Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Facebook Privacy

Information On Half Billion Facebook Users Leaked Online (businessinsider.com) 48

Slashdot reader quonset quotes Business Insider: A user in a low level hacking forum on Saturday published the phone numbers and personal data of hundreds of millions of Facebook users for free online.

The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and — in some cases — email addresses.

Insider reviewed a sample of the leaked data and verified several records by matching known Facebook users' phone numbers with the IDs listed in the data set. We also verified records by testing email addresses from the data set in Facebook's password reset feature, which can be used to partially reveal a user's phone number.

A Facebook spokesperson told Insider that the data was scraped due to a vulnerability that the company patched in 2019.

This discussion has been archived. No new comments can be posted.

Information On Half Billion Facebook Users Leaked Online

Comments Filter:
  • by beepsky ( 6008348 ) on Saturday April 03, 2021 @04:37PM (#61233728)
    Where can I download this database? I want to see if my family and friends are in it (I don't use facebook tho)
    • Re:Sauce? (Score:4, Funny)

      by smittyoneeach ( 243267 ) * on Saturday April 03, 2021 @04:41PM (#61233742) Homepage Journal
      In Soviet Russia, FaceBook uses YOU!
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Where can I download this database?
      I want to see if my family and friends are in it

      Really? I was going to check my enemies first.

    • What was that Subject supposed to mean? What was supposed to be the relationship to your question?

      However, the interesting aspect of your question is a meta-question: "How can you query a database for personal information about you without exposing yourself to the query system?" If you weren't in the database before you asked...

      The virtual profiles of my question are the constructs Facebook (and the google) use for people and identities that are referred to by "members" (AKA users), even though they are not

    • by slazzy ( 864185 )
      The ShinyHunters have it.
    • I expect hibp [haveibeenpwned.com] will have it soon enough.

      • by nadass ( 3963991 )
        Their status update on the subject:

        In April 2021, a large data set of 533 million Facebook users was made freely available for download. Encompassing approximately 20% of Facebook's subscribers, the data was allegedly obtained by exploiting a vulnerability Facebook advises they rectified in August 2019. The primary value of the data is the association of phone numbers to identities; whilst each record included phone, only 2.5 million contained an email address. Most records contained names and genders with many also including dates of birth, location, relationship status and employer.

        Emphasis mine; only 2.5 million accounts included an email address.

    • by dr3mag ( 7753906 )
      Really serious, how is possible Facebook loose this sensitive data?
  • Then, how was it exploited in 2021?

    Or, was the data scrapped prior to the patch on 2019?

    And, will FB be liable for providing identity theft protection for everyone compromised?

    • And, will FB be liable for providing identity theft protection for everyone compromised?

      Identity theft protection should be the default, not something special which must be "provided" by a social media company.

      Financial institutions should not allow someone to establish credit in your name with just your SSN, DOB, and your mother's maiden name.

      Identity theft is much less of a problem in countries that put the cost and burden of proof onto the institution granting credit rather than the victim.

      • And, will FB be liable for providing identity theft protection for everyone compromised?

        Identity theft protection should be the default, not something special which must be "provided" by a social media company.

        Financial institutions should not allow someone to establish credit in your name with just your SSN, DOB, and your mother's maiden name.

        Identity theft is much less of a problem in countries that put the cost and burden of proof onto the institution granting credit rather than the victim.

        With the Federal Governments recent interest in BookFace, perhaps a nice Class Action lawsuit would be in order. I don't even care if I get any money, Just bury the Fuckers.

    • And, will FB be liable for providing identity theft protection for everyone compromised?

      Facebook will use the "You fucked up - you trusted us!" defense.

    • Because 2029 hasn't happened yet. There's still 8 years left to exploit it.
  • The Internet is the greatest frontier since Europeans discovered the western hemisphere. As such, one should expect the same levels of opportunity and lawlessness.
  • I mean like LOL funny, not just "hah, funny" funny.
  • It is better to have personal relationships.

    Often it is useful to have privacy. Something unusual can happen that makes privacy necessary. For example, someone may object to a manner in which you expressed yourself.

