Insider said it reviewed a sample of the leaked phone numbers, birth dates, biographical details and more and found that some data matched known Facebook users' records. The Washington Post has not independently verified the information. Facebook said the leak involved "old" data stemming from a problem resolved in 2019, but the news still sparked renewed scrutiny of a social media giant previously dogged by high-profile concerns about data privacy.
"Bad actors will certainly use the information for social engineering, scamming, hacking and marketing," tweeted Alon Gal, the co-founder of an Israeli cybercrime intelligence company called Hudson Rock, who flagged the release of the Facebook data Saturday. Social engineering involves getting access to people's confidential information by gaining their trust rather than overcoming technical barriers - for example, by impersonating a tech support person.
"I have yet to see Facebook acknowledging this absolute negligence of your data," Gal tweeted. Gal said the compromised data also included Facebook IDs, full names, locations, some email addresses, relationship statuses and other details.
Facebook did not immediately respond to questions Saturday evening, but company spokeswoman Liz Bourgeois tweeted Saturday that the leak detailed by Insider involved "old data that was previously reported on in 2019."
"We found and fixed this issue in August 2019," Bourgeouis wrote.
Insider said a Facebook spokesperson told the news organization that the data was scraped through a now-fixed vulnerability.
The breach affected more than 533 million users spanning 106 countries, according to Insider, and includes more than 32 million records for users in the United States.
Gal told The Washington Post that the leaked database was previously sold for tens of thousands of dollars and then circulated, selling for lower prices until it finally was offered at no charge.
Early this year, Gal said, someone built a bot that gave people access to the database for a fee - a development that made the trove of data "much more worrisome," Gal tweeted at the time. Motherboard reported in January on that peddling of access in a "low-level cybercriminal forum."
On Saturday a user posted on a forum offering the data free.
The Post messaged the user on the app Telegram and did not immediately hear back.
Facebook - the world's most popular social media site, with well over 2 billion users - has drawn rebukes before for its handling of people's data. In 2019, the Federal Trade Commission fined the company $5 billion, alleging that it misled users about how third parties such as advertisers were accessing their personal information. Facebook did not have to admit guilt, but its settlement with the government included what was the largest privacy violation fine in American history.
The FTC began investigating after reports that Cambridge Analytica, a firm that worked with the campaign of former president Donald Trump, had improperly accessed names, "likes" and other information for millions of users without their knowledge.
- - -
The Washington Post's Tony Romm contributed to this report.