Fact Check

Was the Personal Info of a Half-Billion Facebook Users Leaked Online?

Facebook said the data breach happened in 2019.

Published April 7, 2021

Claim:
More than half a billion Facebook users had some personal information leaked onto a hacker forum in April 2021.

On April 3, 2021, Business Insider reported that the personal information of more than half a billion Facebook users was dumped onto a hacking forum:

"The exposed data includes the personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and, in some cases, email addresses."

Business Insider reported that the exposed data was posted in a "low-level hacking forum" on April 3.

The data breach was indirectly confirmed by Facebook, which said in an April 6 blog post that the problem initially occurred in 2019 and has since been fixed:

"We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019. This feature was designed to help people easily find their friends to connect with on our services using their contact lists.

"When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer. In this case, we updated it to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users. Through the previous functionality, they were able to query a set of user profiles and obtain a limited set of information about those users included in their public profiles. The information did not include financial information, health information or passwords."

We reached out to Facebook and asked whether the company would notify users affected by the breach, but didn't get a response in time for publication. We will update if we hear back. A Facebook spokesperson told Reuters, however, that the company doesn't have plans to do so. In lieu of that, Facebook users can check the website Have I Been Pwned to see if their email addresses or phone numbers have been part of that or other data breaches.

As Wired reported, victims of the breaches included some notable figures, among them Facebook cofounder and CEO Mark Zuckerberg and several high-ranking government officials in the U.S. and Europe.

Bethania Palma is a journalist from the Los Angeles area who started her career as a daily newspaper reporter and has covered everything from crime to government to national politics. She has written for ...