Skip to Main Content

How to know if your phone number was leaked in massive Facebook data breach

The phone numbers and email addresses of 533 million Facebook users have been exposed in a data breach. Here’s how to find out if your data was leaked, and how to secure your Facebook account.


A vast Facebook leak that has made public the personal information of more than 500 million Facebook accounts might include your phone number.

The trove of data was revealed over the weekend, despite seemingly having come from a leak that happened in 2019. While Facebook said that the leak had been fixed, and the data has been available for some time, it is now readily available on the internet for free, allowing hackers to get it much more easily than they could before.

That means that users could be at risk of hacking attacks and other crime that uses that information to try and steal money or gain access to yet more personal information.

One of the most potent parts of the new trove of data is that it includes hundreds of millions of phone numbers. Such leaks often include email addresses, as well as other identifying information, but phone numbers are both unusual and allow for other kinds of attacks.

In that context, the website HaveIBeenPwned now includes that full list of phone numbers, allowing anyone to easily check whether their own has been caught up in the hack. The site has not tracked phone numbers before.

It will also search through email addresses as usual, allowing users to quickly check whether an email address has been caught up in the new Facebook leak – or any of the other tranches of data that it checks up on.

Troy Hunt, who runs the tool, had previously expressed concern about adding numbers to the tool, in part because it could be used maliciously to find people’s information, and in part because the data is so much less easy to parse than an email address. But he noted that when he asked his followers on Twitter, a poll showed that people were for adding them into the tool, by a ratio of two to one.

He also said that he had been encouraged to do so by a range of other tools that bear similarities to his own website, but did not have the same history or level of trust.

What do I do if my details were exposed in the Facebook data trove?

Attackers can use your Facebook-associated phone number or email address to, for example, encourage you to click on a malicious link to steal more details from you, or trick you into transferring money. You can’t change your number easily, so you should remain vigilant for attempts over the coming weeks.

They can also combine details to attempt identity theft, or use your email try to hack other accounts using easy-to-guess passwords.

With this in mind, if you have been exposed in the leak, or you use an easy-to-guess password, or one that is doubled up elsewhere, it’s a good idea to change your Facebook password. 

It is also advised to implement two factor authentication as an extra layer of protection as it will help keep threat actors from gaining entry to vulnerable or exposed accounts.

In order to activate this, go to your Facebook security settings and enable two factor authentication, ideally not through SMS as this can occasionally be used to an attacker’s advantage. Instead, try an authenticator app, or a physical security key.