Online security platform Have I Been Pwned has added the ability for users to check if their mobile number has been compromised in the recent Facebook data leak.
The personal data of 533 million Facebook users who formed part of the leak included full names, phone numbers, birthdates, location data, and email addresses.
It also included users’ Facebook IDs, account creation dates, relationship status, and biographical information.
Although this Facebook user data was leaked last week, it was not a result of a recent data breach.
Facebook product management director Mike Clark said malicious actors obtained this data by scraping it from the platform prior to September 2019.
Scraping is a common tactic that relies on automated software to lift public information from the Internet, which can then end up being distributed in online forums.
Clark said the malicious actors used Facebook's contact importer, which was designed to help people easily find friends to connect with using their contact lists.
“When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer,” he said.
Hudson Rock chief technology officer Alon Gal said although the data scraping incident is not new, the online leak still has a huge impact on privacy.
Gal said the data will be used by cyber criminals for social engineering, scamming, hacking, and unsolicited marketing.
To address concerns from Facebook users, Have I Been Pwned has made phone numbers searchable in its database.
Have I Been Pwned has always allowed people to search across multiple data breaches to see if their email address has been compromised.
Have I Been Pwned founder Troy Hunt has now added phone numbers to the search functionality because of the Facebook data leak.
“There’s been huge interest in the Facebook incident, and I’ve seen near-unprecedented traffic to Have I Been Pwned over the last couple of days,” Hunt said.
He never planned to make phone numbers searchable. The Facebook data leak, however, changed his view.
“There’s over 500 million phone numbers, but only a few million email addresses in the Facebook leak,” he said. “This means 99% of people were getting a miss when they should have gotten a hit”.
Hunt said the phone numbers were easy to parse out from well-formatted files. “They were also all normalised into a consistent format with a country code,” he said.
Facebook users who want to see if their personal information has been compromised in the Facebook leak can visit Have I Been Pwned and enter their mobile number.
All phone numbers are stored with their country calling code, so South African numbers start with 27.
To search for your number, you can add 27 in front of your number and drop the leading 0.
The number 0821234567 will therefore change to 27821234567.
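The conversion described above can be scripted when many numbers need to be put into the same form, for example a staff contact list. The following Python sketch is an added example, not code from Have I Been Pwned or from this article; the function name and the assumption that a South African number has nine digits after the leading 0 is dropped (as in the example number above) are ours.

```python
COUNTRY_CODE = "27"    # South African calling code, as given in the article
NATIONAL_DIGITS = 9    # assumption: digits remaining once the leading 0 is dropped


def to_search_format(raw: str) -> str:
    """Return a South African number as calling code + national digits.

    Accepts the forms people commonly type: 0821234567, +27 82 123 4567,
    0027-82-123-4567, 27821234567 or 821234567.
    Raises ValueError for anything that cannot be a South African number.
    """
    # Strip the separators people type between digit groups.
    cleaned = "".join(ch for ch in raw if ch not in " -().\t")

    if cleaned.startswith("+"):
        digits = cleaned[1:]                    # +27... -> 27...
    elif cleaned.startswith("00"):
        digits = cleaned[2:]                    # 0027... -> 27...
    elif cleaned.startswith("0"):
        digits = COUNTRY_CODE + cleaned[1:]     # drop leading 0, add 27
    elif len(cleaned) == NATIONAL_DIGITS:
        digits = COUNTRY_CODE + cleaned         # leading 0 already dropped
    else:
        digits = cleaned                        # assume already 27...

    # Only plain ASCII digits may remain after the prefix handling.
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError(f"not a phone number: {raw!r}")

    # Reject other countries and numbers of the wrong length.
    expected_len = len(COUNTRY_CODE) + NATIONAL_DIGITS
    if not digits.startswith(COUNTRY_CODE) or len(digits) != expected_len:
        raise ValueError(f"not a South African number: {raw!r}")
    return digits


if __name__ == "__main__":
    # Constructed sample inputs, not real subscriber numbers.
    for sample in ["0821234567", "+27 82 123 4567", "0027-82-123-4567"]:
        print(sample, "->", to_search_format(sample))
```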
It should be emphasised that if your number returns a positive result, it does not mean your password has been compromised.
However, personal details such as your full name, birthdate, location data, and email address could have been exposed alongside your phone number.