Published June 25, 2025

Facebook data leak: what happened and how to safeguard your information

Since its launch, Facebook has been involved in numerous data breaches and privacy scandals. Despite the company’s tremendous resources to protect user information, it continues to face new incidents year after year. The result is nearly always the same: millions of compromised records that expose users to serious privacy risks. 

As a Facebook user, how do you safeguard your personal data? While you can’t control the platform’s security practices, you can learn from its data breaches. Read on to see how the major Facebook data leak incidents unfolded and explore what you can do to protect your account and information. 

Major Facebook data leaks in focus: 2025 and 2021 

Recently, Facebook, like other social networks such as LinkedIn, has been involved in massive data breaches. Let’s look at the timeline of these events, Facebook’s reaction to them, and the regulators’ response, which reinforced the need for stronger data protection measures.

May 2025: 1.2 billion Facebook records leaked via API scraping

In late May 2025, a post appeared on one of the dark web forums claiming that the data of 1.2 billion Facebook users had been scraped via the platform’s API (a set of rules software systems use to communicate with each other). This could be one of the largest Facebook-related data incidents to date.

The company objected, saying it was not a new claim but one disclosed and addressed years ago. Cybernews researchers investigated a sample of 100,000 records from the published dataset and concluded that it contained real user data. That said, they were unsure if the hackers’ claim about collecting 1.2 billion records was entirely valid.

The verified data sample included:

  • Full names
  • Usernames and user IDs
  • Email addresses
  • Phone numbers
  • Geolocation data
  • Gender
  • Birthdates

May 2025: 184 million login and password credentials exposed, including Facebook

In early May 2025, information security expert Jeremiah Fowler discovered a database of 184 million records, which was neither encrypted nor protected by a password. A limited sample from this dataset contained login and password credentials used for a variety of platforms and services, such as Facebook, Snapchat, Instagram, PayPal, and more.

According to Fowler, the exposed data was collected via infostealer malware designed to steal credentials from browsers and apps. It is unclear how long the data had been accessible before he discovered it. Also, Fowler was unable to identify the owner of the dataset.

Facebook data breach 2024: a third-party internal database leaked

In early 2024, a text message routing company, YX International, leaked an internal database with two-factor authentication codes used by major platforms, including Facebook, Google, and TikTok. The exposed data may have included one-time passcodes and password reset links, though it’s unclear if any unauthorized access occurred. Since the breach stemmed from a third-party provider and there’s limited information about its direct impact on Facebook users, we won’t explore it further but simply remind every social media user that their data is permanently at risk.

April 2021: 533 million users exposed in a Facebook data leak

In April 2021, the information of over 533 million Facebook users was made available for free on a hacking forum, exposing full names, mobile phone numbers, IDs, biographies, locations, email addresses and birthdates. This leak is believed to be connected to the earlier breach reported in 2019, which exposed 419 million records across multiple regions due to a vulnerability in Facebook’s Contact Importer feature. 

Although Facebook claimed to have addressed the vulnerability that same year, the data had already been scraped and later appeared for sale on dark web forums. The scale of the leak caused a lot of concern among privacy and security experts.

To illustrate the impact, Troy Hunt, cybersecurity educator and founder of the HaveIBeenPwned database, introduced phone number lookups alongside email searches, something he hadn’t planned to do until this breach. The feature was meant to help users check whether their numbers had been exposed in the Facebook data leak, and demand for it was enormous as phone numbers made up the bulk of the leaked dataset.

As a result of a comprehensive investigation, Ireland’s Data Protection Commission imposed a €265 million fine on Meta for breaches of the GDPR. Germany’s Federal Court of Justice also considered the incident a significant GDPR violation and ruled that the victims could seek compensation without proving specific damage. 

The table below outlines a detailed timeline of the attack.

| Year | Event |
| --- | --- |
| 2018-2019 | Actors exploited a vulnerability in Facebook’s Contact Importer (a feature allowing users to find other people by phone number). |
| 2019 | Facebook noticed the incident and disabled the feature, but the data had already been stolen. |
| 2020 | The data started appearing in small batches on dark web forums and Telegram bots for sale. |
| January-April 2021 | Security researcher and CTO at Hudson Rock Alon Gal discovered and reported the leak. |
| April 2021 | Actors published the entire stolen dataset on a forum for free. |
| April 2021 | The story appeared in major media outlets, with Facebook saying the issue dated back to 2019 and had already been fixed. |
| April-May 2021 | The Irish Data Protection Commission (DPC) launched an investigation. |
| November 2022 | The DPC as well as Germany’s Federal Court imposed penalties on Facebook under the GDPR. |

Before 2021: a pattern of past Facebook user data exposures

The 2025 and 2021 incidents are far from the only Facebook cyber attacks and data exposures the platform has faced throughout its history. 

