Explainer · case A04 · 60 seconds
01 / 08 · Setup
YOUR NUMBER ON FACEBOOK.
you gave it for 2FA
02 / 08 · Tension
PRIVATE? IN 2019 IT LEAKED.
03 / 08 · Reveal
CONTACT IMPORTER
a Facebook API bug enabled mass-lookup by phone number
04 / 08 · Mechanism
mass-lookup of numbers → full profiles
Attacker
list of phone numbers
Facebook database
name, surname, email
533,000,000 records from 106 countries
05 / 08 · Scale
533M RECORDS. 106 COUNTRIES.
32M
USA
45M
Egypt
2.67M
Poland
06 / 08 · Discovery
JANUARY 2021
Alon Gal
CTO Hudson Rock
Darknet
sold for $5k
silent since 2019
FB: "old data, nothing new"
07 / 08 · Penalty
€265,000,000
Ireland DPC fine (November 2022)
Class action ongoing. Facebook refused to notify affected users individually.
08 / 08
2.67M POLES
Your number could be bought for $0.01. Facebook had known since 2019. It disclosed only when it was already too late.
Case A04 in Big Tech Files.