A threat actor leaked 200,000 records on a hacker forum, claiming they contained the mobile phone numbers, email addresses, and other personal information of Facebook Marketplace users.
BleepingComputer verified some of the leaked data by matching the email addresses and phone numbers on random records within the sample data shared by IntelBroker, the threat actor who leaked the data online.
A Meta spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
IntelBroker claims this partial Facebook Marketplace database was stolen by someone using the ‘algoatson’ Discord handle after hacking the systems of a Meta contractor.
“In October 2023, a cyber criminal by the name of ‘algoatson’ on Discord, breached a contractor that manages cloud services for Facebook and stole its partial user database of 200,000 entries,” IntelBroker says.
The leaked database contains a wide variety of personally identifiable information (PII), including names, phone numbers, email addresses, Facebook IDs, and Facebook profile information.
Threat actors can use the email addresses leaked online in phishing attacks and the Facebook Marketplace users’ mobile numbers mobile phishing attacks.
The exposed mobile numbers and personal info can also be used in SIM swap attacks that would allow them to steal multi-factor authentication codes sent via SMS and hijack their targets’ accounts.
IntelBroker is known for the breach of DC Health Link, which led to a congressional hearing after the personal data of U.S. House of Representatives members and staff was leaked online.
Other cybersecurity incidents linked to IntelBroker are the sale of data stolen from Hewlett Packard Enterprise (HPE), an alleged breach of General Electric Aviation, and the breach of the Weee! grocery service.
The Facebook Marketplace data leak is not the first incident of this kind that Meta has experienced in recent years.
In November 2022, Meta was hit with a €265 million ($275.5 million) fine for failing to protect Facebook users’ personal information from scrapers after data linked to more than 533 million Facebook accounts was leaked on a hacker forum in April 2021.
The stolen data first surfaced in a hacking community in June 2020, and it contained information that could be scraped from public profiles and the affected accounts’ private mobile numbers.
533,313,128 Facebook users had their data leaked, with the exposed information including their mobile numbers, Facebook IDs, names, genders, locations, relationship statuses, occupations, dates of birth, and email addresses.
Almost every Facebook user record leaked in April 2021 included the users’ mobile phone numbers, Facebook IDs, and names, according to samples of the Facebook data seen by BleepingComputer at the time.
The April 2021 data leak also included the phone numbers for three of Facebook’s founders (i.e., Mark Zuckerberg, Chris Hughes, and Dustin Moskovitz).