Yesterday, data of over 533 million Facebook users across the globe was leaked online by a threat actor.
According to Indian media reports, the data breach includes the personal information of 6 million users in India.
The hacked data comprises phone numbers, Facebook ID, full name, location, past location, birthdate, (sometimes) email address, account creation date, relationship status, and personal bios.
Security researchers have warned that the leaked data can be used to commit fraud by impersonating a person.
It is said that the data could be a couple of years old and could have been extracted using a bug (a bug in the 'Add Friend' feature on Facebook) that the social media giant had fixed back in 2019.
But threat actors continued to circulate the data until it was fully released practically for free yesterday.
All 533,000,000 Facebook records were just leaked for free. This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked. I have yet to see Facebook acknowledging this absolute negligence of your data. https://t.co/ysGCPZm5U3 pic.twitter.com/nM0Fu4GDY8 (April 3, 2021)
Second breach of Indians' details in as many weeks
The worrying point from India's perspective is that details of over 6 million users from the country could be part of the leak.
This breach comes on the back of a major hack at the MobiKwik digital wallet.
Though the company had controversially pooh-poohed the breach, online researchers said that the data of crores of users was available in the public domain.
In that 'largest KYC leak ever', the data dump was said to contain 350GB of MySQL dumps or 500 databases; 99 million emails, phone numbers, passwords, physical addresses, IP addresses, GPS locations and device-related data; as well as 40 million records of card numbers, expiry dates and card hashes (SHA-256).
Further, it also has 7.5TB of merchant KYC data pertaining to 3.5 million merchants.
This is how you check if your data has been compromised
As far as yesterday's leak at Facebook goes, there is a way to check whether your email was exposed in the breach or not.
There is a data breach notification service named 'Have I Been Pwned?'.
Troy Hunt, the well-known and respected online security specialist who runs the site, has added the leaked data to the site to help users determine if their Facebook data was exposed in the leak.
Users just need to input their email address, and the site will list out whether their data had been breached.
Users have to key in their email address in the search field on the site. Once they click the 'pwned?' button, a list of all the data breaches the email was exposed to will be displayed.
This writer did try out the service with his email id. Mercifully, there was no breach through this FB leak. But as it happened, it also emerged that some of the writer's details may have been compromised through a leak from a URL shortening service a long time back.
Another general observation on this incident: I'm seeing *extensive* sharing of the data, both the entire corpus of countries and individual country files. Not just in hacking circles, but very broadly on social media too. This data is everywhere already. (April 4, 2021)
What if details of your phone number have been leaked?
Anyway, the biggest data detail to emerge from the Facebook leak was phone numbers. Only 2.5 million out of the 533 million Facebook member records also included an email address.
So, if you search for your email address and 'Have I Been Pwned?' does not return a matching result, you could still be part of yesterday's leak.
But as of now, the site does not give details on possible data compromise using your phone number.
The site administrator has tweeted that he is looking into how users can input phone numbers to see if they were exposed in the Facebook leak.
He also asked whether the FB phone numbers should be searchable on his site. "I’m thinking through the pros and cons in terms of the value it adds to impacted people versus the risk presented if it’s used to help resolve numbers to identities."