267 million Facebook profiles being sold online: What to do
Data includes names, phone numbers, Facebook IDs
An online crook is selling information harvested from 267 million Facebook profiles in a "dark web" marketplace for — well, only about $600.
Before you get alarmed, the data set is clearly not very valuable, judging by what's been posted about it by Bleeping Computer and the Singaporean information-security firm Cyble.
Most of the entries include Facebook users' full names, phone numbers and Facebook ID numbers. Some may also include users' email addresses, birth dates, gender and home state (most of the data involves U.S. residents), but there are no passwords involved.
Even more significantly, this is apparently the same Facebook-user data set we saw exposed (but not sold) online back in December 2019.
The data is likely to be a few years old, as it consists of what you could legitimately "scrape" from Facebook before the social network tightened up its access rules in mid-2018. It doesn't appear that the information was harvested in any kind of data breach.
How dangerous is this data?
Nonetheless, the names and phone numbers would be useful to telemarketers, robocallers and scammers, who can sound much more convincing to potential victims if they know the victims' names.
The records that include birth dates would be valuable to identity thieves. But it's not clear how many of the records among the 267 million include birth dates.
What you can do about the Facebook data dump
Unfortunately, there's not a whole lot you can do about this right now. Names and phone numbers aren't secrets, for the most part. You could sign up for one of the best identity theft protection services, but it's not clear if doing so would help.
Cyble has bought a copy of the database and added it to its AmIBreached.com website, but you'll have to pay for the privilege of looking up your own name or email address to see if it's involved in this data dump. (Cyble is offering three months free.)
We would be glad to see the free HaveIBeenPwned breach-lookup service adding the data as well, although site operator Troy Hunt might have to consider adding an option to search by name.
The best solution of all might be for Facebook to buy a copy of the data set, then notify each affected individual about the compromise. Facebook founder and CEO Mark Zuckerberg could probably pay the $600 price with pocket change.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.