533 Million Facebook Accounts Just Leaked, and 'It's Old Data' Isn't the Comfort Facebook Thinks It Is
A scraped database of 533 million Facebook users' phone numbers and personal details surfaced free on a hacking forum, and Facebook is downplaying it.
Somebody posted a database on a hacking forum this weekend containing personal information on roughly 533 million Facebook users spread across 106 countries. Phone numbers, full names, locations, birthdates, some email addresses. And unlike a lot of leaks that get sold for a few hundred bucks in some corner of the dark web, this one is just sitting there, free, for anyone who wants it. Security researcher Alon Gal was among the first to flag it publicly, and once people started digging, it became clear how big the number actually was.
Facebook’s response so far is that this data came from a vulnerability in a contact-importer feature, one it says it patched back in August 2019. In other words: old news, already fixed, nothing to see here. They’re also pointing out that no passwords or payment information were included, which is true and worth noting. But I think leaning on “we already fixed the hole” kind of misses the point. The hole being fixed doesn’t put the data back. Once information is scraped at that scale, it’s out, permanently, regardless of whether the underlying bug still exists.
Why this matters more than a typical breach. Passwords get reset. Credit cards get reissued. But a phone number tied to your real name and birthdate doesn’t really have a “reset” button. This is exactly the kind of data set that fuels SIM-swapping attacks, targeted phishing, and social engineering — someone calling your phone company pretending to be you, armed with just enough real details to sound convincing. If your number is in this pile, the risk isn’t that someone drains your Facebook account tomorrow. It’s that this data becomes one more ingredient in some future scam that’s harder to trace back to its source.
There’s also a broader pattern worth naming here: this isn’t really a new hack. It’s 2019’s known vulnerability resurfacing as 2021’s mass leak, because scraped data has a way of circulating quietly for a while before someone decides to dump it publicly. That should worry people more than a fresh zero-day would, honestly, because it means the exposure window was long and largely invisible.
If you’re a Facebook user, there’s not a ton of direct action to take beyond the usual: be suspicious of unexpected calls or texts that reference personal details, treat SMS-based two-factor authentication as a weaker option than an authenticator app, and don’t assume “nothing bad happened yet” means nothing bad will. Companies at Facebook’s scale are going to keep collecting phone numbers as a matter of course — for account recovery, for ad targeting, for “security.” This leak is a pretty good reminder of the tradeoff baked into that convenience: the data has to sit somewhere, and it only takes one importer flaw, patched or not, to eventually get scraped clean.