leaksear.ch has indexed a Facebook data leak containing 171,540,498 records from a scrape dated August 1, 2019, with phone numbers, names, Facebook IDs, location and country fields, dates of birth, profile URLs, locales, hometowns, genders, and some email addresses (leaksear.ch metadata). Public reporting tied the wider 500M-plus Facebook dataset to abuse of a contact-importer function that Facebook said it changed in 2019, and to a leak that circulated freely in April 2021 (about.fb.com, www.bleepingcomputer.com).
What happened
Meta said on April 6, 2021 that malicious actors did not hack Facebook's systems for this dataset, but scraped data from the platform before September 2019 using the contact importer, a feature that matched uploaded contact lists to Facebook users. Meta said it changed the feature in 2019 to prevent software from uploading large sets of phone numbers to discover matching profiles, and said the exposed information did not include financial information, health information, or passwords (about.fb.com).
Public reporting gives the wider leak a larger footprint than the leaksear.ch-indexed corpus. BleepingComputer reported about 533,313,128 Facebook users in a forum leak that was released for free on April 3, 2021; Business Insider reported more than 533 million users across 106 countries; and Have I Been Pwned lists 509.5 million affected accounts with an August 2019 breach date (www.bleepingcomputer.com, www.businessinsider.com, haveibeenpwned.com). WIRED later noted that Facebook's explanations left confusion about exactly which earlier scraping events and datasets overlapped, which is why this article treats the 171.5M leaksear.ch record count as the scoped indexed corpus rather than the full public universe of Facebook-scrape data (www.wired.com).
The incident also had regulatory consequences. Ireland's DPC announced on November 28, 2022 that it fined Meta Platforms Ireland €265 million after an inquiry into Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer processing between May 25, 2018 and September 2019, finding infringements of GDPR Article 25(1) and 25(2) (www.dataprotection.ie).
What data was exposed
The leaksear.ch metadata lists queryable fields for this leak as country, date of birth, email, name, phone, and username (leaksear.ch metadata). The same metadata describes exposed Facebook IDs, phone numbers, names, gender, location and country fields, dates of birth, profile URLs, locales, hometowns, and some email addresses (leaksear.ch metadata).
Stored context that may appear on records includes gender, hometown, locale, location, and profile URL; these fields are stored with a record but are not direct search pivots on the platform (leaksear.ch metadata). Public sources similarly emphasized that the wider Facebook leak's primary value was linking phone numbers to real identities, while only a smaller portion of the wider corpus contained email addresses (haveibeenpwned.com).
Why this matters
Even without passwords, the combination of a phone number, name, Facebook identifier, location, and date of birth can help attackers make phishing and smishing messages more convincing. BleepingComputer warned that mobile numbers and leaked profile details could be used for smishing and SIM-swap attempts, and WIRED noted that the bug helped connect phone numbers with public profile information (www.bleepingcomputer.com, www.wired.com). For individuals and security teams, the practical response is to treat unexpected texts, calls, and account-recovery prompts with extra scrutiny, especially where SMS is used for authentication. To check whether your data is in this leak, use leaksear.ch to search the available pivots for this dataset: phone, email, name, username, date of birth, or country (leaksear.ch metadata).
Check your exposure
Vetted researchers and incident-response teams can request access, or sign in if they already have access, to check this dataset. Searchable pivots for this leak include country, date of birth, email, name, phone, and username.
Sources
- Have I Been Pwned: Facebook Data Breach
- Meta: The Facts on News Reports About Facebook Data
- BleepingComputer: 533 million Facebook users' phone numbers leaked on hacker forum
- Business Insider: 533 million Facebook users' phone numbers and personal data have been leaked online
- WIRED: What Really Caused Facebook's 500M-User Data Leak?
- Data Protection Commission: Data Protection Commission announces decision in Facebook Data Scraping Inquiry