On April 3rd, a security expert announced the discovery of a massive data leak that affected 533 million Facebook users. But if you’re worried about your email being compromised, you probably shouldn’t be – fewer than 10% of the profiles had their addresses exposed. On the other hand, nearly 90% of the users suffered from phone number leaks. But that’s not all, and that’s why our independent research partners dug into the details to illustrate the scope of the breach.
Now, this wasn’t a fresh leak – Facebook claims that this data was gained via a vulnerability that was patched up in August 2019. Portions of this data had already appeared on sale in January 2021. But the full package only surfaced this month.
Overall, the leak produced 2,837,793,637 data points – meaning that the hackers, on average, exposed 5 types of data per user. “It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and — in some cases — email addresses,” said Vytautas Kaziukonis, CEO of Surfshark, when talking about the breach.
While the big worry online is about email addresses, this is not the part that should cause the most concern, as a comparatively small 4.76% of the profiles had their email addresses exposed. However, 89.01% of affected users had their phone numbers leaked.
Disclaimer: The data set for Facebook’s data breach was extremely large and complex to analyze; therefore, the probability of false positives and possible discrepancies should be taken into account.
All in all, 11 types of data points were exposed, with specifics varying from user to user. Here’s a chart that breaks it all down by type. Keep in mind that we’re counting the percentage of people affected by the breach:
Leaked data to feed SMS phishing attempts
What is the biggest, most worrying implication of this data? Its usefulness for SMS phishing. Scammers looking to impersonate actual services to steal your money and data can now match the names and the phone numbers of 89.01% of people exposed in the leak.
The data set also allows matching names and phone numbers with additional data like location (60.58%) and employer name (18.30%), which helps both to choose targets (especially for spear-phishing attempts targeting specific companies) and to make hacking attacks more believable.
Facebook users from Egypt were the most affected
Of more than 530 million compromised profiles, 32,315,291 were American. Egypt is the definite #1 victim of this hack, with the accounts of 45,183,147 Egyptian users being exposed. In general, the top 10 countries by breaches make up 50% of all the breach cases.
If we compare which data point made up what percentage of the data exposed in each country, we can see that the types of data leaked are very similar worldwide. For example, phone numbers are always around 16-18% of all data points. Conversely, emails take up less than 1% of all data points per country.
This is a call for users to be more cautious of phishing attempts. Whether it’s by SMS, email, or other means, always carefully check the sender, beware of any links and file attachments, look out for tell-tale grammar mistakes, and be suspicious of both a tone of urgency and offers that are too good to be true.
Why is so much information being leaked?
Data leaks are becoming more common: from mid-2020 to mid-2021, 1 billion people worldwide were affected by information breaches. These numbers are especially concerning since the hazards come from large corporations and social media sites.
This means that people have essentially no control over the security of their data, and can’t use privacy tools like VPNs to protect themselves. Most often, these companies won’t provide their services to you unless you give them your real information.
It’s easy to tell someone to “not use such services.” But in a lot of cases, our social (social media, chatting platforms) and physical (healthcare, insurance) well-being depend on it.
Essentially, the problem boils down to people not having actual control over their privacy. Data is being collected at every corner, but is not being adequately protected.