This is going to surprise absolutely no one, but less than a week after word that more than half a billion people had their personal data leaked from the world’s largest and least-loved social network, Facebook has apparently gone and done it again. A new Facebook data leak has been uncovered, this one including user phone numbers that weren’t part of the initial haul that was first reported this past weekend. That one, in case you forgot, included personal information from more than 533 million Facebook users from 106 countries, such as their phone numbers, email addresses, birthdays, and full names.
On Friday, meanwhile, a Motherboard investigation found an online tool whereby customers can pay to obtain the phone numbers of Facebook users who “liked” a page on the social network, with these phone numbers being separate from the previous data cache noted above.
Motherboard published what seem to be the reactions of some Facebook users that the publication contacted via this method. “Hello … can you tell me how you got my number?” one of the affected Facebook users asked. Replied another to Motherboard’s inquiry, “If you have my number, then yes, it seems the data is accurate.” And still another: “Omg, this is insane.”
This tool is a bot available via Telegram, and it works like this: “Customers” give the bot a unique ID code for the Facebook page whose customers they want to get data from. The bot performs a quick analysis of the Facebook page and comes back with a price for the “customer.” Say you wanted to extract phone numbers of Facebook users who’ve liked a band or restaurant’s page. That would cost a few hundred dollars through this tool, per Motherboard.
Also important to note is the fact that the phone numbers extracted via this tool don’t show up in the Have I Been Pwned database that includes the Facebook data from over the weekend. Meaning, this appears to be an all-new data leak.
Facebook’s explanation for what happened that led to the previous data leak, we should point out, came days after the fact — and left a bit to be desired. For example, the company’s official blog post on the matter seemed to blame users themselves for leaving too much information on their profile set to “public” (ignoring the fact that Facebook’s byzantine bells and whistles have changed considerably over the years, and often defaulted settings to “public” with little warning or explanation). But if you believe that explanation, then you apparently also believe that the CEO of Facebook must have surely had his phone number publicly displayed on his Facebook profile, right?