News broke over the weekend that more than 533 million Facebook accounts were compromised, with hackers stealing personal information that included phone numbers, emails, and more sensitive data. However, this isn’t a new hack. The attackers stole the data back in August 2019, and the hack made the news a few times. Before this weekend’s revelation, we last mentioned the massive Facebook hack in mid-January, when hackers were selling access to the data via Telegram. Specifically, hackers would let anyone attempt to look up either the Facebook ID or the phone number of a user impacted by the hack.
An unexpected development made the old Facebook hack resurface yet again. The database has now been posted in the wild, giving everyone free access to all that sensitive info. Facebook responded to the hack in the worst possible way, saying that the hack is “old data” that Facebook found and fixed. This might be so, but it doesn’t change the fact that someone stole that information and that the data is now available to the public. Many of those 533 million people might still have the same phone numbers and Facebook IDs, information that other people with malicious intentions can use for nefarious purposes. The good news is that you can easily check if your Facebook account was included in this massive hack of 533 million Facebook accounts.
One way to check if your Facebook data is included in the leak is to get hold of the stolen database. That might involve paying and trusting shady sources for access, and that’s not the route you should take. Instead, there’s a web service called Have I Been Pwned that lets you input your email and see whether it was exposed in any known data breach.
I’ve had a heap of queries about this. I’m looking into it and yes, if it’s legit and suitable for @haveibeenpwned it’ll be searchable there shortly. https://t.co/QPLZdXATpt
— Troy Hunt (@troyhunt) April 3, 2021
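For readers who would rather script the Have I Been Pwned check described above than use the website, here is an added example (not code from this article or from Have I Been Pwned). It calls the HIBP v3 `breachedaccount` endpoint, which requires an API key in the `hibp-api-key` header and a user-agent, and then reduces the returned breach records to the decision that matters: which service leaked, when, and whether the leak included data classes such as phone numbers that cannot simply be rotated. The breach records in `SAMPLE_BREACHES` are constructed to match the shape of the API response so the parsing and advice logic runs offline; the breach names and dates in it are made up.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import quote

HIBP_API = "https://haveibeenpwned.com/api/v3/breachedaccount/"

# Constructed sample records in the shape of the HIBP v3 breachedaccount
# response (with truncateResponse=false). Names and dates are invented.
SAMPLE_BREACHES = [
    {
        "Name": "ExampleSocialNetwork",
        "Title": "Example Social Network",
        "BreachDate": "2019-08-01",
        "DataClasses": ["Names", "Genders", "Dates of birth",
                        "Geographic locations", "Relationship statuses",
                        "Employers", "Phone numbers", "Email addresses"],
        "IsVerified": True,
    },
    {
        "Name": "ExampleForum",
        "Title": "Example Forum",
        "BreachDate": "2017-03-15",
        "DataClasses": ["Email addresses", "Passwords", "Usernames"],
        "IsVerified": True,
    },
]


def fetch_breaches(email: str, api_key: str,
                   user_agent: str = "breach-check-example") -> list:
    """Fetch the breaches HIBP lists for `email` (network access needed here only).

    The v3 API requires an API key in the `hibp-api-key` header and a
    user-agent; it answers HTTP 404 when the address appears in no breach,
    which is mapped to an empty list rather than treated as an error.
    """
    url = HIBP_API + quote(email, safe="") + "?truncateResponse=false"
    req = urllib.request.Request(
        url, headers={"hibp-api-key": api_key, "user-agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return []
        raise


def summarize(breaches: list,
              watch=("Passwords", "Phone numbers", "Dates of birth")) -> list:
    """Reduce raw breach records to what a response decision needs:
    the service, the breach date, and which watched data classes leaked."""
    summary = []
    for b in sorted(breaches, key=lambda b: b["BreachDate"], reverse=True):
        classes = set(b.get("DataClasses", []))
        summary.append({
            "service": b["Name"],
            "date": b["BreachDate"],
            "exposed": sorted(classes & set(watch)),
        })
    return summary


def recommended_actions(summary: list) -> list:
    """Turn the summary into defensive steps: rotate the password for every
    breached service (and anywhere that credential was reused), and treat a
    leaked phone number as a lasting phishing/SMS-spam exposure, since a
    number cannot be rotated the way a password can."""
    actions = []
    for item in summary:
        actions.append(f"Change the password used for {item['service']} "
                       f"and on any site where it was reused")
        if "Phone numbers" in item["exposed"]:
            actions.append(f"Phone number exposed via {item['service']}: expect "
                           f"targeted SMS and phishing that quotes this data")
    return actions


if __name__ == "__main__":
    # Offline demo on the constructed sample. Against the live API you would use:
    #   breaches = fetch_breaches("you@example.com", api_key="<your HIBP API key>")
    for line in recommended_actions(summarize(SAMPLE_BREACHES)):
        print("-", line)
```

The 404-to-empty-list mapping is the one edge case worth getting right: a naive client that treats every non-200 status as failure will report "check failed" for the common, good outcome of an address that is in no breach.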
If your email is associated with any hack, you should change the password for that service. That goes for the Facebook hack and any other data breach.
New breach: Facebook had 2.5M addresses exposed in an incident that impacted 533M subscribers' phone numbers. Most records contained name and gender, many also included DoB, location, relationship status and employer. 65% were already in @haveibeenpwned https://t.co/ltMkbZi9sK
— Have I Been Pwned (@haveibeenpwned) April 4, 2021
You should also consider changing the passwords to all the other services where you use the same username or password as Facebook. Recycling credentials is a bad idea to begin with, and you should start using unique passwords for each app and website. The best practice is to use a free or paid password management app like 1Password.
Checking whether the Facebook hack has impacted you by email might not be enough. As The Next Web points out, the founder of Have I Been Pwned, Troy Hunt, said on Twitter that he’s considering whether the database should be searchable by phone number. That way, you’ll know for sure whether your Facebook account was part of the breach.
The 533 million-account hack involves users in 106 different countries. Not all of them added their phone numbers to Facebook, but many people did. As Hunt explained on Twitter, “spam based on using phone number alone” is “gold.”
He continued, “Not just SMS, there are heaps of services that just require a phone number these days, and now there’s hundreds of millions of them conveniently categorized by country with nice mail merge fields like name and gender.”
Should the FB phone numbers be searchable in @haveibeenpwned? I’m thinking through the pros and cons in terms of the value it adds to impacted people versus the risk presented if it’s used to help resolve numbers to identities (you’d still need the source data to do that).
— Troy Hunt (@troyhunt) April 4, 2021
Hunt asked followers whether phone numbers should be searchable on the service, with nearly 68% of the vote in favor of the addition. People who are worried about the hack connecting their identity to their Facebook profile and phone number can take additional security steps, like changing their phone number or even simply ditching Facebook. Of course, that won’t undo any damage that has already been done.