Mark Zuckerberg Uses WhatsApp Rival ‘Signal’ App, Facebook Data Leak Reveals

Due to a software vulnerability, a database containing the personal information of 533 million Facebook users is now circulating on the open internet. So why isn’t Facebook notifying who’s been affected?

The company hasn’t given a straight answer on the matter, except to emphasize the leaked data comes from an already patched vulnerability. “This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019,” the social network said in a statement.

As a result, you’ll have to use a third-party website to find out if you were ensnared. Or you could try downloading the database yourself. The 20GB archive has already been freely circulating on the internet via a torrent for days now, putting affected users at greater risk.

According to Facebook, the vulnerability in question dealt with the company’s contact importer tool, which Forbes documented in September 2019. A security researcher uncovered that you could exploit the contact importer tool to type in a random phone number, and match it to a Facebook user.

Facebook points out the social network itself never provided the phone numbers. It also notes that once a phone number was matched to a Facebook ID, only a limited amount of already public information on the Facebook user’s account could then be pulled.

 

Still, it’s clear someone abused the vulnerability to learn the identities behind phone numbers across the globe. The compiled database containing the 533 million users—32 million of whom are based in the US—arranges the data by phone number, Facebook ID, full name, and location. In some cases, it also includes marital status, educational information, email address, and employer.


Was My Phone Number Leaked?

If you’d like to find out whether your data is in the leak, without downloading the 20GB database, you can try two ways. The first involves going to Haveibeenpwned.com, a trusted site that tracks data breaches. It received a copy of the Facebook database. Simply enter your email address, and the site will tell you if the address was in the database, an indicator your Facebook account was targeted.

The drawback with Haveibeenpwned.com is that the 20GB database contains only 2,529,621 unique email addresses. That’s about 0.5% of all the user records in the archive, according to Troy Hunt, who runs Haveibeenpwned.com. Instead, the database primarily indexes users through phone numbers, which you can’t input on Hunt’s website.

In response, Hunt added the ability for users to type in their phone number to check whether they were affected.

In the meantime, a user named David Johnstone in Australia also created a website, where you can type in your phone number to determine whether your information is contained in the leaked database.

 

The only problem is that Johnstone’s website, a news aggregator called TheNewsEachDay.com, was only started a month ago, so it’s still working to build up trust. “I knew there was interest in a tool that could check if one’s phone number was in the data so I decided to make it myself because it was easy and I didn’t have anything else to do on the last day of this long weekend,” he told us in an email.

 

However, typing your phone number into a random website isn’t exactly the best idea either. What if the same site is logging your information? In response, Johnstone says his website isn’t secretly recording anyone’s phone numbers. (He himself runs a business called Cycling Analytics, a web app for cyclists to analyze their riding.)

“I’m not saving the number or anything like that (but that’s what a person who is saving the numbers would say),” he told us. “I’m not sure how much use there is to collect thousands of phone numbers when creating this tool requires having access to millions of phone numbers with names and other personal information, but it’s hard or impossible to prove my code isn’t doing anything nefarious.”

Another site called HaveIBeenFacebooked.com has also popped up, which allows you to enter your phone number to check whether your account was affected. But again, you’ll have to trust the site isn’t secretly logging your phone number.

If your personal information was ensnared, be on guard. By learning your phone number and name, a cybercriminal could come up with ways to try and scam you.
