People can now check whether their phone numbers are among the data stolen from more than 500 million Facebook users – including 11 million from the UK – and leaked online.
Facebook has confirmed that the data comes from a historic breach related to a technical flaw the company “found and fixed” in August 2019, although privacy regulators are now asking additional questions.
People can now search the independent and widely respected Have I Been Pwned? site – which monitors hacking forums for dumps – to see if their numbers are among those listed in the enormous dataset.
Searchers should include the country code with their query, so in the UK it would begin 4479… and so on.
Troy Hunt, the security researcher who runs the service, says he has seen “near-unprecedented traffic” over the past few days, prompting him to add a phone number search feature alongside the site's regular email address search.
Mr Hunt said that the Facebook data dump “changed” his thinking about including only email addresses rather than phone numbers.
“There’s over 500 million phone numbers but only a few million email addresses so more than 99% of people were getting a ‘miss’ when they should have gotten a ‘hit’ [when searching to see if their data was compromised],” he explained.
However, Mr Hunt criticised the company: “Facebook are yet to put out a clear position on this. They’ve alluded to a 2019 incident being the root cause, but that doesn’t go far enough to explain the data in circulation,” he said, noting that multiple different datasets were circulating on a lot of hacker forums.
“There’s a vacuum of information right now, and that vacuum is being filled by a lot of speculation.”
In 2018, the social media giant disabled a feature that allowed users to search for one another via phone number following revelations that the political firm Cambridge Analytica had accessed information on up to 87 million Facebook users without their knowledge or consent.
In December 2019, a Ukrainian security researcher reported finding a database with the names, phone numbers and unique user IDs of more than 267 million Facebook users – nearly all US-based – on the internet.
In a statement relating to the most recent incident, Facebook said: “This is old data that was previously reported on in 2019.
“We found and fixed this issue in August 2019.”