Facebook data leak: Have I Been Pwned allows users to see if their details have been exposed – but is it safe?
A new online tool allows social media users to determine whether their personal details were compromised by a recent Facebook data breach.
Have I Been Pwned? (HIBP) gives internet users the opportunity to check whether their phone numbers or email addresses were exposed in that leak, and a large number of other online data breaches.
The personal details of over 530 million people worldwide were exposed when a database containing them was posted online.
Facebook says the details combed through by the online tool are from an “old” breach that took place in 2019 and has since been rectified, but a number of privacy watchdogs have launched investigations.
Here is everything you need to know about it.
The social network says a 2019 data leak was "found and fixed" more than 18 months ago.
The breach was not widely known about at the time, and it is not even clear whether that incident is the source of the personal details now circulating online: the database of affected accounts has appeared on a hacking forum, where it is available for free.
“Facebook is yet to put out a clear position on this,” said Troy Hunt, the security expert who runs HIBP.
“They've alluded to a 2019 incident being the root cause, but that doesn't go far enough to explain the data in circulation,” he told the BBC. “There's a vacuum of information right now, and that vacuum is being filled with a lot of speculation.”
Ireland's Data Protection Commission said it was working with the tech firm to establish if “the dataset referred to is indeed the same as that reported in 2019”.
How many accounts are affected?
Whether fixed or not, the 2019 breach will be worrying to many users, with over 530 million people affected across more than 100 countries worldwide according to researchers.
In the UK, it is estimated that 11 million Facebook account holders became victims of the leak.
It’s also alleged that Facebook founder Mark Zuckerberg was one of the many millions of people whose personal phone numbers were leaked online.
"This is the number associated with his account from the recent Facebook leak," security expert Dave Walker tweeted, in a post which revealed Zuckerberg is also a member of Signal, an encrypted messaging service and a direct competitor to the Facebook-owned WhatsApp.
The data leak is not thought to include the full account details of those affected, but 500 million phone numbers were compromised, alongside “a few million email addresses”.
That’s according to Hunt, who said including phone numbers in searches through the tool previously “didn't make sense for a bunch of reasons”, but the Facebook leak “completely turned all my reasons” for not doing so “on its head”.
How does it work and is it safe?
The tool is about as simple and user-friendly as you can imagine.
Simply enter the phone number or email address you want to check, and HIBP will search its database to see whether your details appear in any of the data leaks it has loaded.
It doesn't just cover major leaks such as Facebook's, but also smaller breaches from under-the-radar sites and services that ask users to hand over their private details.
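To make the "is it safe?" question concrete: a lookup like the one described above necessarily sends your email address or phone number to the service, which is exactly why Hunt says trust cannot be proven. HIBP's separate Pwned Passwords API avoids that problem with a range (k-anonymity) query, where the client sends only the first five hex characters of a SHA-1 hash and matches the returned suffixes locally. The following is an added example written for this article, not HIBP's own code; it models that range-query design over a constructed list of breached identifiers (`BREACHED_IDENTIFIERS`, fake data) so you can see what each side learns. The phone-number normalisation assumes numbers are given in international format with a leading `+`.

```python
import hashlib

# Constructed sample "breach corpus" for the demo. These are not real leaked records.
BREACHED_IDENTIFIERS = {
    "alice@example.com",
    "+447700900123",
    "bob@example.org",
}

# Number of hex characters the client reveals to the server.
# HIBP's Pwned Passwords range API uses a 5-character SHA-1 prefix.
PREFIX_LEN = 5


def normalize(identifier):
    """Canonicalise an identifier before hashing so that cosmetic
    differences (case, spaces, dashes) do not defeat the lookup.

    E-mail addresses are lower-cased; phone numbers are reduced to
    '+' followed by digits only (assumes international format)."""
    s = identifier.strip()
    if "@" in s:
        return s.lower()
    digits = "".join(ch for ch in s if ch.isdigit())
    return "+" + digits


def sha1_hex(identifier):
    """Upper-case hex SHA-1 of the normalised identifier (40 characters)."""
    return hashlib.sha1(normalize(identifier).encode("utf-8")).hexdigest().upper()


def build_index(identifiers):
    """Server side: bucket every breached identifier's hash by its prefix.
    The server stores hashes, never the cleartext identifiers."""
    index = {}
    for ident in identifiers:
        h = sha1_hex(ident)
        index.setdefault(h[:PREFIX_LEN], []).append(h[PREFIX_LEN:])
    return index


def server_range(index, prefix):
    """Server side: answer a range query. The server only ever sees the
    prefix, so it cannot tell which identifier (if any) the client holds."""
    return sorted(index.get(prefix.upper(), []))


def client_check(identifier, index):
    """Client side: hash locally, send only the prefix, and compare the
    returned suffixes against the locally held suffix."""
    h = sha1_hex(identifier)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return suffix in server_range(index, prefix)


def breached_prefix(identifier):
    """What the server learns about a query: just the hash prefix."""
    return sha1_hex(identifier)[:PREFIX_LEN]


if __name__ == "__main__":
    idx = build_index(BREACHED_IDENTIFIERS)
    for probe in ("Alice@Example.com", "+44 7700 900123", "carol@example.com"):
        print(probe, "->", "pwned" if client_check(probe, idx) else "not found",
              "(server saw prefix", breached_prefix(probe) + ")")
```

The point of the split between `server_range` and `client_check` is that the server's view is limited to `breached_prefix`, five hex characters shared by a huge number of possible inputs. The email and phone search discussed in this article does not work this way: the address itself is the query, so the caveat Hunt gives applies in full.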
As to whether you should trust the tool not to be harvesting email addresses of its own for nefarious gain, Hunt says there is no way to prove to anxious users that the site isn’t, but “it's not.”
"The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach," he says. “As with any website, if you're concerned about the intent or security, don't use it.”
I haven’t been ‘pwned’, so can I carry on?
Though HIBP aims to keep an up to date database of breaches with as much data as possible, it contains “but a small subset of all the records that have been breached over the years”, according to its FAQs page.
"Many breaches never result in the public release of data and indeed many breaches even go entirely undetected,” it says.
"'Absence of evidence is not evidence of absence', or in other words, just because your email address wasn't found here doesn't mean that it hasn't been compromised in another breach."