Facebook Data Leak: What Happened and What Should I Do?

You may have seen something about a Facebook leak on the news or on your social media feeds. On April 6, Facebook acknowledged that personal information from 533 million Facebook users in more than 106 countries had been compromised. In light of this event, take the opportunity to review your personal data security habits.

What happened?

In 2019, malicious actors used automated software to scrape user data from Facebook via the tools used to import contacts. Facebook became aware of this activity in September 2019 and fixed the vulnerability, but they did not publicly announce their findings. In January 2021 the cybercrime intelligence firm Hudson Rock discovered the database of personal information for sale on a ‘low-level hacking forum.’ The data has since been released on the same forum for free. Facebook has announced that they do not plan to notify affected users.

What was compromised?

According to Facebook, only information that was publicly available on user profiles was included in this dataset. The data trove contains phone numbers, email addresses, hometowns, full names, and birthdates. No sensitive information such as passwords, credit cards, or social security numbers was found in the database, but the leaked personal information could leave users vulnerable to phishing scams or identity fraud.

What should I do?

Our cybersecurity experts recommend the following steps:

  • Change your Facebook password, just in case. If you use your Facebook password for other sites, change those passwords as well.
  • Review your Facebook account activity for any unrecognized posts, messages, or app authorizations.
  • Use a trusted third-party service like HaveIBeenPwned to check whether your information was included in this leak (or other breaches). They have recently updated their service to include phone numbers in the wake of this Facebook event.
  • If your personal information has been compromised, consider fraud or credit monitoring services. Many banks and credit card companies provide this service at little to no charge.
  • For more information, see MIT Technology Review’s article, CNN’s coverage, or Facebook’s official release.