Egypt, Italy and US most affected in Facebook leak

Researchers at VPN firm Surfshark have been analysing data on 533 million people leaked from Facebook

Analysis of a trove of personal data leaked online thanks to lax cyber security and privacy policies implemented at social media giant Facebook has revealed Egypt, the US and Italy as the countries with the highest numbers of affected users.

The leak of data from 533 million accounts produced a total of 2,837,793,637 items of data, which researchers at privacy specialist Surfshark explored to produce their analysis. This averages out at five data points per user, and includes phone numbers, Facebook IDs, full names, locations, birth dates, biographies, and some email addresses.

The accounts of 44,833,547 users in Egypt were leaked, as were those of 35,677,377 Italians, 32,315,282 Americans and 28,804,686 Saudis. The other most affected countries are France, Turkey, Morocco, Colombia, Iraq and South Africa. The dataset includes data on 11,522,327 people in the UK.

The specifics of what exactly was leaked vary from victim to victim. For example, only 4.76% of the profiles had their email addresses exposed, but 89.01% had their mobile phone numbers leaked.

Surfshark’s analysis found the dataset also allows matching names and phone numbers with location data (exposed in 60.58% of cases) and employer names (exposed in 18.3% of cases), putting a great many victims at risk of spear-phishing attempts.

In a blog detailing the researchers’ findings, Surfshark’s Goddy Ray wrote: “This is a call for users to be more cautious of phishing attempts. Whether it’s by SMS, email or other means, always carefully check the sender, beware of any link and file attachments, look out for tell-tale grammar mistakes, and be suspicious of both the tone of urgency and offers that are too good to be true.”

The firm said it was important to note that such is the scale of the Facebook leak that an in-depth analysis is highly complex, so there is a high probability that some of the data contains false positives or discrepancies.

Facebook continues to rebuff calls to apologise for the incident, which occurred some time ago after malicious actors found a way to abuse a contact-finding feature to scrape user data from the website. The vulnerability was sealed soon after it was discovered.

The social media platform has said it does not intend to notify anybody who has had their data leaked as a result of its security lapse, because it is not confident that it has full visibility of which users it would need to contact.

Read more about the Facebook leak

  • Regulators may be unable to do much about leaked data on 533 million Facebook users, as it seems to have been stolen before GDPR came into force.
  • Facebook gives its side of the story as data on millions of its users leaks, but is yet to apologise for security lapses that put half a billion people at risk of compromise.
