Facebook 2019 Data Breach

Facebook Contact Importer API Scrape (2019): 481 Million User Profiles Including Phone & DOB Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Social EngineeringSocialDate of BirthEmail AddressEmployerFull NameGenderGeographic LocationPhone NumberRelationship Status
Low SeverityWebsite / service breach

Facebook Contact Importer API Scrape (2019): 481 Million User Profiles Including Phone & DOB Exposed

Social networking platform owned by Meta.

Verified by ObscureIQ Intelligence
23/100Breach Risk Index
5Data Value
25Market Recency
512dSince Breach

Breach Intelligence Summary

Entity: Facebook · Actor: Unknown · Sources: 6 references
Attack: Social Engineering
Profile: Company · Social media and digital advertising · Multi-platform social ecosystem · Global
Timeline: Breach (2019-08-01) · Indexed (Dec 01, 2024) · Year (2019)
Exposure: 481.7M records · 8 fields: Date of Birth, Email Address, Employer, Full Name, Gender, Geographic Location, Phone Number, Relationship Status
Status: Confirmed

Executive Summary

Facebook's contact importer feature was exploited by attackers who abused the tool to enumerate and scrape profile data at scale. The technique allowed them to link phone numbers to individual Facebook accounts, building a detailed dataset covering 481.7 million users across multiple countries. The scraped data was collected before September 2019, when Facebook altered the feature. The dataset later surfaced publicly on a cybercrime forum in 2021, substantially widening its exposure. The exposed records included names, phone numbers, dates of birth, email addresses, employers, genders, geographic locations, and relationship statuses. The combination of phone numbers with identity details is particularly harmful. It enables phishing, impersonation, SIM-swap-adjacent attacks, and highly targeted social engineering. Even without passwords or financial data, this field set is enough to build convincing fraudulent profiles of real people and to correlate their identities across other platforms and data sources. Facebook chose not to notify affected users individually, citing the age of the data and difficulty in identifying specific accounts. In November 2024, a German court ruled that users affected by the breach were entitled to compensation, marking a concrete legal consequence years after the exposure. People whose data was included remain at ongoing risk, as scraped datasets of this kind circulate indefinitely. Anyone who had a Facebook account active before 2019 should treat their phone number and associated profile details as potentially compromised and be alert to unsolicited calls, messages, or account recovery attempts using that information.

ObscureIQ assessment: Severe risk due to breadth and linkage power. Exposure enables harassment, phishing, identity correlation, stalking, and highly detailed profiling of personal relationships and behavior.

Breach Impact

The 2019 Facebook incident is widely described as a mass scraping exposure rather than a classic internal database intrusion. Meta said the data was scraped from profile information through abuse of the contact importer before September 2019 and that it changed the feature in 2019; HIBP says the dataset later circulated publicly in 2021 and included over 500 million users, with phone-number-to-identity linkage as the most valuable element. That made the breach especially useful for phishing, impersonation, account targeting, SIM-swap-adjacent abuse, and broader identity correlation at enormous scale. �

About Facebook

Facebook is the flagship social platform within Meta’s broader consumer ecosystem. It combines social networking, groups, messaging-adjacent interaction, marketplace activity, creator distribution, and advertising into a global platform built around identity, engagement, and large-scale behavioral targeting. �

Why They Hold Your Data

Large social-media ecosystems collect user identity, contact details, social graphs, messages, posts, location-linked activity, ad-targeting signals, and business or creator records across multiple services.

Recent Developments

More recently, Facebook has continued to evolve inside Meta’s AI-heavy product strategy. Recent official announcements show Meta adding AI features to Facebook products, including creator-growth tools, Marketplace assistance, and profile-related generative features, while Meta more broadly frames 2025 to 2026 as a period of AI-driven product and infrastructure expansion. �

Data Points Exposed

8 verified field types
Date of Birth High
Email Address
Employer
Full Name High
Gender
Geographic Location
Phone Number
Relationship Status

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:Critical
Primary downstream threats:
  • Identity verification bypass using name + date of birth combination
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
  • Employment-based social engineering using job and employer data
Threat vectors:
  • Identity verification bypass
  • Phishing, credential stuffing & account takeover
  • Business Email Compromise seeding
  • Name-based social engineering
  • Profile enrichment
  • Pattern-of-life analysis & physical surveillance
  • SIM swapping, vishing & SMS phishing
  • Social engineering context

Recommended Actions

If you believe your information may be included:

Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the Facebook breach?

Facebook's contact importer feature was exploited by attackers who abused the tool to enumerate and scrape profile data at scale. The technique allowed them to link phone numbers to individual Facebook accounts, building a detailed dataset covering 481.7 million users across multiple countries. The…

What data was exposed?

Verified fields include Date of Birth, Email Address, Employer, Full Name, Gender, Geographic Location, Phone Number, Relationship Status.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
DataBreach.com
Record & field corroboration
Breach Index
Have I Been Pwned
Record & field corroboration
Cross-source
9ghz
Independent catalogue listing
Cross-source
BreachForums_Official_Index
Independent catalogue listing
Cross-source
Dehashed
Independent catalogue listing
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation