More Than 267M Facebook Users Exposed In Newly Discovered Breach


A newly discovered breach in Facebook security has exposed 267,140,436 users. Making matters worse, the breach, discovered via a partnership between Comparitech and security researcher Bob Diachenko, appears to be linked to a criminal organization. The hackers in question appear to have operated out of Vietnam, and most of those affected are in the United States.

The exposed records included sensitive information: each user's unique Facebook ID, phone number, and full name. Each entry also carried a timestamp, further indicating that the data was genuine.

Where was the data discovered and what's the risk?

The presumption that a criminal organization was involved stems from how the data was discovered. Bad actors posted the data on a hacker forum on December 12 as a downloadable database; the database itself had first been indexed on December 4.


After Mr. Diachenko discovered the database and the server hosting it, which featured a landing page with a login form and a welcome note, an abuse report was sent to the ISP responsible for the server's IP address. The researcher reported the problem on December 14, and the ISP took the database offline on December 19. Exposure lasted just short of two weeks.

It isn't immediately obvious how the attackers came to possess the data. There are several possibilities, including scraping from publicly accessible Facebook pages and profiles. Alternatively, the data may have been taken before Facebook's 2018 policy changes, when its API still granted access to user information such as phone numbers.

Finally, Mr. Diachenko indicates that the information could have come from a hole in Facebook security that remains open despite the API changes. Facebook's recent track record on user privacy and protection has not been stellar, which widens the range of possibilities significantly.


Because of the sensitive nature of the information taken, the biggest risk is phishing via SMS.

The unique Facebook ID, in particular, makes it easier for a bad actor to discover further information about a user and use it in such attacks. In effect, it makes it easier for malicious entities to scam users out of other personal information. The end result can be, and often is, monetary loss or identity theft.

Bad actors may also use the stolen information for spam campaigns.


If you still use Facebook, you need to protect yourself

For those who choose to continue using Facebook, blocking the most likely means by which the data was scraped or stolen is possible. Users can limit what can be scraped through their account privacy settings, found by navigating to Settings and then clicking "Privacy."

The most important change is restricting who can view each piece of data publicly. The researchers say that, for starters, each field in the Privacy settings should be set to either "Only Me" or "Friends."

Finally, the setting that asks whether search engines may link to a profile needs to be changed. Users should set it to "No" to prevent basic scraping via internet search results such as Google's. It may also be a good idea to adjust similar settings in other apps where they are available. That will at least make it harder for users to be exposed in a future breach carried out with tactics similar to those possibly used in this one.