• Paul Isaacson

32 Million Facebook User Accounts in the USA Exposed

Data breach notification service Have I Been Pwned can now be used to check if your personal information was exposed in a Facebook data leak that contains the phone numbers and information for over 500 million users.

On April 3rd 2021, a threat actor released the personal information for 533,313,128 Facebook users on a hacking forum, including mobile numbers, name, gender, location, relationship status, occupation, date of birth, and email addresses.


The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and — in some cases — email addresses.


While a couple of years old, the leaked data could provide valuable information to cybercriminals who use people's personal information to impersonate them or scam them into handing over login credentials, according to Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, who first discovered the entire trove of leaked data online on Saturday.


This data was originally sold in private sales after being collected in 2019 using a bug in the 'Add Friend' feature on Facebook. Facebook had closed this vulnerability soon after it was discovered, but threat actors continued to circulate the data until it was finally released practically for free ($2.19) on April 3rd 2021.


Since then, Troy Hunt has added the leaked data to his Have I Been Pwned data breach notification service to help users determine if a Facebook member's data was exposed in the leak.

For those not familiar with Have I Been Pwned, it is an excellent resource that indexes data exposed in data breaches so that users can input their email address and list the data breaches that exposed their data.


To check if the Facebook leak included your email address, you can visit Have I Been Pwned and enter your email address in the search field. Once you click the 'pwned?' button, a list of all the data breaches in which the email was exposed will be displayed.


Mozilla Firefox has also updated its Monitor solution, which can be used to check if your e-mail address has been compromised. Mozilla's tool uses information provided by the Have I Been Pwned tool.


For example, below is a search using an email address known to have been exposed in the most recent Facebook leak. As you can see, Have I Been Pwned reports that the email was found in the Facebook data released yesterday.

Hopefully your search will find that your e-mail address has not been part of a data breach.

This is not the first time that a huge number of Facebook users' phone numbers have been found exposed online. The vulnerability that was uncovered in 2019 allowed millions of people's phone numbers to be scraped from Facebook's servers in violation of its terms of service. Facebook said that vulnerability was patched in August 2019.


Facebook previously vowed to crack down on mass data-scraping after Cambridge Analytica scraped the data of 80 million users in violation of Facebook's terms of service to target voters with political ads in the 2016 election.


Gal said that, from a security standpoint, there's not much Facebook can do to help users affected by the breach since their data is already out in the open — but he added that Facebook could notify users so they could remain vigilant for possible phishing schemes or fraud using their personal data.


If anyone is interested in knowing if their details were part of this breach, they may submit a contact request on our website or give us a call, and we'll gladly look it up since we obtained the USA List.