Facebook Breach
The personal details of more than 553 million Facebook users have been published on a website for hackers, according to multiple reports over the weekend.
[…]
In a statement, Facebook said the data was from a breach of its servers that had occurred in 2019 and it had since plugged the security hole that allowed it to take place.
While the information appears to be old, the details in the shared database include phone numbers, Facebook IDs, names, locations, birthdates and email addresses, all of which could be used in social engineering attacks or hacking attempts.
None of those is easy for users to change.
If you have a Facebook account, now is the time to be on alert for scammy phone calls from people who will try and social engineer their way into your credit card numbers and bank accounts. There is already a scam where they call and claim to be the IRS and need “immediate payment to avoid criminal prosecution”. I’m sure they’ll come up with even more dreadful ways to abuse this treasure trove of data.
Update (2021-04-15): Elizabeth Culliford (via Hacker News):
Facebook Inc did not notify the more than 530 million users whose details were obtained through the misuse of a feature before 2019 and recently made public in a database, and does not currently have plans to do so, a company spokesman said on Wednesday.
Lily Hay Newman (via Hacker News):
De Ceukelaire and other researchers had already alerted Facebook to similar issues. In 2012, Facebook made changes that resulted in the site's “Download Your Information” tool leaking phone numbers and email addresses that users had not supplied themselves through the contact import feature. A researcher disclosed the issue to Facebook in 2013; in 2018, the Office of the Privacy Commissioner of Canada and the Office of the Data Protection Commissioner of Ireland investigated the finding.
[…]
That incident differs from the more recent Facebook controversy, in which attackers were able to “scrape” Facebook by enumerating batches of possible phone numbers from more than 100 countries, submitting them to the contact import tool, and manipulating it to return the names, Facebook IDs, and other data users had posted on their profiles. Still, the lapse spoke to the potential for the contact import tool to access sensitive data and the need to look carefully for bugs and inadvertent behavior in the feature.