A massive database containing 1.2 billion user records was allegedly scraped from Facebook by exploiting one of the platform’s application programming interfaces (APIs), according to claims made by attackers.
The extensive dataset was shared on a popular data leak forum, with the attackers stating that the records are not a collection of old data but represent a completely new set of information. If verified, this would be one of the largest data scrapes associated with Facebook. The attackers claim the database contains:
- User IDs
- Names
- Email addresses
- Usernames
- Phone numbers
- Locations
- Birthdays
- Genders
Although the claims are significant, researchers urge skepticism regarding the authenticity of the 1.2 billion Facebook user records. Notably, this is only the second post by these attackers.
“Another post from the same group included data allegedly scraped from Facebook, but the volume was much smaller. It's possible the attackers initially released a small portion and then continued scraping to reach the current scale,” researchers explained.
If proven accurate, this would be yet another large-scale incident in which user data was scraped from Facebook. Analysts suggest this highlights concerns about Facebook's approach to user data protection. “There seems to be a trend of reactive responses to breaches instead of proactive measures to secure publicly accessible yet sensitive data. The lack of robust protections and transparency reduces user trust and exposes millions to phishing, scams, identity theft, and long-term privacy risks,” researchers said.
A database of this size could be highly valuable to cybercriminals, who may automate attacks and deploy bots to target users with minimal effort. Since the email addresses are tied to Facebook accounts, attackers can use them in phishing scams impersonating Facebook.
API exploitation is a common method among threat actors. Earlier this year, APIs of Shopify, GoDaddy, Wix, and OpenAI were targeted. Financially motivated attackers often use similar techniques to access cryptocurrency wallets. While APIs are essential for enabling different services to interact, they can also be misused to extract large volumes of data beyond their intended scope.
Data scraping from Facebook is not new. For instance, Meta previously confirmed it collected public Facebook and Instagram data to train its AI virtual assistant.
In 2021, another data leak exposed information such as phone numbers and locations of over 500 million Facebook users. That breach led to a €265 million ($266 million) fine from the Irish Data Protection Commission, the European Union's top data privacy authority.