CRITICAL SEVERITY | Social

Facebook Data Breach

Facebook Contact Importer API Scrape (2019): 481 Million User Profiles Including Phone & DOB Exposed

Social networking platform owned by Meta.

Verified by ObscureIQ Intelligence

Severity: 8.0
Records: 481.7M
Fields: 8
Year: 2019

ObscureIQ Breach Intelligence Scores
Breach Risk Index: 1.3
Data Value: 5
Market Recency: 25
Since Breach: 512 days

Risk Interpretation

Severe risk due to breadth and linkage power. Exposure enables harassment, phishing, identity correlation, stalking, and highly detailed profiling of personal relationships and behavior.

🎯 Impact & Downstream Threats

The 2019 Facebook incident is widely described as a mass scraping exposure rather than a classic internal database intrusion. Meta said the data was scraped from profile information through abuse of the contact importer before September 2019 and that it changed the feature in 2019; HIBP says the dataset later circulated publicly in 2021 and included over 500 million users, with phone-number-to-identity linkage as the most valuable element. That made the breach especially useful for phishing, imp

Primary downstream threats:
  • Identity verification bypass using name + date of birth combination
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
  • Employment-based social engineering using job and employer data

🔓 Threat Vectors

Identity verification bypass
Phishing, credential stuffing & account takeover
Business Email Compromise seeding
Name-based social engineering
Profile enrichment
Pattern-of-life analysis & physical surveillance
SIM swapping, vishing & SMS phishing
Social engineering context

📋 Breach Intelligence

Entity: Facebook (Meta Platforms)
Organization: Public Company • USA / Global
Breach Date: 2019-08-01
DBC Added: 2024-12-01
Added Date: 2024-12-01
Records: ~481.7M (481,733,902 records)
Attack Vector: Social Engineering
Data Subjects: User
Breach Pathway: Scrape
Source: Have I Been Pwned / DataBreach.com / ObscureIQ
Sensitivity: Standard
Breach ID: 496;497
Status: Confirmed

📝 Executive Summary

Facebook's contact importer feature was exploited by attackers who abused the tool to enumerate and scrape profile data at scale. The technique allowed them to link phone numbers to individual Facebook accounts, building a detailed dataset covering 481.7 million users across multiple countries. The scraped data was collected before September 2019, when Facebook altered the feature. The dataset later surfaced publicly on a cybercrime forum in 2021, substantially widening its exposure.

The exposed records included names, phone numbers, dates of birth, email addresses, employers, genders, geographic locations, and relationship statuses. The combination of phone numbers with identity details is particularly harmful. It enables phishing, impersonation, SIM-swap-adjacent attacks, and highly targeted social engineering. Even without passwords or financial data, this field set is enough to build convincing fraudulent profiles of real people and to correlate their identities across other platforms and data sources.

Facebook chose not to notify affected users individually, citing the age of the data and difficulty in identifying specific accounts. In November 2024, a German court ruled that users affected by the breach were entitled to compensation, marking a concrete legal consequence years after the exposure.

People whose data was included remain at ongoing risk, as scraped datasets of this kind circulate indefinitely. Anyone who had a Facebook account active before 2019 should treat their phone number and associated profile details as potentially compromised and be alert to unsolicited calls, messages, or account recovery attempts using that information.

🏢 About Facebook

Facebook is the flagship social platform within Meta’s broader consumer ecosystem. It combines social networking, groups, messaging-adjacent interaction, marketplace activity, creator distribution, and advertising into a global platform built around identity, engagement, and large-scale behavioral targeting.

Company | Social media and digital advertising | Multi-platform social ecosystem | Global
Public Company | USA / Global | facebook.com

🗂 Why They Hold Your Data

Large social-media ecosystems collect user identity, contact details, social graphs, messages, posts, location-linked activity, ad-targeting signals, and business or creator records across multiple services.

📰 Recent Developments

More recently, Facebook has continued to evolve inside Meta’s AI-heavy product strategy. Recent official announcements show Meta adding AI features to Facebook products, including creator-growth tools, Marketplace assistance, and profile-related generative features, while Meta more broadly frames 2025 to 2026 as a period of AI-driven product and infrastructure expansion.

🔍 Data Points Exposed

8 verified field types:
Dates of birth
Email
Employers
Genders
Geographic locations
Names
Phone numbers
Relationship statuses

Exposure Categories

Location: GEO LOCS
Employment: EMPLOYER

Canonical Fields

date_of_birth, email_address, employer, full_name, gender, geographic_locations, phone_number, relationship_status

🌐 Dark Web Verification

Confirmed
  • Dataset containing ~481.7M records identified in breach intelligence sources
  • Data indexed and searchable across breach notification platforms
  • Source: facebook.com-2019;Facebook Data Breach

🛡 Recommended Actions

⚠️ Do not assume this is low sensitivity.

1. Freeze Your Credit
   Place a credit freeze with Equifax, Experian, and TransUnion.
2. Expect Targeted Phishing
   Watch for emails referencing this breach. Verify through official channels.
3. Enable MFA Everywhere
   Enable multi-factor authentication on all accounts.
4. Monitor Accounts
   Watch for unauthorized activity on financial and personal accounts.
5. Check Your Exposure
   ObscureIQ clients: this breach is indexed in your profile.

ObscureIQ Advisory

We combine proprietary dark web access with commercial and restricted breach intelligence to verify exposure and assess real-world risk.

Classification Tags

Social Engineering | Social | Email | Phone | DOB
