Anatomy of a Breach

Anatomy of a Breach: Facebook — 533 Million Phone Numbers and Personal Data Posted Free Online

> series: anatomy_of_a_breach —— part: 148 —— target: facebook —— records: 533,000,000 —— uk_records: ~11,000,000 —— price: free

Hedgehog Security 30 April 2021 12 min read

533 million records. 106 countries. Posted for free. Including 11 million UK records.

In April 2021, the personal data of approximately 533 million Facebook users from 106 countries was posted for free on a hacking forum. The data included phone numbers, full names, locations, dates of birth, biographical information and, for some records, email addresses. Approximately 11 million UK records were included. The data had originally been scraped from Facebook in 2019 by abusing the platform's contact importer feature: the importer accepted uploaded lists of phone numbers and returned the matching profiles, so a scraper could feed it generated number ranges and harvest accounts in bulk.

Facebook (now Meta) argued that the data had been scraped rather than stolen through a traditional breach, and that the underlying weakness had been fixed in 2019. For the 533 million affected individuals the distinction was academic: their personal data, including phone numbers, which are particularly valuable for targeted phishing, SIM-swapping attacks and identity-verification bypass, was now freely available to every criminal on the internet. The Irish DPC (Facebook's EU lead regulator) investigated and, in November 2022, fined Meta €265 million, finding that the contact importer and related tools had breached GDPR's data protection by design and by default obligations (Article 25).

Phone numbers enable SIM-swapping, vishing, and MFA bypass.

Phone Numbers Are Sensitive Data

Phone numbers enable SIM-swapping attacks (taking over someone's phone number to intercept MFA codes), vishing (phone-based social engineering, as seen in the <a href="/blog/anatomy-of-a-breach-twitter-hack">Twitter hack</a>), and targeted smishing (SMS phishing). The 533 million phone numbers in this dump massively expanded the attack surface. <a href="/cyber-essentials">Cyber Essentials</a> recommends authenticator apps or hardware tokens over SMS-based MFA for this reason.

Posted for Free — Not Sold

Earlier dumps of this kind were sold on dark web marketplaces. The Facebook 533M dataset was posted for free, removing even the minimal cost barrier to acquiring the data. <a href="https://www.socinabox.co.uk/blog/what-is-the-dark-web-business-guide">Dark web monitoring</a> through <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects when your organisation's data appears in public dumps.

API Scraping — Again

The data was collected through Facebook's contact importer, an API feature that matched uploaded phone numbers to profiles with no effective limit on volume. This is the same broad pattern as <a href="/blog/anatomy-of-a-breach-cambridge-analytica">Cambridge Analytica</a> (2018): a legitimate API used to harvest user data at a scale it was never meant to serve. API abuse for data scraping continues to be a persistent threat. Our <a href="/penetration-testing/api">API penetration testing</a> assesses rate limiting, enumeration protection, and scraping defences.

€265 Million DPC Fine

The Irish DPC fined Meta €265 million over the contact importer weakness that enabled the scraping, at the time one of the largest GDPR fines imposed. Under UK GDPR, the ICO has equivalent enforcement powers. <a href="/cyber-essentials">Cyber Essentials</a> demonstrates the security measures that reduce regulatory exposure.

Scraped data becomes public data. Protect your APIs accordingly.

The Facebook 533M leak reinforced that data scraped through API vulnerabilities eventually becomes publicly available — harming individuals regardless of whether the collection is classified as a 'breach' or 'scraping.' For UK organisations, the lesson is to protect APIs against bulk scraping with the same rigour as traditional breach vectors. API penetration testing assesses scraping defences. Cyber Essentials mandates access controls. SOC in a Box monitors for API abuse patterns. And UK Cyber Defence provides incident response when data exposure is discovered.
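To make the API scraping point and the monitoring point above concrete, here is an added example (not Facebook's code and not part of the original article) of a phone-number lookup endpoint in two forms: an enumerable "contact importer" that confirms every registered number with no batch cap or per-client budget, beside a hardened version that caps batch size, budgets lookups per client, and only matches users who opted into discovery by phone number. It also includes a detector that runs over request logs and flags clients that look up large numbers of distinct phone numbers or walk a sequential range, the signature of a scraper. The user directory, the log lines, the `discoverable` flag and the thresholds are all constructed or assumed for illustration.

```python
"""Phone-number lookup endpoint: an enumerable 'contact importer' beside a
hardened one, plus a detector for bulk enumeration in request logs.
Added example with constructed data; this is not Facebook's code."""
import json
import re
from collections import defaultdict

# Constructed directory: phone number -> profile. 'discoverable' stands in
# for a "who can look me up by phone number" privacy setting (assumption).
USERS = {
    "+447700900001": {"name": "Ann", "discoverable": True},
    "+447700900002": {"name": "Ben", "discoverable": False},
    "+447700900003": {"name": "Cat", "discoverable": True},
    "+447700900004": {"name": "Dan", "discoverable": True},
}


def lookup_vulnerable(numbers):
    """Enumerable design: unlimited batch, no per-client budget, and every
    registered number is confirmed. Feed it generated number ranges and it
    returns the directory one batch at a time."""
    return {n: USERS[n]["name"] for n in numbers if n in USERS}


MAX_BATCH = 2       # numbers per request (assumed value)
MAX_PER_WINDOW = 3  # numbers a client may look up per window (assumed value)


class HardenedLookup:
    """Caps batch size, budgets lookups per client, and only matches users
    who opted into phone-number discovery."""

    def __init__(self):
        self._spent = defaultdict(int)  # client_id -> numbers looked up

    def lookup(self, client_id, numbers):
        if len(numbers) > MAX_BATCH:
            raise ValueError("batch too large")
        self._spent[client_id] += len(numbers)
        if self._spent[client_id] > MAX_PER_WINDOW:
            raise PermissionError("lookup budget exceeded")
        return {n: USERS[n]["name"] for n in numbers
                if n in USERS and USERS[n]["discoverable"]}


# Constructed request log, one JSON object per line (field names assumed).
LOG_LINES = """
{"ts": 1, "client": "app-A", "numbers": ["+447700900001", "+447700900003"]}
{"ts": 2, "client": "bot-B", "numbers": ["+447700900001", "+447700900002", "+447700900003", "+447700900004"]}
{"ts": 3, "client": "bot-B", "numbers": ["+447700900005", "+447700900006", "+447700900007", "+447700900008"]}
{"ts": 4, "client": "app-A", "numbers": ["+447700900004"]}
""".strip()


def looks_sequential(numbers, min_run=3):
    """True if the numbers contain a run of min_run consecutive values,
    the signature of a scraper walking a number range."""
    digits = sorted(int(re.sub(r"\D", "", n)) for n in numbers)
    run = 1
    for a, b in zip(digits, digits[1:]):
        run = run + 1 if b == a + 1 else 1
        if run >= min_run:
            return True
    return False


def detect_enumeration(log_text, max_distinct=5, min_run=3):
    """Flag clients by volume of distinct numbers or by sequential ranges.
    Returns {client: [reasons]}; thresholds are assumed, tune per service."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = json.loads(line)
        seen[rec["client"]].update(rec["numbers"])
    flagged = {}
    for client, nums in seen.items():
        reasons = []
        if len(nums) > max_distinct:
            reasons.append(f"{len(nums)} distinct numbers")
        if looks_sequential(nums, min_run):
            reasons.append("sequential number range")
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    scraper_batch = [f"+4477009000{i:02d}" for i in range(1, 10)]
    print("vulnerable:", lookup_vulnerable(scraper_batch))
    hardened = HardenedLookup()
    try:
        hardened.lookup("bot-B", scraper_batch)
    except ValueError as err:
        print("hardened:", err)
    print("detector:", detect_enumeration(LOG_LINES))
```

The hardened lookup addresses the three properties that made the real scrape possible: unbounded batch size, no per-caller budget, and a response that confirmed membership for every registered number regardless of the user's privacy settings. The detector is the kind of logic a monitoring service would run against endpoint logs; in production the per-client budget would be keyed on an authenticated identity plus device and network signals, and the thresholds would be set from observed legitimate usage rather than the small constants used here.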


533 million records scraped through an API and posted for free. Are your APIs protected against bulk scraping?

Our <a href="/penetration-testing/api">API testing</a> assesses scraping defences. <a href="/cyber-essentials">Cyber Essentials</a> mandates access controls. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for API abuse.

Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
