Facebook 533M scraped records leak
Data on 533 million Facebook users from 106 countries — including phone numbers, Facebook IDs, full names, locations, birthdates, and some email addresses — was posted free on a low-level hacking forum. The data had been scraped via a contact-importer flaw Facebook patched in 2019.
- Victim: Facebook
- Loss: $290.0M
- Records: 533.0M
- Users: 533.0M
On 3 April 2021, a dataset containing personal information on 533 million Facebook users across 106 countries was posted for free on a low-level hacking forum. Surfaced publicly by security researcher Alon Gal, the trove included phone numbers, Facebook IDs, full names, locations, birthdates, relationship statuses, and — for a subset — email addresses. It represented roughly 20% of Facebook's user base at the time.
What happened
The data was not stolen in a conventional intrusion. It was scraped by abusing Facebook's contact-importer feature, which was designed to help users find friends by uploading their phone contacts. By feeding the importer enormous lists of phone numbers and harvesting the matching profile data returned, attackers were able to associate millions of phone numbers with real Facebook accounts and their public-profile fields.
The scraping occurred before September 2019, when Facebook identified the flaw and patched the contact-importer behaviour. The dataset then circulated privately within criminal markets — at one point accessible through a paid Telegram lookup bot — before being dumped in full and for free in April 2021.
What was exposed
The records included, depending on the user:
- Phone number (the central and most damaging field, since phone numbers are rarely changed and widely used for account recovery and SIM-swap targeting).
- Facebook ID, full name, gender, and location/hometown.
- Birthdate and relationship status.
- Email address for a minority of records.
Notably, passwords and financial data were not part of the dataset.
Impact
- 533 million users exposed, including roughly 32 million U.S., 11 million U.K., and millions more across Europe, the Middle East, and Asia.
- Because phone numbers are durable identifiers, the leak fueled smishing, phishing, and SIM-swap campaigns for years afterward.
- Facebook declined to notify affected individuals, arguing the data was scraped rather than breached — a stance widely criticized.
- In November 2022, Ireland's Data Protection Commission fined Meta €265 million (~$290 million) for failing to implement data-protection-by-design and -by-default measures under the GDPR.
Why it matters
The incident drew a sharp public line between "hacking" and "scraping" — and exposed how little that distinction matters to affected users. Whether data is exfiltrated through an intrusion or systematically pulled through an abused legitimate feature, the harm is identical once it is dumped publicly. The case established that enumerable lookup features are a breach surface in their own right, that platforms can be held liable under the GDPR for failing to design against bulk scraping, and that phone numbers — long treated as low-sensitivity — are in fact among the most durable and exploitable identifiers a platform can leak.
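As an added illustration of the kind of control that treats a lookup feature as a breach surface (example code written for this page, not Facebook's code), the following applies a sliding-window upload budget to contact-importer telemetry and flags accounts that behave like enumeration runs rather than one-off address-book syncs. The log format, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample contact-importer log (not real Facebook telemetry).
# Fields: timestamp, uploading account, contacts uploaded, contacts that matched a profile.
SAMPLE_LOG = """\
2019-08-01T10:00:00Z acct-1001 uploaded=180 matched=95
2019-08-01T10:05:00Z acct-1001 uploaded=20 matched=12
2019-08-01T10:00:00Z acct-9999 uploaded=500 matched=410
2019-08-01T10:01:00Z acct-9999 uploaded=500 matched=405
2019-08-01T10:02:00Z acct-9999 uploaded=500 matched=398
2019-08-01T10:03:00Z acct-9999 uploaded=500 matched=412
2019-08-01T10:04:00Z acct-9999 uploaded=500 matched=401
"""

# Assumed per-account budget inside a sliding one-hour window. A genuine address book is
# uploaded once and rarely holds thousands of numbers; a bulk lookup sends far more.
MAX_CONTACTS_PER_WINDOW = 2000
MAX_UPLOADS_PER_WINDOW = 4

def parse_line(line):
    ts, acct, uploaded, matched = line.split()
    return (datetime.fromisoformat(ts.replace("Z", "+00:00")), acct,
            int(uploaded.split("=")[1]), int(matched.split("=")[1]))

def flag_bulk_importers(log_text, window=timedelta(hours=1)):
    """Return {account: stats} for accounts exceeding the upload budget in any window."""
    per_acct = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, acct, uploaded, matched = parse_line(line)
            per_acct[acct].append((ts, uploaded, matched))
    flagged = {}
    for acct, events in per_acct.items():
        events.sort()
        start = 0
        for i, (ts, _, _) in enumerate(events):
            # Advance the window start until every event in it lies within `window` of ts.
            while events[start][0] < ts - window:
                start += 1
            in_window = events[start:i + 1]
            contacts = sum(e[1] for e in in_window)
            if contacts > MAX_CONTACTS_PER_WINDOW or len(in_window) > MAX_UPLOADS_PER_WINDOW:
                flagged[acct] = {"uploads": len(in_window), "contacts": contacts,
                                 "matched": sum(e[2] for e in in_window)}
                break  # the first violation is enough to raise an alert
    return flagged

if __name__ == "__main__":
    for acct, stats in flag_bulk_importers(SAMPLE_LOG).items():
        print(f"ALERT {acct}: {stats}")
```

The same budget check can run inline before the importer returns matches, so an account over budget gets no profile data back instead of merely generating an alert after the fact.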
Financial impact
Reported costs in USD
- Fines & settlements: $290.0M
Timeline
- Before September 2019: Attackers abuse Facebook's contact-importer feature at scale, querying it with large sets of phone numbers to map them to user profiles.
- September 2019: Facebook identifies and patches the contact-importer vulnerability after becoming aware it was being exploited.
- 2019 to 2021: The scraped dataset circulates privately and is sold among cybercriminals; portions appear in a Telegram-based lookup bot.
- 3 April 2021: The full dataset of 533 million records is posted for free on a low-level hacking forum, publicized by researcher Alon Gal.
- April 2021: Facebook states it will not individually notify affected users, characterizing the data as scraped rather than hacked.
- November 2022: Ireland's Data Protection Commission fines Meta €265 million for GDPR data-protection-by-design failures related to the scraping.
Sources
- washingtonpost.com: https://www.washingtonpost.com/business/2021/04/03/facebook-data-leak-insider/
- npr.org: https://www.npr.org/2021/04/09/986005820/after-data-breach-exposes-530-million-facebook-says-it-will-not-notify-users
- technologyreview.com: https://www.technologyreview.com/2021/04/07/1021892/facebook-data-leak/
- theregister.com: https://www.theregister.com/2021/04/05/facebook_data_dump_update/