Late last week the news broke regarding a massive PII leak, impacting close to 553,000,000 Facebook users across 106 countries...including 32 million Americans (one of whom is Facebook CEO and creator, Mark Zuckerberg).
The PII includes things like:
- Full names
- Phone numbers
- Email addresses
While news of the breach is relatively recent (breaking on April 3rd), it looks like the compromised data might have been obtained via a vulnerability Facebook patched way back in 2019. It's just...flown under the radar since then and didn't get public attention until someone posted the database in a low-level hacking forum.
The "discovery," if you want to call it that, was made by Alon Gal, the CTO of Hudson Rock, a cybercrime intelligence firm. Gal apparently picked up on there being something rotten regarding Facebook in January, after hearing about a bot that could produce phone numbers for Facebook users around the world.
(Actor Rock Hudson, totally unrelated to Hudson Rock and completely irrelevant to this story. I'm just trying to keep you on your toes...)
This isn't the first time Facebook has leaked a huge amount of PII. We wrote about it back in 2019, when 419 million user records were stored on a server that wasn't password-protected and was accessible to anyone on the internet. Before that, we wrote about the 600 million user passwords Facebook was keeping in a plain-text file that was searchable by 2,000 internal Facebook staff members. And before that, we wrote about the 50 million accounts that were easily harvested by Cambridge Analytica to help manipulate the 2016 Presidential election.
Needless to say...Facebook doesn't have a great record when it comes to security. If you're a Facebook user and this makes you uncomfortable (and it probably should) you might want to consider checking to see if your account is amongst the 553,000,000 leaked via Have I Been Pwned? Or even deleting your Facebook account entirely.
Warning: Deleting your Facebook account is a serious decision and one you have to prepare for (mentally and physically). The lotus-eaters in your life (aka friends and family) who are still on the social media platform will be confused and possibly concerned regarding your decision to leave.
If you're expecting some convoluted, multi-step process to delete your Facebook account, you're in for a treat. Honestly, all you have to do is click this link: https://www.facebook.com/help/delete_account
Once you step through the process, Facebook gives you up to 30 days to log back in and reverse the decision. Also, if you've got any accounts linked to Facebook (e.g., Instagram) that you continue to use, your Facebook account will be reactivated. You've got to unlink each account manually if you want to keep using them separately.
If you're interested, you can download a copy of the information Facebook has on you. Since it's PII data, we recommend keeping it in a secure place if you decide to keep a copy of it.
Whatever you decide to do, you should be on the lookout for a rise in Social Engineering attacks using the leaked Facebook PII. If you're unfamiliar with what a Social Engineering attack is, check out this useful guide: