The personal details of more than 500 million Facebook users — including full names and phone numbers — were leaked earlier this week. Private data that was not listed in public profiles was also shared, including unique Facebook user ID numbers, user location information, job details, gender information and other details.
The leaked data was published on a public hacker forum and discovered by Alon Gal of Hudson Rock Security, who shared the news on Twitter. The hacked database appears to include nearly 533 million users across "all countries," including 32.3 million people in the U.S. and 11.5 million in the U.K. Gal also noted that an anonymous hacker created a Telegram bot that could — for a fee — search the database for specific phone numbers.
"This is old data that was previously reported on in 2019," a Facebook company spokesperson told CBS News. "We found and fixed this issue in August 2019."
That argument doesn't hold water, said ZDNet's Larry Dignan. "Phone numbers, Facebook IDs, full names and birth dates aren't likely to change often. That data is durable and has a long shelf life. It would be valuable for cybercrime whether it was 2019 or 2010."
Large data breaches from social networks also can have long-lasting implications. In 2012 and 2016, Russian cybercriminals hacked LinkedIn, the social network for professionals, and sold a trove of more than 100 million personal records. Although LinkedIn eventually patched the security vulnerability, the stolen database is still routinely used by criminals and hackers.
How to find out if your data was leaked
There are few, if any, legitimate methods of mining this Facebook data breach for your personal records. While the full data package is publicly available to forum members for download as 106 individual files, accessing and possessing stolen data is often considered a violation of the Computer Fraud and Abuse Act.
As for the Telegram bot created to sell access to individual records inside the Facebook leak, Dignan advises against using the site to search for your own records, as it is likely illegal to access and use. Instead, he suggests monitoring your email for phishing scams and signing up with a credit monitoring service.
You can also register and search for your personal information on a website maintained by the National Conference of State Legislatures that tracks data breaches.
HaveIBeenPwned is one of the best-known websites that tracks data breaches. Maintained by respected security researcher Troy Hunt, the site lets users legally search billions of records for email addresses, phone numbers and other personal information.
To mitigate future hacks, Dignan suggests changing passwords often and enabling two-factor authentication for email, social media sites and banking sites. Password wallets like LastPass and 1Password can help securely manage unique passwords and will also notify you if a password is weak, reused or compromised.
"In the long run, I think [everyone] needs to evaluate what data they share with companies and ponder the returns," Dignan advised. "Facebook often argues that in exchange for sharing personal details, you get better ad targeting and more relevant information. But I don't think that argument cuts it anymore."