Personal Data of 533 Million Facebook Users Posted on Low-Tier Hacker Forum
A trove containing phone numbers, email addresses, and biographical data for 533 million Facebook users from 106 countries has been posted for free on a low-tier hacking forum after circulating in private channels for years.
A dataset containing personal information for approximately 533 million Facebook users — including phone numbers, Facebook IDs, full names, locations, biographical details, and in some cases email addresses — has been posted for free on a low-tier hacking forum, security researcher Alon Gal reported.
The data, which covers users across 106 countries, had previously been offered for sale via private channels and through a Telegram bot. Researchers say the underlying records were scraped between June 2017 and September 2019 through a now-patched contact-import vulnerability in Facebook's mobile sync feature, which allowed an attacker to enumerate which phone numbers were associated with which accounts.
Facebook initially declined to comment, then characterized the data as "old" and not the result of a hack. The company said it does not plan to notify affected users, prompting criticism from privacy regulators in Europe.
"Whether the data is old or new, the harm is the same: hundreds of millions of people now have a permanent, searchable record tying their phone number to their identity, location, and social graph," said Lukasz Olejnik, an independent privacy researcher and consultant.
The Irish Data Protection Commission opened an inquiry under the GDPR, ultimately resulting in a 265 million euro fine against Meta in November 2022. The data continues to circulate freely, fueling SIM-swap attacks, smishing campaigns, and targeted social engineering against high-value users.