How to check if your data leaked after the Facebook hack
Earlier this week, it was revealed that data from 533 million Facebook accounts leaked online, including phone numbers, birthdates, full names, email addresses, and more.
The leaked data includes any information users posted on their public profiles but also information that isn’t public. According to The Record, the leaked data comes from a breach that happened in 2019. The attacker abused a vulnerability in Facebook’s contacts importer feature and automated the collection of data until Facebook detected and cut off the attacker’s access in August of 2019. Although this breach is old, the leak has resurfaced in the news this week because the data is now being widely disseminated on cybercrime forums.
An easy way to check if your information was leaked is by visiting Have I Been Pwned. The tool will tell you if any of your data has been compromised based on your email address and, now, your phone number.
Should the FB phone numbers be searchable in @haveibeenpwned? I’m thinking through the pros and cons in terms of the value it adds to impacted people versus the risk presented if it’s used to help resolve numbers to identities (you’d still need the source data to do that).
— Troy Hunt (@troyhunt) April 4, 2021
Troy Hunt, who created Have I Been Pwned, said Facebook users can perform a search with their email or phone number — the latter of which comes with its own set of privacy risks, but Hunt decided it’s ultimately a valuable service.
“There’s over 500M phone numbers but only a few million email addresses so >99% of people were getting a ‘miss’ when they should have gotten a ‘hit,’” Hunt said. “The phone numbers were easy to parse out from (mostly) well-formatted files. They were also all normalised (sp) into a nice consistent format with a country code. In short, this data set completely turned all my reasons for not doing this on its head.”
Hunt explained that being able to search using your phone number is unique to this Facebook data breach, and won’t become the norm in the future. That is unless Hunt sees a similar value proposition.
“I’m not about to go trawling back through huge volumes of previous breach data and parsing out phone number,” Hunt said. “But if there’s a repeat of the Facebook situation in the future, I’ll be well-positioned to get the data loaded in.”
If your email address doesn’t produce a hit, you can search for your phone number instead, entering your country calling code first. In North America, phone numbers start with 1; in Australia it’s 61; and in the U.K. it’s 44. If you’re a more visual learner, Hunt shared the chart below.
Image via Troy Hunt
If you discover that your data was leaked, it’s critical that you take precautions right away. Since passwords weren’t part of the Facebook breach but phone numbers and other identifying information were, be on the lookout for a wave of spam, phishing, and harassment attempts. You should also consider using a password manager if you aren’t already. Password managers help you create and manage your passwords, and can also create unique passcodes to use for two-factor authentication. I’ve used 1Password for several years now, but there are many other options available.
Lastly, if you decide you have had enough of Facebook, check out our article on how to delete your Facebook account.