As previously mentioned, data scraped from sites is usually public data. If users set their emails, names, and locations to be public, then that data could be viewed and harvested by virtually anyone. However, the data exposed from Facebook wasn’t your usual data scraping incident. Threat actors were able to harvest users’ phone numbers, even if the users had set their number to be private on their Facebook profiles. Facebook stated that they believed that cybercriminals accomplished this by exploiting Facebook’s “contact importer” feature, which allows users to find other users by using their phone numbers. This feature could have been exploited by uploading large sets of phone numbers and identifying which Facebook profiles matched the numbers. Facebook stated that this feature was fixed in September 2019, following the discovery that threat actors were abusing the feature.
However, while Facebook fixed the feature in 2019, the phone numbers of 533 million users had already been harvested by malicious individuals, along with other identifying information on users. The data was an instant success within the cybercriminal community. Within 5 days, more than 4,800 forum members had unlocked the data with their tokens, and the thread received over 1,000 replies and 200,000 views, making it one of the most viewed threads on the criminal forum.