Has Facebook leaked your phone number?

Has Facebook leaked your phone number?

Unless you keep your social media at a pole’s distance, you have probably heard that an absolutely enormous dataset—containing over 500 million phone numbers—has been made public. These phone numbers have been in the hands of some cybercriminals since 2019 due to a vulnerability in Facebook that allowed personal data to be scraped from the social media platform, until it was patched it in 2019.

But now some miscreant has posted the entire dataset on a hacking forum, so every lowlife out there has access.

When did this happen?

In an apparent attempt to play down the seriousness of the situation, Facebook spokesperson Liz Bourgeois tweeted Saturday that the leak involved “old data that was previously reported on in 2019.” Some reports say the data was scraped in 2019, others talk about early 2020. To be honest, between scraping vulnerabilities dating back to 2010, and the Cambridge Analytica scandal, an old data breach is still a data breach, and you’re probably still going to need to pay attention to it. Whether you like it or not.

If you are, or were, a Facebook user this may very well concern you.

Why it still matters

Access to personal data allows cybercriminals to seem more believable when they pretend to be somebody, making social engineering and ID theft easier, and unlike passwords, many of them can’t be changed. There are countless examples of how personal information helps criminals, but here are three to give you a sense of what’s at stake.

The first thing that comes to mind is a scam where people text you pretending to be a relative or dear friend. First, they tell you they have a new phone number and then they ask you to transfer some money on their behalf.

The scam is more likely to succeed if the threat-actor has some private information that can convince you they are who they claim to be. And with the correlation between your Facebook profile and your telephone number, depending on your settings they can look up:

  • Who your family and friends are
  • How you phrase your responses to each other
  • Some events from your life to talk about

Together with your phone number, that gives them an excellent attack vector for this type of scam.

Another devilish scheme can unfold if they have enough information about you to convince your telephone company that they are the cell phone owner. This can usually be done by providing the carrier with a phone number, a home address and the last four digits of a Social Security number.

Or you could become a victim of a text variant of a Business Email Compromise (BEC). One of the most profitable phishing scams, which is easier to pull off if the threat actor has more information available.

Limiting what you share

First off, cybercriminals don’t care where or how they get your information, so take care to hide your personal information on Facebook from profile visitors that are not friends. Facebook has a help page for this called Control Who Can See What You Share.

Facebook privacy settings

Go through that list and ask yourself if everyone needs to see all of that, and what you would rather hide from prying eyes.

Also, now that you know the information is out there, be vigilant, especially about unsolicited texts and phone calls. If any new tactics evolve from this you can always read about it right here.

How to check if your phone number is involved

There are a few sites that offer you the chance to look up your phone number and see if it’s been leaked. One that we trust, and that allows visitors to look for phone numbers from every country is the well-known have i been pwned?

Troy Hunt, the security guru that runs HaveIBeenPwned, explains in detail why he decided to include this dataset as a searchable entity on his blog. If you are too curious and want to dive right in, please note that you need to enter your phone number in the E.164 international standard format. Which is not as hard as it sounds. Replace the trailing 0 with your country code, only use numbers, and you should be good to go.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.