14.3 million South Africa Facebook users hit by data leak – check if you are affected

VPN provider Surfshark has analysed the recently discovered Facebook data leak containing the data of 533 million users, and found that 14,323,766 of the leaked profiles were South African.

South Africa has the tenth highest number of breached accounts overall, the analysis showed, making it one of the countries most severely impacted by the leak.

“In general, the top 10 countries by breaches make up 50% of all the breach cases,” Surfshark stated.

According to NapoleonCat data, South Africa had 17.6 million Facebook users at the time Facebook closed the vulnerability that allowed the data to leak. Over 81% of all South Africans who had a Facebook account in August 2019 may therefore be impacted.

As a point of reference – only 96,121 South Africans were affected by Facebook’s infamous Cambridge Analytica scandal in 2018.

Security expert Alon Gal, the chief technology officer at Hudson Rock, first reported this latest leak via Twitter, revealing that all 533 million records had been posted to the dark web for free.

Gal’s report included screenshots of a list of countries that was posted by the person who leaked the database. This list had a line stating that the leak contained 14.3 million records for “Africa”.

However, the list also separately listed African countries like Angola, Algeria, Botswana, and Nigeria.

Surfshark’s analysis has now confirmed that the “Africa” line in the leaker’s list was actually South Africa.

Top 20 countries by the number of Facebook profiles affected (Click to enlarge)

Leak not due to a hack — Facebook

In response to Gal’s post and the ensuing news articles, Facebook’s director of strategic response communications, Liz Bourgeois, said that this was old data that was already reported in 2019.

“We found and fixed this issue in August 2019,” stated Bourgeois.

This explanation has been challenged, with Wired reporting that Facebook never disclosed the vulnerability that resulted in this specific leak.

The security flaw that allowed attackers to get their hands on the names, phone numbers, Facebook IDs, location information, and other sensitive data of millions of users was in Facebook’s contact importer.

“We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019,” Facebook said in an official statement.

“This feature was designed to help people easily find their friends to connect with on our services using their contact lists.”

Facebook said that when it found out how attackers were using this feature in 2019, it made changes to the contact importer.

“In this case, we updated it to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users.”

Facebook said that it is important to understand that attackers obtained this data not through hacking its systems, but by scraping publicly available information from the Facebook platform.

“The information did not include financial information, health information or passwords,” Facebook assured.

What data was leaked from South African accounts

Surfshark told MyBroadband that from the 14,323,766 South African Facebook accounts, 83,938,406 data points were leaked.

The attackers, on average, therefore exposed six types of data per user in South Africa, with specifics varying from user to user, a spokesperson for the company said.

“While the big worry online is about email addresses, this is not the part that should cause the most concern as a comparatively small 0.51% of the South African profiles had their email addresses exposed,” Surfshark stated.

“However, all affected users — 100% — had their phone numbers or Facebook IDs leaked.”

The data set also allows matching names and phone numbers with additional data like location (37,18%) and relationship status (21,41%), Surfshark said.

“That helps to both choose the targets or to make hacking attacks more believable.”

An attacker could use the data exposed in the leak to send SMS (or WhatsApp) phishing attacks to your number, Surfshark said. It could also be used to gather information for SIM swap fraud.

The table below summarises what data each of the South African Facebook profiles in this leak contained.

Leaked data by percentage of South African Facebook profiles affected
Leaked data point Number of profiles Percentage of profiles
Phone number 14,323,568 100%
Facebook ID 14,323,559 100%
First Name 14,290,821 99.77%
Gender 13,773,588 96.16%
Last name 14,296,184 99.81%
Location 5,325,530 37.18%
Employer name 4,465,408 31.17%
Relationship status 3,066,753 21.41%
Email address 72,995 0.51%

How to check if your phone number was leaked

Due to the fact that this leak contains mostly phone numbers rather than email addresses, data breach notification service Have I Been Pwned has added the ability to search its breach and leak database for your phone number.

“There’s been huge interest in the Facebook incident, and I’ve seen near-unprecedented traffic to Have I Been Pwned over the last couple of days,” said the founder of Have I Been Pwned, Troy Hunt.

Hunt said that he never planned to make phone numbers searchable, but the Facebook data leak changed his view.

“There’s over 500 million phone numbers, but only a few million email addresses in the Facebook leak,” he said. “This means 99% of people were getting a miss when they should have gotten a hit”.

To see if your number was part of the recent Facebook data leak, you can search for it on the Have I Been Pwned website.

Phone numbers are stored with the country calling code, so South African numbers start with 27.

To search for your number, you must add 27 at front of the number and drop the leading 0. The number 0821234567 will therefore change to 27821234567.

Now read: South African WhatsApp users cannot be forced to accept new privacy policy – Regulator

Latest news

Partner Content

Show comments


Share this article
14.3 million South Africa Facebook users hit by data leak – check if you are affected