New Zealanders may be unaffected by a data breach of about 533 million Facebook accounts.

A historical vulnerability exposing personal information came to light over the weekend when the data was posted on a popular hacking forum for free, Business Insider reported.

Various types of information such as phone numbers, names, birthdays, Facebook IDs, and email addresses are viewable, though Kiwis may have dodged a bullet.

In a published list of more than 100 affected countries, New Zealand is not named.

“This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019,” a Facebook company spokesperson said.

In a blog post, Facebook product management director Mike Clark made a point of stressing the data was scraped from Facebook, and not hacked.

Despite the exposed data being about two years old, the evergreen nature of social media information means millions of people’s private information is potentially compromised.

Many people do not frequently change their passwords or phone numbers, meaning the data could still be useful to malicious actors.

Netsafe chief executive Martin Cocker told BusinessDesk he understood the data breach affected Facebook users from over a hundred countries, excluding New Zealand.

“It'd be surprising if a breach that was, what, a quarter of Facebook's users didn't catch a few New Zealanders,” he said, despite the apparent good fortune for Kiwis.

The list of affected countries was tweeted by cybersecurity company Hudson Rock CTO Alon Gal in January. Gal then noticed on April 4 that the data had been posted for free on a hacking forum and retweeted the information, going viral in the process.

“It used to be the case that the stronger your password, the less chance you’d get breached because people were guessing them or brute-forcing them by running systems that go through and try multiple combinations,” Cocker said.

“Now, it’s far more common to take a stolen data set, grab the email address and password, and try them on other sites. Because people use the same email and password in multiple places, you have success breaching other sites using those same credentials.”

More than seven million Australian accounts are said to have been compromised, with over 11m and 32m in the UK and US respectively.

Safety first

The posting of the historic data for free is notable as it may contain phone numbers, a data point that is not compulsory on a Facebook profile but one that millions of people add.

Cocker advised New Zealanders to use the trusted website Have I Been Pwned to see if their data has been included in the breach.

Have I Been Pwned (‘pwned’ being internet-speak for being ‘owned’ or humiliated) is a trusted online tool that tracks leaked data. You enter your email address or phone number, allegedly securely, and it tells you which of the services you are registered with, if any, have been compromised.

The site’s creator Troy Hunt announced on Tuesday that phone numbers affected by the Facebook breach are now searchable on the service.

Even though New Zealand Facebook accounts do not appear to be part of the data breach, Cocker advises checking to be 100% sure.

He recommended using a password manager, software that securely stores personal credentials for multiple website logins. It means you can use completely different passwords for all services without having to remember them all.

* For what it’s worth, this writer pays for and uses 1Password across multiple devices. As well as storing credentials behind one master password, the password manager also auto-generates near-unguessable passwords for added security.