Mobile telephone numbers and other types of personal data associated with around 533 million Facebook user accounts around the world have been disclosed on a hacker site, free of charge to interested parties.

The stolen personal information originally surfaced within the cybercriminal community back in Summer 2020 when one hacker forum member started selling data from the Facebook haul to other threat actors. This leak stood out last June because it contained Facebook member data that cannot be simply harvested from public account profiles and had private mobile telephone numbers for sale that were linked to the Facebook accounts.

The summer sale of Facebook data

The data for sale in June included information belonging to 533,313,128 users of the popular social media platform, and featured personal details like names, genders, mobile numbers, Facebook IDs, locations, occupations, dates of birth, relationship statuses and personal email addresses.

Samples of the data from Facebook viewed by IT help site, BleepingComputer, revealed almost each user record contained a name, Facebook ID, a mobile phone number and the user’s gender.

Cybercrime experts at intelligence company Hudson Rock commented at the time that they believed the hackers responsible exploited an unpatched weakness in the “Add Friend” feature on Facebook to access the users’ mobile telephone numbers during a cyberattack launched in 2019. The vulnerability has long since been patched, but the damage was already done, with over 500 million numbers successfully exfiltrated by the threat actors leaving members at risk of further attacks.

A statement from Facebook confirmed the origin of the leak in a recent comment:

“This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019.”

Free Facebook information leaked online

Now this Facebook data originally sold online has been released free of charge on the same dedicated hacker forum. While data leaks are often initially sold via private sales with exceptionally high price tags attached, it has become common for them to later be sold for ever decreasing amounts. Eventually they are made available to other hackers for no charge at all, helping those responsible to make an impression with their peers in the hacker community.

Although the information may date back to 2019, both email addresses and phone numbers are commonly kept for many years, which makes the data leaked freely still valuable to cybercriminals.

The recent data release has been enthusiastically received by threat operators on the hacker forum as it can be used to carry out attacks on individuals exposed in the breach. Both mobile phone numbers and email addresses can be used in targeted phishing attacks. Mobile phone numbers can also be helpful to hackers seeking to intercept dual-authentication codes issued via text message.

All Facebook users whose accounts have been compromised by the free data leak are advised to remain cautious regarding any texts or emails they receive that request them to click on any added links.