Rock, who posted on Twitter about the leak earlier today:
All 533,000,000 Facebook records were just leaked for free.
This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked.
I have yet to see Facebook acknowledging this absolute negligence of your data. https://t.co/ysGCPZm5U3 pic.twitter.com/nM0Fu4GDY8
— Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
According to Gal, the leak is related to a security vulnerability first discovered in 2019. In January 2021, it became known that hackers were able to use the information to access users' phone numbers; the leak has now expanded to include “Phone number, Facebook ID, Full name, Location, Past Location, Birthdate, (Sometimes) Email Address, Account Creation Date, Relationship Status, Bio.”
According to Gal, the information could now enable hackers and scammers to deploy a variety of social manipulation exploits and other nefarious tactics:
“Bad actors will certainly use the information for social engineering, scamming, hacking and marketing.”
Cryptocurrency users are at particular risk of such attacks. Earlier this year, a victim of a SIM-swapping attack sued mobile phone company T-Mobile for $450,000, and in 2018 Kaspersky Labs found that hackers were able to steal 21,000 ETH, currently worth over $43 million, in social engineering attacks over a 12-month period.
The data breach is also orders of magnitude larger than the Ledger breach late last year. Shortly after over 270,000 users’ information was leaked online, users reported extortionist threats and considered lawsuits against the hardware wallet company.