What happened
According to public breach records, the Facebook data breach on August 1, 2019 is reported to have exposed the personal information of 509,458,528 accounts.
In April 2021, a large data set of over 500 million Facebook users was made freely available for download. Encompassing approximately 20% of Facebook's subscribers, the data was allegedly obtained by exploiting a vulnerability Facebook advises they rectified in August 2019. The primary value of the data is the association of phone numbers to identities; whilst each record included a phone number, only 2.5 million contained an email address. Most records contained names and genders, with many also including dates of birth, location, relationship status and employer.
A dataset of roughly 533 million Facebook users from 106 countries was scraped by abusing the platform's contact-importer feature, which let users match phone numbers to profiles at scale; Facebook patched the underlying vulnerability in August 2019. The compiled data resurfaced publicly on a low-cost hacking forum in April 2021, where security researcher Alon Gal flagged it, and Facebook characterized it as "old data" obtained through scraping rather than a system intrusion. The exposed records combined phone numbers with names, locations, email addresses, gender, and relationship status, making them especially useful for SIM-swap, phishing, and spam-call campaigns.
What data was exposed
The following types of personal data were compromised:
- Dates of birth
- Email addresses
- Employers
- Genders
- Geographic locations
- Names
- Phone numbers
- Relationship statuses
Breach details
| Detail | Value |
|---|---|
| Breach name | |
| Date | August 1, 2019 |
| Accounts affected | 509,458,528 |
| Domain | facebook.com |
This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.
We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by Facebook; it reflects a publicly reported security incident.
What to do now
Based on the data exposed in this breach, here are the steps you should take:
- Treat your phone number as compromised: be alert for SMS phishing (smishing) and spam calls, and ask your mobile carrier to add a port-out/SIM-swap PIN to block account takeovers.
- Watch your email for targeted phishing that references real details (your name, employer, or location) to appear legitimate, and never act on unsolicited links or attachments.
- Enable two-factor authentication using an authenticator app rather than SMS, since your leaked phone number weakens text-based 2FA.
- Review and tighten your Facebook privacy settings so your phone number and profile fields are no longer publicly discoverable.
Check your exposure
Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.
Sources
- 533 Million Facebook Users' Phone Numbers and Personal Data Leaked Online — The Hacker News
- After Data Breach Exposes 530 Million, Facebook Says It Will Not Notify Users — NPR