2019–2020: Millions of user records exposed in scraping cases and data leaks

  • December 2019 – March 2020: An unprotected database containing 267 million Facebook records (including user IDs, names and phone numbers) was discovered online by Comparitech and security researcher Bob Diachenko at the end of 2019. The team believes it was an illegal scraping event or an exploitation of the Facebook API. The same dataset reappeared on a new server in March 2020, this time with an additional 42 million records. 
  • April 2019: Security researchers discovered that third-party apps collected user data and stored it on unsecured servers — for example, Cultura Colectiva (540 million Facebook-related records exposed) and At the Pool (22,000 users affected).
  • September 2019: An early scraping incident exposed 419 million Facebook user records, such as phone numbers and Facebook IDs, via an unprotected database found online. It’s widely considered a precursor to the even larger 2021 Facebook data leak.

2018 Cambridge Analytica scandal: 87 million Facebook profiles misused for political targeting

In April 2010, Facebook launched the Open Graph platform allowing external developers to request access to users’ personal data. Cambridge academic Aleksandr Kogan created an app called thisisyourdigitallife, which collected data from about 300,000 users, and, through them, the personal information of 87 million others without their consent.

The scandal broke in 2018, when whistleblower Christopher Wylie revealed that the harvested data had been used to target US voters with personalized political ads made to influence their choices.

In 2019, the Federal Trade Commission fined Facebook $5 billion for violating consumers’ privacy by allowing third-party access to user data without proper consent. Facebook apologized but denied it was a data breach, claiming that Kogan accessed the data in a legitimate way but misused it. The company also agreed to develop new measures to boost transparency and hold executives accountable for privacy decisions.

2018 platform and API vulnerabilities

Throughout 2018, Facebook’s vulnerabilities were exploited by attackers multiple times, with some of the most significant events being:

  • September 2018: A vulnerability in the “View as” feature enabled attackers to steal access tokens, compromising 50 million user accounts. An additional 40 million were logged out as a precaution. 
  • December 2018: A Photo API bug allowed access to unshared images of 6.8 million users.

What data was exposed in the massive 2021 and 2025 Facebook data leaks

Below, you’ll find a complete list of the data exposed in the 2021 and 2025 Facebook user data incidents—some of the largest to date, putting hundreds of millions of users at risk.

2021 scraping leak: Facebook user data from 2019 resurfaced

  • Full names
  • Geolocations
  • Phone numbers
  • Birthdates
  • User IDs
  • Email addresses
  • Relationship statuses
  • Bios
  • Account creation dates

May 2025 scraping leak: Facebook user records exposed

  • User IDs
  • Full names
  • Usernames
  • Phone numbers
  • Email addresses
  • Geolocations
  • Gender information
  • Birthdates

May 2025 infostealer database leak: stolen Facebook login data found online

  • Usernames
  • Email addresses
  • Passwords
  • Associated URLs
  • Credentials for multiple platforms and services
  • Sensitive financial and health data

Why Facebook data leaks are as dangerous as hacks

Most of the above-mentioned Facebook data breaches might not qualify as full-scale traditional hacks. Rather, they were scraping events or misuse of features, as they involved the collection of publicly or semi-publicly available data. However, the line between the two is thin, and the risks are still tangible.

Public doesn’t mean safe

More often than not, the Facebook data leaks would expose datasets that were structured and tied to real people, making them a target for cyber crime. 

The risk escalates when data brokers enter the picture. These companies compile and sell detailed personal profiles using information from public sources, marketing databases, and more. Their websites are easy to find and open to anyone. Once a fraudster obtains sensitive data from a dark web leak, they can use broker sites to piece together a more complete profile of you. This combination of leaked and brokered data makes it easier for criminals to succeed at a variety of attacks.

