Skip to content

Illustration by Security Management

Headaches from 2019 Facebook Data Breach Continue

In 2019, security researchers discovered personal information on more than half a billion Facebook users for sale on the Dark Web. You are forgiven if you do not remember the incident—there have been many data breaches and cybersecurity incidents in the months since.

The breach is back in the news because over the weekend, Business Insider reported that Hudson Rock Chief Technology Officer Alon Gal discovered that even the low bar of having to pay a few dollars for a trove of personal data on Facebook users no longer exists.

Initially, once verified, the information sells for a relatively high price. The Washington Post reports Gal as saying the leaked database generated tens of thousands of dollars. But the price declined as the data aged. Earlier in 2021, in a last attempt to wring money out of the breach, someone built a bot that for a low fee provided the phone number of any of the 533 million Facebook users impacted by the breach. Now the entire database has been posted online and is freely available, according to Business Insider.

The data matches Facebook user IDs with names, locations, birthdates, phone numbers, email addresses, and, in some cases, biographical information. The 2019 data leak was not the result of a hack, but rather the exploitation of a Facebook server that was not password protected and available online. In a statement over the weekend, Facebook spokesperson Liz Bourgeois confirmed that the information is from the 2019 leak, and that the vulnerability was fixed in 2019. Facebook had not issued any other statements as of Security Management's press time.

Though the information is old and does not include passwords, Cyberscoop reports the data being circulated freely is still concerning.

“Hackers can use phone numbers in the leak, for instance, to run social engineering scams such as SIM-swapping, in which they trick mobile carriers to transfer someone’s phone number to their own device in order to carry out fraud, such as gaining access to someone’s bank account, or resetting their email and social media accounts’ credentials," Cyberscoop wrote. "Thieves can also leverage the leak by cross-referencing data with other pieces of information contained in other stolen datasets to build a more complete profile of targets.”