Your phone number on Facebook may have been exposed: Here's how to check

James Cook
Facebook chief executive Mark Zuckerberg - AP

The leak of personal data of more than half a billion Facebook users may be more serious than thought because it contained private phone numbers that were hidden on profiles.

It comes after records for around 533 million Facebook users, including phone numbers belonging to more than 11.5 million UK residents, were dumped online on Saturday as part of a huge Facebook security breach.

It was previously believed the exposed phone numbers were ones that users had featured on their profiles.

However, Ashkan Soltani, the former chief technologist of the US Federal Trade Commission (FTC), wrote on Twitter that he had found a "second category of info" that has been breached.

“I found two different phone numbers entries for me in the [Facebook] breach,” he wrote. “I list only one [of] those phone numbers in my 'profile'.”

"Plenty of people use different, more sensitive numbers for account recovery purposes which they wouldn't make viewable to even friends."


The leak of a private phone number does not hand hackers access to accounts, but it can help them discover which phone numbers they need to spoof in order to break through two-factor authentication.

“This is a big deal if it wasn't just the public profile phone number but the account recovery [phone number],” Jason Kint, the head of the Digital Content Next trade association, wrote online, “these two are not always the same and when they're not it's also frequently for sensitive/security reasons.”

Facebook users can check if their data was included in the breach by entering their email address or phone number into the haveibeenpwned.com website. Only 2.5m entries from the leak included email addresses, however.

Facebook data breach lookup guide

The Irish Data Protection Commission (DPC) is reviewing the incident. "Facebook assures the DPC it is giving highest priority to providing firm answers to the DPC," it said in a blog post about the leak.

Facebook previously acknowledged that it had used private phone numbers, supplied for logging into the site, for advertising and to help people find friends. It ended the practice in 2019 in connection with a $5bn (£3.6bn) settlement it made with the FTC.

Private phone numbers belonging to celebrities and other high-profile figures were allegedly included in the leak of data. No passwords were included in the leak.

A phone number listed as belonging to Facebook chief executive Mark Zuckerberg was included in the breach and was linked to an account on messaging app Signal, a rival to Facebook-owned WhatsApp.


“This is old data that was previously reported on in 2019,” a Facebook spokesperson wrote in an email statement on Saturday. “We found and fixed this issue in August 2019.”

At the time, the company addressed a flaw in its technology that allowed the information to leak out. However, once such data escapes from Facebook’s network, the company has limited power to stop it from spreading online.

A Facebook spokesman did not respond to a request for comment.