In April 2021, data from over 533 million Facebook users was published freely online — including millions of Australians. Unlike many breaches, this data wasn’t stolen by hacking: it was scraped from Facebook’s systems using a feature Facebook has since patched, then compiled and released publicly.

What Was Exposed?

  • Phone numbers (the most significant exposure)
  • Full names
  • Facebook user IDs
  • Birthdates
  • Locations
  • Email addresses (for some accounts)
  • Relationship status and employer information

The phone number exposure was particularly significant because many Australians use their mobile number as a backup for account recovery, which links this breach to potential account takeovers across banking, email, and government services.

Am I Affected?

If you had a Facebook account before 2019, there’s a high probability your phone number was in this dataset — even if you had privacy settings enabled. The data was scraped by exploiting Facebook’s contact import feature.

Check if your email appears in breach databases →

You can also check your phone number specifically at haveibeenpwned.com/PhoneNumbers.
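If you would rather check a number from a script than paste it into the website, the following is an added example (not code from this page, from Facebook, or from Have I Been Pwned). It assumes HIBP's v3 breachedaccount endpoint, which takes an email address or a phone number in international format and requires an API key; the key is read from an environment variable I named HIBP_API_KEY. The normalisation step matters because Australians write mobiles as 0412 345 678 while the Facebook dataset and HIBP both use the international form +61412345678.

```python
import json
import os
import re
import sys
import urllib.error
import urllib.request
from typing import Optional
from urllib.parse import quote

# Real HIBP v3 endpoint; a paid API key is required for account lookups.
HIBP_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/"


def normalise_au_mobile(raw: str) -> str:
    """Convert an Australian mobile written any of the usual ways
    ('0412 345 678', '+61 412-345-678', '61412345678', '0061 412 345 678')
    to E.164 ('+61412345678'). Raises ValueError for anything that is not
    a plausible AU mobile, e.g. a landline such as '02 9876 5432'."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("0061"):      # old-style international prefix
        digits = digits[2:]
    if digits.startswith("61"):        # country code already present
        digits = digits[2:]
    national = digits.lstrip("0")      # drop the trunk prefix 0 if any
    # AU mobiles are 04xx xxx xxx: nine digits after the trunk 0, first is 4
    if len(national) != 9 or national[0] != "4":
        raise ValueError(f"not an Australian mobile number: {raw!r}")
    return "+61" + national


def check_hibp(account: str, api_key: str) -> Optional[list]:
    """Look `account` up in HIBP. Returns the list of breach names it appears
    in, [] if HIBP reports none, or None if the lookup could not complete
    (bad key, rate limit, network error). HIBP signals 'not found' with 404."""
    req = urllib.request.Request(
        HIBP_URL + quote(account, safe=""),   # '+' must be percent-encoded
        headers={"hibp-api-key": api_key,
                 "user-agent": "au-breach-check-example"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            # Default (truncated) response: a list of {"Name": ...} objects
            return [breach["Name"] for breach in json.load(resp)]
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return []
        return None
    except urllib.error.URLError:
        return None


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: hibp_phone_check.py <australian mobile number>")
    number = normalise_au_mobile(sys.argv[1])
    key = os.environ.get("HIBP_API_KEY")   # name chosen for this example
    if not key:
        sys.exit(f"normalised to {number}; set HIBP_API_KEY for the live lookup")
    result = check_hibp(number, key)
    if result is None:
        print("lookup failed (check key, rate limit or connectivity)")
    elif not result:
        print(f"{number}: not found in any HIBP breach")
    else:
        print(f"{number}: found in {', '.join(result)}")
```

Run it as `python hibp_phone_check.py "0412 345 678"`. Without a key it only prints the normalised number, which is still useful for confirming what to paste into the web form; with a key it reports the breach names, and a result containing "Facebook" means the number is in the dataset this page describes.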

Why This Breach Is Still Relevant in 2024

The data was published in 2021 but has been widely redistributed. It now appears on multiple platforms and databases. Your phone number from this breach is likely still actively circulating.

This matters because:

  • SIM swap attackers use phone numbers from this breach
  • Scammers combine it with other Australian breach data (Optus, Medibank) for targeted attacks
  • The combination of name + phone + location enables convincing impersonation scams

What to Do

  1. Switch your Facebook account recovery and two-factor authentication to an authenticator app, and remove your phone number as a 2FA method if possible; if you must keep SMS, make sure your carrier has SIM swap protection enabled on your account
  2. Review your Facebook privacy settings — limit who can look you up by phone number
  3. Contact your carrier about SIM swap PIN protection (Telstra, Optus, Vodafone all offer this)
  4. Be alert to scam calls that know your name and details — the Facebook data made targeted phishing extremely accessible

Facebook’s Response

Facebook (Meta) initially downplayed the breach, describing it as “old data.” The Irish Data Protection Commissioner fined Meta €265 million in 2022 for GDPR violations related to the scraping. No equivalent Australian enforcement action was taken.

Get a Full Privacy Picture

The Facebook breach is just one of many. Check all your exposure in one place: Free breach check →

For a full assessment and personalised action plan: DataGuard Personal Audit — $99 →