Hackers claim to have stolen 1.2 billion Facebook user records

The massive database was posted on a forum dedicated to sharing leaked information, with the group claiming it was not a collection of old records, but a completely new trove of data. If confirmed, it could be one of the largest unauthorized harvesting of user data ever to happen to Facebook.

The team at Cybernews analyzed a sample of 100,000 unique Facebook user records taken from the attacker's initial post. While it's just a small portion of the supposed 1.2 billion record dataset, the researchers say the information in the sample appears to be valid.

According to initial analysis, the data contains sensitive information fields such as: user ID, full name, email address, username, phone number, location, date of birth and gender, enough to create serious privacy risks if exploited.

However, experts warn that caution is needed before confirming the authenticity of the entire claim, in part because this is only the second post from the group on the forum, and the previous post contained much less data.

“It is possible that they initially tested a small portion of the data, then continued to collect or aggregate data to increase the number to 1.2 billion records,” the research team said.

If confirmed, this would be one of the largest user data breaches ever recorded on the Facebook platform, further raising questions about how Meta protects users' personal information.

“The incidents show that Facebook is taking a reactive rather than proactive approach to security, especially when it comes to sensitive but publicly accessible data. The lack of robust safeguards and transparency not only erodes trust, but also puts millions of users at risk of fraud, identity theft, and long-term privacy implications,” Cybernews reports.

With a size of up to 1.2 billion records, the leaked data set could become an extremely dangerous tool in the hands of cybercriminal groups. Possessing a large volume of email addresses, phone numbers and authenticated personal information from Facebook users makes it easy for attackers to automate phishing campaigns and attack targets at a large scale.

Instead of requiring manual action, these campaigns can be deployed using automated robots that generate millions of spoofed messages, malicious messages, or fake login requests, personalized based on collected data.

Knowing that the email addresses on the list are actually tied to Facebook accounts makes the scams even more convincing. Hackers can target individual users with sophisticated phishing campaigns, impersonating Facebook or related services to steal login credentials, take over accounts, or commit financial fraud.

API abuse is an increasingly popular tactic for threat actors, according to security experts. In the first half of this year, several major platforms including Shopify, GoDaddy, Wix, and OpenAI were targeted by API exploit attacks.

Financially motivated attack groups even use similar techniques to illegally access cryptocurrency wallets, or harvest personal data from inadequately protected systems.

APIs are an integral part of modern digital infrastructure, allowing different services to interact and share data. However, this flexibility can also make APIs vulnerable if not tightly controlled. Attackers can exploit legitimate APIs to extract data at a speed and scale far beyond the developer's original intent.

Facebook data being illegally harvested is nothing new. Last year, Meta itself admitted that it used public data from Facebook and Instagram to train its AI assistant, a move that sparked controversy over privacy.

Earlier in 2021, another major leak involving data of more than 500 million Facebook users, including phone numbers and locations, resulted in the company being fined 265 million euros by the Irish Data Protection Commission (DPC).

“Repeated incidents show that Facebook and many other platforms are still maintaining a reactive rather than proactive security model, especially when it comes to controlling public but sensitive data,” the research team warned.

“Without rigorous defense mechanisms and the necessary transparency, user trust is eroded and millions of people become potential targets for scams, fraud, or even identity theft,” the research team said.