Sarah Biren
April 15, 2021

Facebook Says It’s Your Fault That Hackers Got Half a Billion User Phone Numbers

By now, Facebook is no stranger to massive privacy breaches. Over half a billion users’ data was posted online in a low-level hacking forum. The company originally dismissed this hack, claiming this breach happened in 2019, although the phone numbers, full names, locations, bios, birthdays, and email addresses of their users are still public. [1] But then Facebook avoided the blame, saying it was the users’ fault.

Facebook Blames the Hack on Its Users

This line of defense is an old card for Facebook. They used it back in 2016 for the Cambridge Analytica scandal. Then they tried to claim their security failure was just a breach of their terms of service. Facebook had given Cambridge Analytica the data for 87 million users for political ads — all without the users’ permission. [2]

Facebook’s product management director Mike Clark’s blog post about this new leak sounds similar to their response to Cambridge Analytica. 

“It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019,” Clark wrote. He said this “scraping” occurred through the feature to help users find their friends on the website using their contact list. But this left Facebook wide open for more hacking. 

“Effectively, the attacker created an address book with every phone number on the planet and then asked Facebook if his ’friends’ are on Facebook,” tweeted security expert Mikko Hypponen.

Clark doesn’t explain exactly when this break occurred or how many times. He does say that Facebook fixed the problem in August 2019. However, Inti De Ceukelaire, an ethical hacker from Belgium, warned Facebook about this opening for hackers in 2017. In his tweet, he included Facebook’s response, which dismissed his concern, essentially saying that if people don’t want to partake in this feature, they should set their “Who can look me up” setting to “Private.” [3]

The company also hasn’t commented on why users who deleted their accounts before 2018 still had their phone numbers leaked.

Why Does Facebook Collect Users’ Data?

Facebook requires a phone number, among other personal information, to open an account. The company initially claimed it was for security reasons. As it turns out, the “security” was not for the benefit of the users. Facebook used this information to sell ads and target more users. According to the Federal Trade Commission (FTC), which deemed this blight worth a $5 million fine, this is a breach of trust. But according to Facebook, if users don’t want their private information — information needed to set up an account — to be shared, they should change their settings.

“While we addressed the issue identified in 2019, it’s always good for everyone to make sure that their settings align with what they want to be sharing publicly,” Clark wrote. “In this case, updating the ‘How People Find and Contact You’ control could be helpful. We also recommend people do regular privacy checkups to make sure that their settings are in the right place, including who can see certain information on their profile and enabling two-factor authentication.”

Facebook’s settings menus are not easy to navigate. But according to the $300 billion company, it’s up to the users to protect their own data.

The Danger of Leaked Data

Cybercriminals use leaked data to impersonate people or trick them into giving their login information, according to Alon Gal, the chief technology officer of the cybercrime intelligence firm Hudson Rock. “A database of that size containing the private information such as phone numbers of a lot of Facebook’s users would certainly lead to bad actors taking advantage of the data to perform social-engineering attacks [or] hacking attempts.” 

Gal said that although there isn’t much Facebook could do to help people after the hack, they should notify the affected users to be aware of frauds or scams. 

“Individuals signing up to a reputable company like Facebook are trusting them with their data, and Facebook [is] supposed to treat the data with utmost respect,” Gal said. “Users having their personal information leaked is a huge breach of trust and should be handled accordingly.” [4]

Cybersecurity consultant Troy Hunt uploaded the database onto Have I Been Pwned. This website allows people to check the security of their data. For more information on how to check on your data, check out this post. People could also take advice from Mark Zuckerberg himself. He uses a secure messaging app called Signal. Unlike Messenger, it is not owned by Facebook.


  1. “Facebook says data from 530M users was obtained by scraping, not hack.” CNET. Rae Hodge. April 7, 2021.
  2. “Facebook and Cambridge Analytica: What You Need to Know as Fallout Widens.” The New York Times. Kevin Granville. March 19, 2018.
  3. “Facebook Says It’s Your Fault That Hackers Got Half a Billion User Phone Numbers.” Vice. David Gilbert. April 7, 2021.
  4. “533 million Facebook users’ phone numbers and personal data have been leaked online.” Insider. Aaron Holmes. April 3, 2021.