Blog: Debunking an RCE which CVSSv3 is 10.0 CVE-2020-35489
Blog: 533 million Facebook accounts leaked
Author: Vlad
Published on
"A Facebook data leak, you tap in a trash can, there are 10 that come out." Jean-Michel Sitassion, 2021.
You may have read it, seen it, heard it, someone released nearly 533 million Facebook accounts this weekend. I confess, this one is a bit of a scratcher, even if there are some regularly.
https://www.vice.com/en/article/7k95qg/facebook-leaked-the-data-of-533-million-users-and-didnt-tell
For France, there are 19 848 557, so many people! For the USA, there are 32 315 291 accounts.
Here is a table of the number of accounts by country: https://twitter.com/1337Ph4N70M/status/1379148925471457290
Among the data presented are :
- Phone number
- Email address (but not often)
- Unique account ID (because you can change the name as you like)
- First name, last name, gender, account creation date, date of birth
- City or town
- Relationship (as a couple...)
- Last year of study (I'm not sure about this field, called "education_last_year")
- Company
- Last update of the account Who wants the zero-six of Paul BIZMUT ?
By the way, Mark Zukerberg's information is also there, he has the ID number 4, it's the 4th account created on Facebook, but actually the first one because there is no one from 0 to 3 :
https://twitter.com/mikko/status/1378694432652939264
When did this leak happen?
Added 06/04/2021: the leak would have been done in two times, most of it in September 2019 https://twitter.com/joetidy/status/1379142610946777094?s=11
No idea, looking at the update dates, the leak would be from 2018 or 2019.
One buddy deleted his account in 2013 and is still there. Another deleted his account in 2013 and is not there.
I'm not there (but my account is pretty empty), my wife is not there... I feel like only people who gave Facebook her phone number are there.
Where does this leak come from?
Added 06/04/2021: the leak would come from Facebook.
Added 07/04/2021: Facebook didn't notify users of the leak in 2019 because... there's so much data taken or shared with other companies that well... huh... they're not going to bother with 500 million more π². My intro sentence was pretty much spot on π:
No idea π. We'll see announcements in the press in the next few days.
From Facebook directly, I doubt it.From an extraction from Facebook for statistics ("CSV" format) and stored somewhere without security, it's possible. From a subcontractor, maybe. From a client or partner, it's possible.
What to do?
Not much.
Yes, Europe might hit hard with RGPD (like many other countries).
Yes, these data could be used by dictatorships to catch unsuspecting dissidents....
But us, not much I think, except to do a class action, but I'm not a lawyer (I know some π ) :
- Please consider being wary of any future emails or phone calls you receive in the near future. Consider that our phone number is known to everyone by now and associated with your name;
- If you are a celebrity, a girl*... you might want to think about changing your phone number because the harassment might start soon. This is another reminder that social networks concentrate too much data, sold to too many people and that we must beware of them.
In the next days, sites offering to check if you are in the data leakage will swarm and I recommend you not to enter your personal data to check, like https://haveibeenzucked.com/
If I was setting up a site for this purpose, of course I would record all requests with the associated IP address π.
Happy Easter to all π and think of all those cybercriminals who just got a nice Easter present!
- no sexism here, I'm just sadly convinced that there are far more uneducated male morons who will harass girls with the information from this data leak.
