Data from over half a billion Facebook users was leaked online, potentially exposing personal information such as phone numbers and email addresses to hackers.
Alon Gal, the chief technology officer of cybercrime intelligence firm Hudson Rock, revealed the data leak this past weekend, saying via Twitter “that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked.”
Some of the leaked information included Facebook IDs, location information, full names, birth dates, email addresses, account creation dates, relationship status, and bios. Gal said that it’s almost certain hackers will use the leaked data for online scams, including “social engineering” attacks. In such attacks, a hacker could theoretically use leaked data like a phone number to build trust with users, eventually persuading them to reveal more significant information like a Social Security number.
The data leak is another major blow to Facebook’s reputation in data privacy. In 2019, a security researcher revealed that the data of 267 million Facebook users was exposed online. In 2018, Facebook CEO Mark Zuckerberg was grilled by Congress over Facebook’s role in the Cambridge Analytica scandal, in which a political consulting firm accessed the personal data of nearly 87 million Facebook users.
Here’s what you need to know about the massive data leak and how to safeguard yourself from hackers.
How was the data leaked?
Facebook acknowledged the data leak earlier this week in a blog post, saying that bad actors obtained the data by exploiting a feature in the company’s contact importer tool. People use the tool to upload the phone numbers and contact information stored on their smartphones so they can find those contacts on Facebook.
But a flaw in Facebook’s contact importer tool made it possible for bad actors to see “the phone number linked to every Facebook account,” Gal said. As security researcher Mikko Hypponen pointed out on Twitter, attackers exploited the contact importer flaw to create “an address book with every phone number on the planet and then asked Facebook if his ‘friends’ are on Facebook.”
Facebook said it fixed the contact importer flaw in 2019 after it had learned hackers were exploiting it. The company said that it’s “important” to note that bad actors did not “hack” Facebook’s systems, such as by injecting malicious code that would weaken the company’s security defenses. Instead, the company said, bad actors “scraped” the data from its service, a semantic distinction that critics allege is the company’s attempt to downplay the severity of the data leak.
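The abuse described above looks different from legitimate use on the service side: a real address book is small and sparse, while a generated range is large, densely sequential and mostly misses. The following added example (not Facebook’s code) shows how a defender could flag contact-import clients on those three signals; the request log format, the client names and the thresholds are all assumed.

```python
"""Flag contact-importer clients whose uploads look like phone-number enumeration.
Added example, not Facebook's code; the log format and thresholds are assumed."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class ImportRequest:
    client_id: str
    uploaded: list[str]  # phone numbers submitted in this request
    matched: int         # how many of them mapped to an existing account

MAX_CONTACTS_PER_CLIENT = 5000  # assumed per-client upload budget
MAX_SEQUENTIAL_FRACTION = 0.5   # real address books are sparse, generated ranges are dense
MIN_MATCH_RATE = 0.05           # sweeping a whole number range mostly misses

def sequential_fraction(numbers):
    """Share of adjacent sorted numbers that differ by exactly one."""
    digits = sorted(int(n.lstrip("+")) for n in numbers if n.lstrip("+").isdigit())
    if len(digits) < 2:
        return 0.0
    consecutive = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
    return consecutive / (len(digits) - 1)

def classify(requests):
    """Aggregate per client; return {client_id: [reasons]} for flagged clients."""
    uploaded, matched = defaultdict(set), defaultdict(int)
    for r in requests:
        uploaded[r.client_id].update(r.uploaded)
        matched[r.client_id] += r.matched
    flagged = {}
    for cid, nums in uploaded.items():
        reasons = []
        if len(nums) > MAX_CONTACTS_PER_CLIENT:
            reasons.append("volume")
        if sequential_fraction(nums) > MAX_SEQUENTIAL_FRACTION:
            reasons.append("sequential")
        if len(nums) >= 100 and matched[cid] / len(nums) < MIN_MATCH_RATE:
            reasons.append("low_match_rate")
        if reasons:
            flagged[cid] = reasons
    return flagged

def sample_requests():
    """Constructed log: one genuine importer and one client sweeping a number range."""
    genuine = ImportRequest("phone-user-1", ["+1555123%04d" % (7 * i) for i in range(30)], 20)
    sweep = [ImportRequest("scraper-7", ["+1555%07d" % (1000 * b + j) for j in range(1000)], 30)
             for b in range(10)]
    return [genuine, *sweep]
```

Running `classify(sample_requests())` flags only the sweeping client, on all three signals; in production these checks would sit behind the importer endpoint together with per-client rate limits, not as an after-the-fact report.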
How to know if you were impacted
People can visit the website Have I Been Pwned (HIBP), created by security researcher Troy Hunt, to check whether their email addresses or phone numbers were exposed in the data leak.
Facebook did not say whether it would notify users whose personal data was leaked.
How to protect your data
People who were impacted by the data leak should update their passwords. Facebook said that it’s “working to get this data set taken down,” but it’s unclear how the company would do so since the criminals who scraped the data have already sold it to others, security researcher Gal noted.
Facebook also said that people should enable two-factor authentication on their accounts, so that a second verification step is required to log in, as a way to protect themselves.
Hunt, who operates HIBP, recommends that people use a security service like 1Password to help manage multiple, strong passwords across different apps.