How to determine if your phone number is in the Facebook data leak


Due to a software vulnerability, a database containing 533 million Facebook users’ personal information is now circulating on the open Internet. So why is Facebook not notifying those who were affected?

The company did not give a straight answer, except to emphasize that the leaked data is the result of a vulnerability that has already been fixed. “These are old data previously reported in 2019. We found and corrected the issue in August 2019,” the social network said in a statement.

As a result, you must use a third-party website to find out if you were affected. Or you can try to download the database yourself. The 20 GB archive has been circulating freely for days now via a torrent on the internet, which puts users at greater risk.

According to Facebook, the vulnerability in question involved the company’s contact importer tool, which Forbes documented in September 2019. A security researcher discovered that the contact importer tool could be used to enter a random phone number and match it to a Facebook user.

Facebook points out that the social network itself never provided the phone numbers. It also notes that once a phone number was associated with a Facebook ID, only a limited amount of already public information about the Facebook user’s account could be retrieved.

Yet it is clear that someone abused the vulnerability to learn the identity behind phone numbers around the world. The compiled database containing the 533 million users, of whom 32 million are based in the US, organizes the data by phone number, Facebook ID, full name and location. In some cases, it also includes marital status, educational information, email address, and employer.


Is my phone number leaked?

If you want to find out if your data was leaked without downloading the 20 GB database, there are two ways to try. First, go to Haveibeenpwned.com, a trusted website that tracks data breaches. It has received a copy of the Facebook database. Simply enter your email address and the website will tell you if the address was in the database, indicating that your Facebook account has been targeted.

The downside to Haveibeenpwned.com is that the 20 GB database contains only 2,529,621 unique email addresses. According to Troy Hunt, who runs Haveibeenpwned.com, this is approximately 0.5% of all user records in the archive. Instead, the database indexes users primarily by phone numbers, which you cannot enter on Hunt’s website.

In response, Hunt added the ability for users to enter their phone number to see if it was affected.

Meanwhile, a user named David Johnstone in Australia has also created a website where you can enter your phone number to determine if your information is contained in the leaked database. (US users can click here.)

The only problem is that Johnstone’s website, a news aggregator called TheNewsEachDay.com, was only launched a month ago, so it is still working to build trust. “I knew there was interest in a tool that could check if someone’s phone number was in the data, so I decided to make it myself because it was easy and I had nothing else to do on the last day of this long weekend,” he told us by e-mail.


However, typing your phone number into a random website is not the best idea either. What if the site records the information you enter? In response, Johnstone says his website does not secretly record anyone’s phone numbers. (He runs a business called Cycling Analytics, a web application for cyclists to analyze their riding.)

“I do not store the number or anything like that (but that’s what a person storing the numbers would say),” he said. “I do not know how much use there is in collecting thousands of phone numbers if this tool needs to have access to millions of phone numbers with names and other personal information, but it is difficult or impossible to prove that my code does nothing sly.”

Another website called HaveIBeenFacebooked.com has also appeared, allowing you to enter your phone number to check if your account is affected. But again, you have to trust that the site is not secretly recording your phone number.

Stay vigilant if your personal information was caught up in the leak. Knowing your phone number and name, a cybercriminal can come up with ways to try to deceive you.