    Facebook is a way of making money.
  • I was waiting to see when the next Facebook scandal was going to drop. Seriously, why does anyone even have accounts at these kinds of places anyway? Oh, and fuck the Zuck.
    • Re: (Score:3, Insightful)

      by dromgodis ( 4533247 )

      You are aware that by having a user name with Zuck in it, and by writing fiery comments about him and Facebook, you demonstrate that he owns a part of your mind. And it is unilateral - he doesn't even know you exist.

      Which one of you is winning?

  • Where is it? (Score:4, Interesting)

    by Stoutlimb ( 143245 ) on Saturday April 03, 2021 @07:05PM (#61234100)

    Extra points to anyone who posts a link to an easily searchable form of the database. It's important for people to know if they have been compromised.

    • Re:Where is it? (Score:4, Insightful)

      by green1 ( 322787 ) on Saturday April 03, 2021 @08:15PM (#61234262)

      If you have a facebook account, you've been compromised. You may, or may not, have been exposed in a data breach, but you can be certain that you've been compromised.
      What's with this idea that it's bad if random people get access to your info, but it's just fine if hundreds of random companies get access to it?

    • From Troy Hunt's twitter, a subset of it is on GitHub, portions may be included in Have I Been Pwnd
    • by slazzy ( 864185 )
      Here you go: https://haveibeenpwned.com/ [haveibeenpwned.com] If Troy hasn't added it all yet I'm sure he will in week or so.
      • by nadass ( 3963991 )
        From HIBP:

        In April 2021, a large data set of 533 million Facebook users was made freely available for download. Encompassing approximately 20% of Facebook's subscribers, the data was allegedly obtained by exploiting a vulnerability Facebook advises they rectified in August 2019. The primary value of the data is the association of phone numbers to identities; whilst each record included phone, only 2.5 million contained an email address. Most records contained names and genders with many also including dates of birth, location, relationship status and employer.

      • Yes, just enter your full name, social #, address, email, passwords, phone, and credit card information, and we'll tell you if it's on the "Dark Web!"
  • Who laughed at the part of the article where Along Gal says, presumably with a straight face, "Individuals signing up to a reputable company like Facebook..." and some other stuff?
  • by Required Snark ( 1702878 ) on Sunday April 04, 2021 @12:54AM (#61234710)
    Facebook has a market cap of over $800 billion. To make them take this seriously, I suggest a fine of $80 per account. For the roughly half billion accounts exposed, that would come to $40 billion, or about 5% of their market capitalization.

    If this was the penalty I doubt they would ever have a large scale data breach again. It would also all put the other incompetent bloated internet giants on notice they must take security seriously or they will suffer significant pain.

    Since none of the high up mucky-mucks will ever go to jail over any of their screw ups, the only way to make them toe the mark is to hit them in their pocket books. Nothing else matters to them.

  • It seems to just be the basic profile information scrape in case you haven't enabled any privacy settings whatsoever -- which is clearly a large proportion of worldwide subscribers. Funny enough, I always forget which DOB and status I have set on my FB profile -- I don't usually supply my real DOB to anything online (except for legal documents [i.e. passport/visa/bank application]).
  • ...NOT to give FB or similar your real birthday, address, or even name; and use a throwaway email and an otherwise inert phone #.
  • I never sent them that copy of my real name, driving licence and photo - they insisted on as 'validation'
  • Several years ago I started getting spam sent to facebook@mydomain. The only database I ever put that address into was Facebook's. So either the database has been stolen before, or someone "guessed" the address (which isn't necessary that hard, since if I make an account at yourcompany, I told you my address is yourcompany@mydomain, so that might inspire you to "frame" Facebook).

  • https://bit.ly/3wmK4MR [bit.ly] Make sure to remove the brackets
  • My ph# is also in yellow pages et al. My BD? Even my SN? We should not care to keep these secret as these should not be critical for anything.

    Granted that some may want to hide their birth dates but...should they even if you equal digital presents to physcal presents, where signs of age are recoognizable...

    I do want a transition to me-is-me (digitally signed somehow, block chain verifiable or whatever, finger print/iris scan/dna scan) and not me-is-my-SN or me-is-my-BD! And then FB and others will not need

  • People are upset that everyone can read the name and phone number they deliberately made public to everyone in the world on a public internet site? :/

Fundamentally, there may be no basis for anything.

Working...