Hundreds of millions of phone numbers, perfectly sorted and ready to use.
In the long and troubled history of digital identity, few moments clarify the fragility of personal data quite like this one: the private details of over half a billion people — names, phone numbers, birthdates, locations — have surfaced freely on the open internet, the residue of a vulnerability Facebook says it patched nearly two years ago. What was once sold quietly through back channels now requires no payment, no barrier, no accountability to access. The event asks an old question in a new register: when a company holds the intimate coordinates of human lives, what obligation does it carry when those coordinates escape?
- Personal data from 533 million Facebook accounts across 106 countries is now freely available online — no payment, no technical sophistication required to obtain it.
- The breach exposes phone numbers, full names, birthdates, and locations, giving bad actors a pre-sorted directory primed for scams, social engineering, and mass account takeovers.
- What began as a paid commodity sold through a Telegram bot has crossed a threshold — once data is free and widely distributed, it cannot be recalled or contained.
- Facebook acknowledges the underlying vulnerability was patched in August 2019 but has offered no remediation plan for the hundreds of millions of people whose information is now permanently in circulation.
- Security researcher Troy Hunt has loaded roughly 2.5 million exposed email addresses into Have I Been Pwned, giving users a way to check their exposure — though the more dangerous phone numbers remain under ethical deliberation.
A dataset containing the personal information of over 533 million Facebook users has surfaced online, freely accessible to anyone with the knowledge to find it. Spanning 106 countries — with 32 million American, 11 million British, and 6 million Indian users among those affected — the records include phone numbers, full names, locations, birthdates, relationship statuses, and in some cases email addresses. Security researcher Alon Gal first surfaced the leak; Insider subsequently verified portions of the data as authentic.
The dataset is not entirely new. Earlier this year, portions of the same information were being sold through a Telegram bot, accessible only to those willing to pay. What has shifted is the barrier to entry: the data is now free. Gal warned that it would inevitably be used for social engineering, financial fraud, and targeted hacking campaigns — a prediction that security professionals consider a near certainty given the scale and organization of the records.
Facebook has maintained that the vulnerability enabling the original scrape was discovered and patched in August 2019, framing the leak as a historical incident rather than an active threat. The company has offered no plan to notify or assist the hundreds of millions of people whose data now circulates permanently beyond its control.
Troy Hunt, who operates the Have I Been Pwned breach-notification service, examined the dataset and found it credible, loading approximately 2.5 million unique email addresses into his database for public lookup. But Hunt was clear that email addresses are not the sharpest edge of this breach — the phone numbers are. Hundreds of millions of numbers, sorted by country and paired with identifying details, hand spammers and account-takeover attackers an almost perfectly organized contact list. Whether to add those phone numbers to Have I Been Pwned is a decision Hunt has not yet made, one that carries its own quiet ethical weight.
A massive trove of personal information belonging to over half a billion Facebook users has surfaced online, available to anyone willing to look for it. The dataset encompasses 533 million accounts spread across 106 countries, with particularly heavy concentrations in the United States, United Kingdom, and India. Security researcher Alon Gal first reported the leak, and Insider subsequently verified portions of the exposed records to confirm their authenticity.
The information contained in these leaked files reads like a comprehensive personal directory. Each record includes a phone number, Facebook ID, full name, current location, previous locations, birthdate, account creation date, relationship status, and biographical information. In some cases, email addresses are also present. The sheer breadth of this data—spanning 32 million American users, 11 million British users, and 6 million Indian users—means that hundreds of millions of people now have their most basic identifying information circulating in the open.
This particular dataset is not entirely new. Earlier in January, security researchers had discovered that portions of the same information were being sold through a Telegram bot, with bad actors charging money for access to specific slices of the data. What has changed now is the barrier to entry. The information that once required payment is now freely available to anyone with the technical knowledge to find it. Security researcher Alon Gal warned that the exposed data would inevitably be weaponized for social engineering attacks, financial scams, hacking attempts, and targeted marketing campaigns.
Facebook's response has been consistent but limited. The company told multiple news outlets that the underlying vulnerability responsible for the leak was discovered and patched in August 2019. According to Facebook's account, bad actors exploited a flaw in the platform's systems to scrape user information before the company closed the security hole. The company has offered no details about what remediation steps, if any, it plans to take for the hundreds of millions of people whose data is now permanently in circulation.
Troy Hunt, who maintains the Have I Been Pwned database—a service that allows people to check whether their personal information has appeared in known breaches—examined the leaked dataset and found it credible. He identified approximately 2.5 million unique email addresses within the leak, which he has already loaded into his database so users can verify their exposure. However, Hunt emphasized that the email addresses, while significant, are not the most dangerous element of this breach. The real threat lies in the phone numbers. With hundreds of millions of phone numbers now organized by country and paired with names and other identifying details, spammers and scammers have essentially gained a perfectly sorted contact list. Services that rely on phone number verification for account access—and Hunt notes there are many—now face a landscape where attackers can attempt mass account takeovers using this data. Hunt is still deliberating whether to add the phone numbers to his Have I Been Pwned service, a decision that carries its own ethical weight.
Citações Notáveis
Bad actors will certainly use the information for social engineering, scamming, hacking and marketing.— Alon Gal, security researcher
For spam based on phone numbers alone, it's gold. There are heaps of services that just require a phone number these days and now there's hundreds of millions of them conveniently categorised by country.— Troy Hunt, creator of Have I Been Pwned
A Conversa do Hearth Outra perspectiva sobre a história
Why does it matter that this data is now free when it was already being sold before?
Because access changes everything. When information costs money, only determined criminals with resources pursue it. Free data gets weaponized at scale. Every spammer, every scammer, every person with a script can now use it.
Facebook says they fixed this in 2019. Doesn't that mean the problem is solved?
It means they closed the door after the theft. The data was already copied. Fixing the vulnerability doesn't bring back what leaked—it just prevents new leaks from the same hole.
You mentioned phone numbers are the real danger here. Why more than email addresses?
Email requires you to know someone's password or to trick them into resetting it. A phone number is a master key to dozens of services. Banks, social media, messaging apps—they all use phone verification. With 533 million numbers organized by country and paired with names, attackers can run automated takeover attempts.
Can people do anything to protect themselves?
They can check Have I Been Pwned to see if they're in the dataset. Beyond that, it's limited. The data is already out there. The best defense is changing passwords, enabling two-factor authentication, and being suspicious of unexpected messages.
What does Facebook owe these users?
That's the question no one has answered. Facebook hasn't announced any compensation, credit monitoring, or even a clear explanation of what happened. They've just said the vulnerability is fixed and moved on.