Hackers claim to have stolen 1.2 billion Facebook user records

Phan Van Hoa, 09:24

A group of hackers claims to have stolen a massive database of 1.2 billion user records from Facebook, by exploiting a vulnerability in an application programming interface (API) of the social networking platform operated by Meta.

The massive database was posted on a forum dedicated to sharing leaked information, with the group claiming that it was not a collection of old records, but a completely new trove of data. If confirmed, it could be one of the largest unauthorized harvests of user data ever to happen to Facebook.

The Cybernews team analyzed a sample of 100,000 unique Facebook user records, taken from the attacker’s initial post. While it’s just a small portion of the supposed 1.2 billion-record dataset, the researchers said the information in the sample appears to be valid.

According to initial analysis, the data contains sensitive information fields such as: user ID, full name, email address, username, phone number, location, date of birth and gender, enough to create serious privacy risks if exploited.

However, experts warn that caution is needed before confirming the authenticity of the entire claim, in part because this is only the second post by the group on the forum, and the previous post contained much less data.

“It is possible that they initially tested a small portion of the data, then continued to collect or aggregate data to increase the number to 1.2 billion records,” the research team said.

If confirmed, this would be one of the largest user data breaches ever recorded on the Facebook platform, further raising questions about how Meta protects users' personal information.

“The incidents show that Facebook is taking a reactive rather than proactive approach to security, especially when it comes to sensitive yet publicly accessible data. The lack of robust protections and transparency not only erodes trust, but also puts millions of users at risk of fraud, identity theft, and long-term privacy implications,” Cybernews reported.

At 1.2 billion records in size, the leaked data set could be an extremely dangerous tool in the hands of cybercriminals. Possessing a large volume of email addresses, phone numbers, and authenticated personal information from Facebook users makes it easy for attackers to automate phishing campaigns and target victims at scale.

Instead of requiring manual action, these campaigns can be deployed using automated bots that generate millions of spoofed messages, malicious messages, or fake login requests, personalized based on collected data.

Knowing that the email addresses on the list are actually tied to Facebook accounts makes the scams even more convincing. Hackers can target individual users with sophisticated phishing campaigns, impersonating Facebook or related services to steal login credentials, take over accounts, or commit financial fraud.

API abuse is an increasingly popular tactic for threat actors, according to security experts. In the first half of this year, several major platforms including Shopify, GoDaddy, Wix, and OpenAI were targeted by API exploitation attacks.

Financially motivated attackers even use similar techniques to illegally access cryptocurrency wallets, or harvest personal data from inadequately protected systems.

APIs are an essential part of modern digital infrastructure, allowing different services to interact and share data. However, this flexibility makes APIs vulnerable if not tightly controlled. Attackers can exploit legitimate APIs to exfiltrate data at a speed and scale far beyond the developer’s original intent.

Facebook data being harvested illegally is nothing new. Last year, Meta itself admitted that it had used public data from Facebook and Instagram to train its AI assistant, a move that sparked controversy over privacy.

Earlier, in 2021, another major leak involving data from more than 500 million Facebook users, including phone numbers and locations, resulted in the company being fined €265 million by the Irish Data Protection Commission (DPC).

“The repeated incidents show that Facebook and many other platforms are still maintaining a reactive rather than proactive security model, especially when it comes to controlling public but sensitive data,” the research team warned.

“Without rigorous defense mechanisms and the necessary transparency, user trust is eroded and millions of people become potential targets for fraud, scams, or even identity theft,” the research team said.

According to Cybernews
Featured Nghe An Newspaper
