What happened?

Details include:

Phone number, Facebook ID, Full name, Location, Past Location, Birthdate, (Sometimes) Email Address, Account Creation Date, Relationship Status, Bio.

Bad actors will certainly use the information for social engineering, scamming, hacking and marketing.

— Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021

Last weekend, several reports came out about an alleged Facebook data breach that impacted 500 million users across 106 countries, including more than 800,000 users from the Philippines.

According to cybersecurity researcher Alon Gal behind Twitter handle @UnderTheBreach, this leak was due to a vulnerability in the social media platform’s system that was discovered in early 2020. In January of this year, he discovered a Telegram bot that allowed users to access the leaked data for a fee. But just last week, Gal discovered that the entire database has been posted on a hacking forum for free.

So yes, some people would have already accessed your phone number (and other supposedly private information!) because of this breach.

An old breach?

According to Facebook, this alleged vulnerability was fixed after a bug was corrected in 2019. In another statement to Bleeping Computer, Facebook said, “This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019.”

Unfortunately, this isn’t the first time that Facebook went under fire for data leaks and privacy breaches. There was the 2019 breach that leaked millions of users’ numbers, but Facebook said that this was fixed and patched in the same year. The 2016 breach of Cambridge Analytica was also a hot topic, especially due to the then-ongoing US elections. Facebook vowed to crack down on data scraping and breaches after that, but it seems there are still issues.

How do you know if you were targeted?

But for spam based on using phone number alone, it’s gold. Not just SMS, there are heaps of services that just require a phone number these days and now there’s hundreds of millions of them conveniently categorised by country with nice mail merge fields like name and gender.

— Troy Hunt (@troyhunt) April 3, 2021

So how do you know if your Facebook account was affected by this data breach? You can use the data breach tracking site haveibeenpwned to check if you were targeted. Simply enter your email address and phone number connected to your Facebook account, and the site will immediately tell you if your data has been “pwned” or hacked.

If you find yourself a victim of a data breach, you should immediately take steps to protect yourself. But what else can you do to secure your Facebook account?

Putting up your info on social media? Maybe don’t

Did you list all your family members? Shared your likes and dislikes? Filled up your social media info as if it’s a slam book? You should STOP doing that. ASAP. For the love of all things holy.

Remember that you don’t need to share everything about yourself online. You would definitely have to give up some data, like your name and email address. But you can also definitely use Facebook without telling the world your full name (with middle name even), your parents, brothers, sisters, children, grandparents, uncle, aunt, nephews, nieces, etc., your ex in kindergarten, in school, last year, etc., your high school, your university, etc., your bank account details, credit card details, etc. You get the point.

Think before you click

Ask yourself — should I really be clicking that share button? Did you use a fake school in your profile? Don’t post photos of you at your campus. Used a fake birthday? Don’t post photos from your actual birthdate. If people really wanted to, they can dig and harvest your data from all the things you’re sharing online. So think first before clicking that share button.

That “Sign In with Facebook” feature isn’t worth the convenience

That feature looks convenient and seemingly harmless, sure. But in reality, it’s dangerous. You’re basically creating a direct pathway from that website or app to your Facebook account.

So you have to clean up the apps that have permission to access your Facebook account. One of those sites could have been hacked, and if you connected it to your Facebook account, there’s already a straight path for the hackers all the way to your data on Facebook. It could be an editing app, a game, or whatever, but you should definitely remove anything you aren’t using anymore.

And if you could just take those few more minutes to create a new and separate account, all the better for your online privacy.

Choose strong, unique passwords

You might be tired of hearing this, but this is important. Your password is your first line defense from any online attacks. So if you’re using the same password in one account like Facebook across all your other online accounts like your email or Twitter or a game, then you’re just giving the hackers the master key to your online homes.

Even if you think it’s too much of a bother, you should still create different passwords for all your online accounts. You can use a password manager to help you with this.

Register a trusted contact

Sometimes, it’s better to trust in something you can look in the eyes — a person instead of a machine. So Facebook created a feature that allows you to give a Trusted Contact (or three or five) access to your account in any case you’d be locked out. Just make sure to choose people you really trust and inform them that you’re adding them as Trusted Contact in your Facebook account as last resort.

What other way have you secured your Facebook account?