At this point, there’s a good chance your Facebook data has been hacked, sold, leaked, or generally misused by third parties. Now, at least in the case of the latest troubling Facebook-related incident which made the news over the weekend, there’s a way to know for sure.
On Tuesday, Have I Been Pwned?, a “free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised,” announced it had added to its searchable database the 533 million Facebook users’ phone numbers that are being swapped around by hackers.
The site, run by data breach expert Troy Hunt, lets people input their phone numbers to check if they’re included in the scraped Facebook data set (which includes more than just phone numbers). If so, the site tells victims what was likely exposed, and what steps they can take to protect themselves.
“The primary value of the data is the association of phone numbers to identities; whilst each record included phone, only 2.5 million contained an email address,” explains Have I Been Pwned? “Most records contained names and genders with many also including dates of birth, location, relationship status, and employer.”
On Sunday, Facebook said in a statement to Mashable that this “is old data that was previously reported on in 2019. We found and fixed this issue in August 2019.”
The company also published a blog post on Tuesday, which explained that the user data in question was scraped off its platform. “Scraping is a common tactic that often relies on automated software to lift public information from the internet that can end up being distributed in online forums like this,” read the statement in part.
Of course, not all of the information included in this data set — which Bleeping Computer, an information security and tech news site, reports includes “member’s mobile number, Facebook ID, name, gender, location, relationship status, occupation, date of birth, and email addresses” — might be considered “public.”
If you do find that your Facebook data was scraped by bad actors, there’s unfortunately not a lot you can do at this point. As Eva Galperin, the Electronic Frontier Foundation’s director of cybersecurity, noted Monday, you can’t really change things like birthdays, and phone numbers often remain static for years.
Have I Been Pwned? suggests general security precautions people should take if they find their data in a breach, such as:
Step 1: Protect yourself using 1Password to generate and save strong passwords for each website.
Step 2: Enable 2 factor authentication and store the codes inside your 1Password account.
Step 3: Subscribe to notifications for any other breaches. Then just change that unique password.
Notably, Joe Tidy, a cybersecurity reporter with BBC News, reported on Monday that Facebook said the hacked information includes user data from two separate incidents, one in April 2019 and one in September 2019 (so after the August 2019 fix Facebook told us about). We reached out to Facebook to confirm whether or not the dataset now in the news — also highlighted earlier this month by Alon Gal, co-founder and CTO of the self-described “cybercrime intelligence” firm Hudson Rock — includes user info from one or two separate incidents. We also asked Facebook to point us to where it notified affected users at the time. We received no immediate response.
Thankfully for users whose personal information is now being passed out free of charge by hackers, the website Have I Been Pwned? is a bit more responsive.