The personal information of over 500 million Facebook users has been published on a hacker forum on the dark web. To put the impact into perspective, in 2019, the population of the entire United States was 328.2 million.
This data was stolen in 2019 after a vulnerability in Facebook’s ‘Add Friend” function was exploited. The vulnerability has now been patched, but the victims of the breach have been impacted for the second time after the data was published on the dark web on April 3 where it can be purchased for only $2.19.
The leaked Facebook data could include any of the following user information:
- Mobile number
- Email address
How to find out if your Facebook data was leaked
To find out if your Facebook data is included in this breach, search the email address linked to your Faceook account on the website Have I Been Pwnd? This search engine indexes all data breaches associated with a specified email address.
Here’s how you do it.
Step 1: Load the Have I Been Pwned website.
Step 2: Search the email address linked to your Facebook account
The search results will list all of the breached accounts linked to your email address and the specific data that was compromised in each breach.
What to do if your Facebook data was leaked
If you’ve been impacted by a breach, whether it was the Facebook breach or any other incident, the first thing you should do is change all account passwords associated with your email, especially if your compromised passwords are unchanged.
Passwords are seldomly changed across accounts, so a single breach could give threat actors access to all accounts linked to the impacted email address. To best protect your personal data, you should use a different password for each of your accounts and enable multi-factor authentication.
The second important thing to be aware of is that you will likely be targeted in multiple phishing attacks. In a phishing attack, a seemingly innocuous email is sent to an impacted email address. When the recipient clicks on a link in the email, a series of malicious actions are activated which could include, credential theft and even unsolicited bank account withdrawals if you’re logged into your bank at the time.
IMPORTANT: If a senders domain matches the domain name of the represented business, that does not guarantee that the email is not malicious. If a domain does not have the required security filters in place, cybercriminals could send fake emails on the business’s behalf.
Before replying to any business email you should always confirm its legitimacy by contacting the business directly either by phone or via a separate new email.