Reported by privacy research company Privacy Affairs, the data found for sale doesn’t indicate that the seller actually broke into Facebook’s systems, nor that its data tied to any other data breach. Instead, Privacy Affairs said that the data was allegedly obtained by scraping publicly available data shared by Facebook users.
The fact that the data stolen and for sale is publicly available shouldn’t ease anyone’s fears: That data can still be used to compromise users’ security and privacy. In particular, the stolen data contains names, email addresses, locations, gender, phone numbers and Facebook User ID information. Each bit of that data could clue an attacker into password challenge answers, allow them to intercept one-time login codes, phish, send scam text messages and more.
While the potential for this particular set of data to be exploited may have lessened thanks to its removal from this particular forum, it’s unknown if it could end up posted elsewhere or how many buyers may have already purchased some of it. There are a total of nearly three billion people on Facebook, which means that data pertaining to up to half of them could be in the hands of bad actors.