1011+ breaches tracked — check free
EmaiLeaked
travel_explore Email checker lock Password checker database Recent breaches menu_book Data breach guide article Blog group About
search Check my email now
Privacy Terms Contact Editorial standards Disclaimer

Facebook

Medium

In 2019, attackers exploited a vulnerability in a Facebook contact importer tool to scrape personal data from 533 million accounts across more than 100 countries. The information — including phone numbers, full names, email addresses, and dates of birth — was later published freely on an online forum in 2021, making it accessible to anyone without cost.

509.5M
Records exposed
2019
Year
8
Data types
Free
To check
Check if you were affected — free

Quick answer — was Facebook breached?

Yes. Facebook was breached in August 2019, exposing 509,458,528 records including dates of birth, email addresses, employers. This breach has been independently verified. If your email was involved, your data may still be at risk today. Check if you were affected.

What happened in the Facebook data breach?

In 2019, attackers exploited a vulnerability in a Facebook contact importer tool to scrape personal data from 533 million accounts across more than 100 countries. The information — including phone numbers, full names, email addresses, and dates of birth — was later published freely on an online forum in 2021, making it accessible to anyone without cost.

Phone numbers are particularly valuable to attackers because they enable SIM swapping, which can defeat SMS-based two-factor authentication even when a user's password has been changed. The combination of phone numbers, birth dates, and email addresses also provides the raw material for convincing impersonation scams.

Because the data was scraped rather than obtained through a direct database compromise, the incident was initially characterised as less severe. The free publication of the full dataset in 2021 fundamentally changed that assessment, putting 533 million people at risk from bad actors who had never previously had access to the information. Learn more about what a data breach means for you.

Why was the Facebook breach so dangerous?

Phone numbers are particularly valuable to attackers because they enable SIM swapping, which can defeat SMS-based two-factor authentication even when a user's password has been changed. The combination of phone numbers, birth dates, and email addresses also provides the raw material for convincing impersonation scams.

Don't wait to find out — check if your email was exposed in this breach.

What data was stolen in the Facebook breach?

Dates of birth Email addresses Employers Genders Geographic locations Names Phone numbers Relationship statuses

Dates of birth — used to verify identity for account takeover and fraud

Email addresses — used for phishing attacks and credential stuffing against your other accounts

Employers — may be combined with other breach data to build a profile for targeted attacks

Genders — may be combined with other breach data to build a profile for targeted attacks

Geographic locations — may be combined with other breach data to build a profile for targeted attacks

Names — used to build profiles and target you with personalised scams

Phone numbers — enables SIM-swapping attacks and targeted SMS phishing

Relationship statuses — reveals your approximate location and internet provider

Timeline of the Facebook breach

2019

Attackers exploit a flaw in Facebook's contact-importer feature to systematically scrape phone numbers, full names, and other profile data from hundreds of millions of accounts; Facebook patches the vulnerability but does not publicly disclose the scraping

January 2021

A portion of the scraped dataset begins circulating privately and is offered for sale through a Telegram bot

April 3, 2021

The full 533 million record dataset is published freely on a criminal forum — no payment required; any actor can download it

April 6, 2021

Facebook acknowledges the data is genuine but characterises it as "old data" from a 2019 vulnerability that has since been patched, and declines to directly notify affected users

April 2021

Ireland's Data Protection Commission opens a formal investigation; the incident draws regulatory attention across multiple jurisdictions

Is the Facebook breach still dangerous in 2026?

Yes. Stolen data from the Facebook breach remains dangerous years after the incident. Attackers routinely compile data from multiple breaches to build complete profiles, and credentials from 2019 are still actively used in automated attacks today.

Personal information like email addresses, phone numbers, and dates of birth does not expire. Even if you changed your Facebook password, the other exposed data can be combined with information from other breaches to target you. Learn how long stolen data stays dangerous.

What to do if your email was in the Facebook breach

1

Change your Facebook password immediately

Log into Facebook and change your password to something strong and unique — one you have never used anywhere else.

2

Change any account sharing that password

If you reused this password elsewhere, change it on every affected account. Attackers test stolen credentials against hundreds of popular sites within hours.

3

Enable two-factor authentication

Turn on 2FA on Facebook and every important account. Even if your password is known, attackers cannot access the account without the second factor.

4

Check your other accounts for this breach

Run a full email scan to see every breach your address appears in — not just this one.

Check all my breaches — free

Frequently asked about the Facebook breach

What data was actually exposed in the Facebook 533 million record dataset?
The dataset contained phone numbers for the majority of records, alongside full names, Facebook user IDs, dates of birth, location data, and email addresses for a smaller subset. Passwords were not included — this was scraped profile information, not a database breach.
Why are exposed phone numbers so dangerous?
Phone numbers tied to your name and email address give attackers the building blocks for SIM-swap attacks — where a criminal convinces a mobile carrier to transfer your phone number to their device. This lets them receive SMS authentication codes, bypass two-factor authentication, and take over accounts on banking, email, and social media platforms even after password changes.
Did Facebook notify the 533 million affected users?
No. Facebook declined to directly notify affected individuals, stating that the data was old and from a patched vulnerability. Ireland's Data Protection Commission, which serves as the lead EU regulator for Facebook, opened a formal investigation into this decision. Many privacy advocates considered the lack of direct notification a significant failure.
I changed my Facebook password after 2021 — does that protect me?
Changing your password does not help here — passwords were not part of the exposed data. The real risk is the exposure of your phone number, which remains permanently linked to your identity. If your phone number appeared in the dataset, that information cannot be changed and will persist in criminal databases indefinitely. Review the services where you use SMS-based two-factor authentication.

How this breach page is reviewed

Breach pages are built from structured breach records and reviewed for practical risk guidance by EmailLeaked. Risk labels reflect exposed data types and are intended to help readers prioritise action.

Was your email in this breach?

Check if your email appeared in the Facebook breach and 1010+ other known breaches — free, instant, no signup.

Check my email — free

No signup · Under 2 seconds · Never stored

Was my email hacked?

Check if your email is compromised in seconds. Free, private, no signup. Scan millions of breach records across 1011+ known breaches.

Check my email now — it's free

No signup required · Results in under 5 seconds · Your data is never stored