The risks: spam, targeted phishing, SIM-swapping, and account takeover

Here are some of the ways cyber criminals can exploit your exposed data — leaked through Facebook incidents, listed on data brokers, or both:

Spam

Both data brokers and Facebook leaks expose just enough personal data for criminals to create highly effective, targeted spam lists that are likely to bypass filters, because the stolen data belongs to real users. 

Phishing and smishing

Fraudsters can come up with extremely realistic emails and texts, tricking users into thinking they are trustworthy. 

SIM swap attacks 

With such comprehensive data at hand, attackers can take over users’ phone numbers and transfer them to new SIM cards or gain access to other apps and services. 

Credential stuffing

The stolen data enables cybercriminals to use the leaked credentials and emails in an attempt to log in to other accounts, as many people use the same passwords across multiple platforms.

How to check if your data was exposed

During the 2021 data leak, Facebook didn’t notify users, because it couldn’t identify who was affected and generally considered the leaked data to be publicly available information. This kind of neglect serves as a stark reminder for everyone to take the lead in protecting their own sensitive information. A good first step? Check if your data has been compromised.

Use HaveIBeenPwned

Go to the HaveIBeenPwned website and enter your email address to see if it appeared in one of the Facebook data breaches.

Monitor for suspicious activity

Watch out for any suspicious activity on your Facebook or related accounts, such as password reset emails, login alerts or phishing messages.

Search yourself online

Review the web regularly to make sure information on you is as limited as possible. Here are some actionable tips on how to do this right:

  • Search your full name, email address, phone number and username.
  • Use quotation marks — as in [“Name Surname”] — for precise results.
  • Look into the image and news tabs on the search results page.
  • Perform your search across different search engines, not just Google.

How to protect your personal information going forward

Change your password and enable 2FA

Change your password right away, especially if you know your data has been exposed. Don’t use the same password you are using for other platforms. Consider tapping into a password manager to create a strong new password.

Go to Settings and privacy > Settings > Password and security > Two-factor authentication and choose an authenticator app. However, don’t use text message (SMS) codes if your phone number was exposed.

Adjust Facebook privacy settings

Go to Settings > Privacy and limit exposure of your data to a minimum — stick to the safest options, such as “Only me”, “No” and “Off.”

Watch for phishing and scams

Avoid interacting with any emails or texts pretending to be sent from Facebook, always double-check on Facebook directly, and reach out to support for help. Be careful when chatting to other people, especially strangers, but also friends, as their data may have been compromised, too. 

You can find more useful tips on how to spot and avoid Facebook scams here

Be careful with third-party apps connected to Facebook

Go to Settings and privacy > Settings > Apps and websites to remove apps you don’t use or trust from your account.

How Onerep helps protect your personal information

If your personal data has been exposed during a Facebook data leak, it can be exploited. Onerep reduces this risk and helps you restore your privacy by automatically removing your data from multiple data brokers and Google.

Onerep scans 210+ data broker sites to find where your personal information is on public display and removes it for you. This makes it difficult for potential fraudsters to bring pieces of your data together and compromise your accounts.

Once your information has been removed from data broker sites, Onerep doesn’t stop there. It continuously rescans those sites to make sure your data doesn’t reappear, helping you keep it safe over the long term. 

FAQ

Was Facebook hacked in 2024?

Yes, the platform experienced at least two data leaks currently known to the public. The first breach exposed millions of 2FA codes used by multiple platforms, including Facebook. During the second breach, Facebook’s contractor responsible for managing cloud services stole a database containing 200,000 user records from Facebook Marketplace. The leak included phone numbers and email addresses.

What is the Facebook data breach?

The term “Facebook data breach” means a series of events that have happened since the platform’s launch where user data was exposed through hacking, scraping or misuse by third parties.

How do I know if my Facebook data was leaked?

To check if your Facebook data was leaked, you can use the HaveIBeenPwned service, look for suspicious Facebook activity on your account, or review information on you available online.

Can I remove my data from the internet?

Yes, you can use services like Onerep, which does automated, ongoing data removal for you, as opposed to one-off measures, which are often not enough to ensure uninterrupted protection of your privacy.

Mikalai Shershan, Chief Technical Officer at Onerep

Mikalai is a Chief Technical Officer at Onerep. With a degree in Computer Science, he headed the developer team that automated the previously manual process of removing personal information from data brokers, making Onerep the industry’s first fully automated tool to bulk-remove unauthorized profiles from the internet.
