Analysis of a trove of personal data leaked online thanks to lax cyber security and privacy policies implemented at social media giant Facebook has revealed Egypt, the US and Italy as the countries with the highest numbers of affected users.
The leak of data from 533 million accounts produced a total of 2,837,793,637 items of data, which researchers at privacy specialist Surfshark explored to produce its analysis. This averages out at five data points per user, and includes phone numbers, Facebook IDs, full names, locations, birth dates, biographies, and some email addresses.
The accounts of 44,833,547 users in Egypt were leaked, as were those of 35,677,377 Italians, 32,315,282 Americans and 28,804,686 Saudis. The other most affected countries are France, Turkey, Morocco, Colombia, Iraq and South Africa. The dataset includes data on 11,522,327 people in the UK.
Specifics of what exactly was leaked varies from victim to victim. For example, only 4.76% of the profiles had their email addresses exposed, but 89.01% had their mobile phone numbers leaked.
Surfshark’s analysis found the dataset also allows matching names and phone numbers with location data (exposed in 60.58% of cases) and employer names (exposed in 18.3% of cases), putting a great many victims at risk of spear-phishing attempts.
In a blog detailing the researcher’s findings, Surfshark’s Goddy Ray wrote: “This is a call for users to be more cautious of phishing attempts. Whether it’s by SMS, email or other means, always carefully check the sender, beware of any link and file attachments, look out for tell-tale grammar mistakes, and be suspicious of both the tone of urgency and offers that are too good to be true.”
The firm said it was important to note that such is the scale of the Facebook leak that an in-depth analysis is highly complex, so there is a high probability that some of the data contains false positives or discrepancies.
Facebook continues to rebuff calls to apologise for the incident, which occurred some time ago after malicious actors found a way to abuse a contact-finding feature to scrape user data from the website. The vulnerability was sealed soon after it was discovered.
The social media platform has said it does not intend to notify anybody who has had their data leaked as a result of its security lapse, because it is not confident that it has full visibility of which users it would need to contact.