Full Report
Introduction
“533 million Facebook users’ phone numbers leaked” was one of the headlines that flooded social networks. The leak, initially offered for sale in 2020, has more recently been released for free on a hacker forum, containing mobile numbers and a bunch of other related information. This news gave birth to websites like https://haveibeenzucked.com, where you could check whether the Facebook data leak contained your data (https://haveibeenpwned.com allows you to check it now as well).
Analysis Summary
# Incident Report: Massive Facebook User Data Leak and Subsequent Exploitation Research
## Executive Summary
A massive dataset containing personal information, including phone numbers, for 533 million Facebook users, initially leaked in 2020, was later released publicly for free on a hacker forum. While the initial compromise occurred in 2020, the public release of the data in early 2022 highlighted the enduring risk, spurring the creation of data-checking websites. The subsequent analysis of this leaked data focused on the potential for follow-on attacks, such as social engineering, SMS re-routing, SIM swapping, and the advanced SIM Hijacking vulnerability.
## Incident Details
- Discovery Date: Initial leak surfaced around 2020; public free release documented around February 2022.
- Incident Date: Initial data scraping/leak occurred sometime prior to 2020.
- Affected Organization: Facebook (Meta Platforms).
- Sector: Technology/Social Media.
- Geography: Global (affecting users worldwide).
## Timeline of Events
### Initial Access
- Date/Time: Prior to 2020 (Initial Leak).
- Vector: Data scraping/vulnerability exploitation against Facebook infrastructure (specific vector not detailed in the provided context, but implied by the scale of the leak).
- Details: A large volume of user data, including mobile numbers, was compromised and became available for sale in 2020.
### Lateral Movement
- Not explicitly detailed for the initial Facebook breach itself, but the *released* data acts as a springboard for subsequent attacker movement against individual users.
### Data Exfiltration/Impact
- Date/Time: 2020 (initial exfiltration); February 2022 (data released freely).
- Details: Mobile numbers and "a bunch of other related information" for 533 million users were exfiltrated.
### Detection & Response
- Detection: The leak was detected when data was first put up for sale in 2020 and again when it was released for free in 2022.
- Response actions taken: Following the free release, third-party verification websites (e.g., `haveibeenzucked.com`, `haveibeenpwned.com`) were created to allow users to check if their data was compromised. Carriers (AT&T, Verizon, T-Mobile) and the Sakari platform mitigated specific SMS vulnerabilities noted during follow-on analysis.
## Attack Methodology
The provided article focuses less on the initial Facebook breach technique and more on the **Follow-on Attack Vectors** enabled by possessing the phone numbers:
- Initial Access: Social Engineering (via phone/SMS), exploiting third-party vendor vulnerabilities (Sakari SMS platform), SIM Swap attacks, and SIM Hijacking (using crafted SMS Class 0 commands).
- Persistence: Not applicable to the data leak itself, but relevant in ongoing SIM swap fraud.
- Privilege Escalation: Not applicable to the data leak itself.
- Defense Evasion: Spoofing sender numbers during social engineering attacks.
- Credential Access: SIM Swap can lead to the acquisition of sensitive accounts via MFA interception.
- Discovery: Analysis of leaked data to profile targets for customized social engineering.
- Lateral Movement: Not applicable to the data leak itself.
- Collection: Malicious SMS Class 0/1/2/3 messages used to trigger phone logic manipulation (SIM Hijacking).
- Exfiltration: N/A (The data was already exfiltrated).
- Impact: Facilitating scams, stalking, unauthorized SMS reading (via vendor bugs), and potential account takeover.
## Impact Assessment
- Financial: Not quantified for the data leak, but the availability of numbers enables financial fraud via follow-on SIM swapping.
- Data Breach: Mobile phone numbers, and "a bunch of other related information" (implied PII) for 533 million users.
- Operational: No direct operational impact on Facebook was detailed, but high risk to user security.
- Reputational: Significant negative publicity for Facebook regarding user data protection.
## Indicators of Compromise
*Note: Indicators relate primarily to the follow-on attack techniques researchers tested post-leak.*
- Network indicators: Domains mentioned in the research context (a vendor platform tested by researchers, not a malicious indicator): `sakari.io`
- File indicators: Crafted SMS PDU sequences (e.g., specific TP-DCS octet values such as `10` for Class 0 and `11` for Class 1, in hex).
- Behavioral indicators: Receiving unsolicited SMS messages crafted to trigger SIM card applications (SIM Hijacking); calls/SMS leveraging spoofed numbers for social engineering.
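The TP-DCS values above can be checked mechanically on the receiving side. The following is an added example (not part of the report or its sources) that decodes the TP-DCS octet per 3GPP TS 23.038, walks a SMS-DELIVER PDU to reach it, and flags Class 0 (flash) and Class 2 (SIM-specific) messages; the PDUs are constructed samples and the function names are the author's own.

```python
"""Decode the TP-DCS octet of an SMS-DELIVER PDU and flag the message classes
the report lists as SIM-hijacking indicators. Added example; the PDUs below are
constructed samples, not captured traffic."""


def decode_dcs(dcs: int) -> dict:
    """Coding group, alphabet and message class of a TP-DCS octet (3GPP TS 23.038)."""
    group = dcs >> 4
    if group <= 0x3:  # 00xx: general data coding; bit 4 says bits 1-0 carry a class
        alphabet = ("gsm7", "8bit", "ucs2", "reserved")[(dcs >> 2) & 0x3]
        return {"group": "general", "alphabet": alphabet,
                "class": dcs & 0x3 if dcs & 0x10 else None}
    if group == 0xF:  # 1111xxxx: data coding / message class, bit 2 = 8-bit data
        return {"group": "message-class",
                "alphabet": "8bit" if dcs & 0x4 else "gsm7", "class": dcs & 0x3}
    return {"group": "other", "alphabet": None, "class": None}  # MWI and reserved groups


def parse_deliver_pdu(pdu_hex: str) -> dict:
    """Walk an SMS-DELIVER PDU in SMSC format (as AT+CMGL returns it) to TP-PID and TP-DCS."""
    b = bytes.fromhex(pdu_hex)
    i = 1 + b[0]  # skip the SMSC address: length octet, type-of-address, BCD digits
    if b[i] & 0x03 != 0x00:
        raise ValueError("TP-MTI is not SMS-DELIVER")
    oa_digits = b[i + 1]
    i += 3 + (oa_digits + 1) // 2  # first octet, OA length, OA type-of-address, OA digits
    return {"pid": b[i], "dcs": b[i + 1], **decode_dcs(b[i + 1])}


def triage_pdu(pdu_hex: str) -> list:
    """Reasons an incoming PDU deserves a closer look; [] for ordinary text."""
    info = parse_deliver_pdu(pdu_hex)
    reasons = []
    if info["class"] == 0:
        reasons.append("class 0 flash message")
    if info["class"] == 2:
        reasons.append("class 2 (SIM-specific) message")
    if info["pid"] == 0x7F:
        reasons.append("TP-PID 0x7F (SIM data download)")
    if info["alphabet"] == "8bit":
        reasons.append("8-bit binary payload")
    return reasons


# Constructed PDUs: made-up SMSC and originator numbers, SMS-DELIVER, packed "hello".
_HEAD = "07911234567890F1" "04" "0B911234567890F1"
_TAIL = "21101251031200" "05" "E8329BFD06"  # TP-SCTS, TP-UDL, TP-UD
ORDINARY_PDU = _HEAD + "00" + "00" + _TAIL  # PID 00, DCS 00: class-less GSM-7 text
FLASH_PDU = _HEAD + "00" + "10" + _TAIL     # DCS 10: class 0, the value the report cites
SIM_PDU = _HEAD + "7F" + "F6" + _TAIL       # PID 7F, DCS F6: 8-bit class 2, aimed at the SIM
```

Running `triage_pdu` over a modem's PDU-mode inbox gives a cheap first filter; a flag is a reason to inspect the message, not proof of an attack, since carriers also send legitimate class 2 and 8-bit messages.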
## Response Actions
- Response Actions (General User/Public): Creation of data checking portals (`haveibeenzucked.com`, `haveibeenpwned.com`).
- Response Actions (Vendor Mitigation): Sakari platform implemented multi-factor authentication/verification. Major carriers (AT&T, Verizon, T-Mobile) mitigated the specific SMS re-routing loophole exploited previously.
- Response Actions (SIM Hijacking Research): Researchers explored using specific SMS Classes (Class 0, 1, 2, 3) and PDU settings to test for SIM hijacking vulnerabilities.
## Lessons Learned
- Data aggregation significantly raises the risk profile for individuals, providing a foundation for advanced attacks even if primary credentials are not leaked.
- Third-party platforms handling SMS services (like Sakari) represent a weak link if they lack robust authentication, potentially allowing mass interception of user communications.
- Older vulnerabilities, such as SIM Hijacking (announced in 2019), remain relevant and can be highly dangerous when combined with widely available PII like phone numbers.
## Recommendations
- **For Organizations (like Facebook):** Enhance internal data minimization policies and conduct regular, deep auditing of systems capable of exposing large volumes of PII/phone numbers.
- **For Users:** Be cautious of any unexpected SMS or calls following a major data leak, especially those referencing personal details. Implement strong MFA not reliant solely on SMS whenever possible.
- **For Carriers/Vendors:** Continuously monitor and patch vulnerabilities in messaging gateways and authentication mechanisms that could allow unauthorized access to users' SMS traffic (e.g., SIM Swap procedures, vendor platform security).