Should I be worried about the Facebook data leak?

Background

On Saturday, a database containing the details of 533 million Facebook users turned up on a hacking forum. The database holds personal information such as full names, locations, email addresses, phone numbers, dates of birth, relationship status and gender. The data appears to have been scraped from Facebook in 2019, and the underlying vulnerability that allowed the scraping was patched in the same year.

Database

The database is split into 105 compressed files, one per country, with a total size of 15.6GB compressed. For the purpose of this demonstration, I will be using data from the Irish file only.

So what exact information is contained in the Irish database?

  1. 1,449,921 unique records. Each record relates to one Facebook user ID and contains the user's first and last name along with their phone number.
  2. 1,308,953 of these records identify the user's sex as either male or female.
  3. 347,366 records contain a relationship status: divorced, in a relationship, married, single or widowed.
  4. 9,229 records contain an e-mail address.
  5. 4,037 records contain the user's date of birth.
  6. 462,099 records contain a job title.
  7. 731,943 records contain a "lives in" location (the location the user has publicly set as their current location).
  8. 680,066 records contain a "from" location (the location the user has publicly set as where they are originally from).

What format is the data in?

The image below is populated with fake information to show how the data is presented in the database.

This can then be cleaned up to look like the following:
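To show what "cleaning up" a dump like this involves in practice, here is an added example that is not the author's own tooling: a small parser that loads one-record-per-line data, collapses duplicate lines on the Facebook user ID, skips malformed lines, and counts how many unique records carry each field, which is how the per-field counts above are produced. The colon-separated field order is an assumption for the example, and every record in the sample is constructed and fake.

```python
"""Load a leaked dump, dedupe on user ID and count per-field coverage.

Added example, not the article's own tooling. The colon-separated layout
(FIELDS) is an assumption for this example and SAMPLE_DUMP is constructed,
fake data; neither is taken from the real dump.
"""
from collections import Counter
from typing import Dict

# Assumed field order for one line of the dump (an assumption, not verified).
FIELDS = [
    "phone", "user_id", "first_name", "last_name", "sex",
    "lives_in", "from_location", "relationship", "job_title",
    "email", "dob",
]

# Constructed sample: four distinct users, one exact duplicate line and one
# line of junk that does not have the expected number of fields.
SAMPLE_DUMP = """\
353860000001:100000000001:Aoife:Murphy:female:Dublin, Ireland:Cork, Ireland:Single:Nurse::
353860000002:100000000002:Sean:Kelly:male:Galway, Ireland::Married:Software Engineer:sean@example.com:
353860000003:100000000003:Niamh:Byrne:female::::::
353860000001:100000000001:Aoife:Murphy:female:Dublin, Ireland:Cork, Ireland:Single:Nurse::
this line is not a record
353860000004:100000000004:Padraig:Walsh:male:Limerick, Ireland:Limerick, Ireland:::pwalsh@example.com:01/01/1990
"""


def parse_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Return {user_id: record}. Duplicate lines collapse on user_id and
    lines with the wrong field count are skipped rather than crashing."""
    records: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            continue  # malformed line: ignore it
        rec = dict(zip(FIELDS, (p.strip() for p in parts)))
        records.setdefault(rec["user_id"], rec)  # first copy wins
    return records


def field_coverage(records: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """Count how many unique records have a non-empty value for each field."""
    counts: Counter = Counter()
    for rec in records.values():
        for name, value in rec.items():
            if value:
                counts[name] += 1
    return {name: counts[name] for name in FIELDS}


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print(f"{len(recs)} unique records")
    for name, n in field_coverage(recs).items():
        print(f"{name:>14}: {n}")
```

Deduplicating on the user ID rather than the phone number matters: the same person can appear more than once with different phone numbers, and the counts in the list above are per user ID.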

How to find out if your data is included?

To find out whether your data is included in this leak, search the website HaveIBeenPwned by phone number. Enter the number in international format, with the country code and without the leading zero or plus sign: if your phone number is 0861234567, search for 353861234567.
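People type phone numbers in several styles (0861234567, +353 86 123 4567, 00353861234567), and searching the wrong form returns no match even when the number is in the dump. The following added example, which is not the article's own code, normalises an Irish mobile number into the digits-only international form described above and rejects input that does not look like an Irish mobile number instead of silently searching for something else. The country code and the Irish mobile number shape (08x plus seven digits) are the only assumptions.

```python
"""Normalise an Irish mobile number into the digits-only international form
used for the HaveIBeenPwned phone search (0861234567 -> 353861234567).

Added example, not the article's own code. Assumes the Irish country code
353 and that Irish mobile numbers are 08x followed by seven digits.
"""
import re

IE_COUNTRY_CODE = "353"  # assumption: Republic of Ireland


def hibp_phone_format(raw: str, country_code: str = IE_COUNTRY_CODE) -> str:
    """Accept local (0861234567), international (+353 86 123 4567),
    00-prefixed (00353861234567), '(0)'-style (+353 (0)86 123 4567) or
    already-normalised input and return e.g. '353861234567'.

    Raises ValueError on anything that does not look like an Irish mobile
    number, so a typo is not quietly searched as a different number."""
    digits = re.sub(r"\D", "", raw)  # drop spaces, dashes, brackets and '+'
    if not digits:
        raise ValueError(f"no digits in {raw!r}")

    if digits.startswith("00" + country_code):
        national = digits[len("00" + country_code):]
    elif digits.startswith(country_code):
        national = digits[len(country_code):]
    elif digits.startswith("0"):
        national = digits  # local form: trunk prefix stripped below
    else:
        raise ValueError(f"cannot tell how {raw!r} is formatted")

    if national.startswith("0"):
        national = national[1:]  # strip the trunk '0' (also the '(0)' style)

    # Irish mobiles: 08x + seven digits -> nine national digits starting with 8.
    if len(national) != 9 or not national.startswith("8"):
        raise ValueError(f"{raw!r} does not look like an Irish mobile number")
    return country_code + national


if __name__ == "__main__":
    for sample in ["0861234567", "+353 86 123 4567", "00353861234567",
                   "+353 (0)86 123 4567", "01 234 5678"]:
        try:
            print(f"{sample!r:>24} -> {hibp_phone_format(sample)}")
        except ValueError as exc:
            print(f"{sample!r:>24} -> rejected: {exc}")
```

Search the returned value on HaveIBeenPwned; the function is deliberately strict, so landlines and numbers from other countries are rejected rather than mangled.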

How do I prevent my data being leaked?

Most of the information in the leaked database was scraped from information that users had made public on Facebook. The one exception is the phone number, which did not have to be public. Always think about the information you post publicly online. Here are some steps that can help:

  1. Use a fake date of birth on social media sites and don't post your real one publicly. People with bad intentions use dates of birth to pass account-recovery checks and break into e-mail accounts.
  2. Facebook requires users to use their real name. Consider using the Irish version of your name to make it harder to attribute the account to you.
  3. Never post your email address publicly online. Combined with the other publicly available information above, it gives an attacker enough to guess security questions and gain access to your account.
  4. Lock down your Facebook profile; you can find steps here.
  5. This is overkill for most people, but you can protect your real phone number by using a virtual phone number for online services. Scammers who obtain the virtual number cannot reach you on your real one. Use the virtual number to sign up to social media sites.

Conclusion

On the surface, the leak does not seem that serious: it contains no passwords and only a small number of email addresses. Looking further into it, though, you can see how a person with malicious intent would use this data. The job titles make it easy to target phishing campaigns at specific roles, and the 1.4 million phone numbers give scammers an expansive calling list. The amount of publicly shared information, and the ease with which this data is currently being passed around, are also worrying. It will certainly be used for malicious purposes in the future.