Have I Been Pwned included a search for data leaked from Facebook by phone number

Last weekend, the data of 533 313 128 Facebook users were published on the darknet, and now Have I Been Pwned included a search for data leaked from Facebook by phone number.

This leak differed from others by the fact that it contained not only data from public profiles, but also phone numbers associated with these accounts.

According to information security experts, back in 2019, cybercriminals exploited a vulnerability related to the Add a Friend function, which allowed them to gain access to phone numbers. This bug has been fixed long time ago.

Facebook representatives confirmed the leak, but said that “this is an old data, which was previously reported in 2019.”

In a recent statement, the company says that the leak is not associated with any vulnerability or hacking, but with the usual data scraping. That is, in 2019, scammers “who deliberately violate the platform’s policy” simply collected information from public user profilesmby abusing contact import functions.

The Have I Been Pwned Leak Aggregator has already added a leak to its base. That is, anyone can check if this problem affected him. At first, verification was possible only by email address, but only 2.5 million of 533 million records included an email address. That is, a search by email address most often yielded no results.

As a result, the founder of the resource, Troy Hunt, added the option to search by phone numbers to HIBP, although this was a non-trivial task due to the different number formats. A phone number search is performed with the addition of a specific country and region code, as shown in the illustration below.

Let me remind you that the Italian company TG Soft has launched a Have I Been Emotet service (similar to the well-known Have I Been Pwned), which checks if a specific domain or email address was used as a sender or recipient in Emotet spam campaigns.