Massive Facebook Data Leak: 1.2 Billion User Records Allegedly Scraped, Hacker Claims
In a startling claim, a hacker has alleged that data from 1.2 billion Facebook users was scraped by exploiting one of the platform’s APIs.
prativad 
In a startling claim, a hacker has alleged that data from 1.2 billion Facebook users was scraped by exploiting one of the platform’s APIs. The compromised data was reportedly posted on a well-known data leak forum. While Facebook’s parent company, Meta, hasn’t outright denied the breach, it responded with a brief statement referencing an old blog post about scraping.
The attacker insists the leaked information isn’t a collection of previously leaked records, but an entirely new dataset. If verified, this could be one of the largest Facebook data breaches in history.
Meta responded to Cybernews with a short note and a link to a four-year-old article titled “How we combat scraping.” A Meta spokesperson said, “This is not a new claim. We disclosed this years ago and have taken steps to prevent similar incidents since.”
Despite Meta’s statement, the Cybernews research team analyzed a sample of 100,000 Facebook user records included in the forum post and confirmed the data appears to be authentic. The sample includes:
-
User IDs
-
Full names
-
Email addresses
-
Usernames
-
Phone numbers
-
Locations
-
Birthdates
-
Genders
Researchers advise caution in accepting the full claim without confirmation, noting that this is only the second time these attackers have posted Facebook data. It's possible that they initially scraped a smaller batch and then expanded it over time to reach the claimed 1.2 billion records.
If proven true, this incident would mark yet another massive scrape of Facebook user data, raising renewed concerns about how Meta safeguards user privacy.
The Cybernews team stated: “These recurring incidents show a pattern of reactive, rather than proactive, security measures. Publicly visible data may still be sensitive, and the lack of stronger safeguards continues to erode user trust. This leaves millions vulnerable to phishing, scams, identity theft, and long-term privacy risks.”
A dataset of this scale could be a goldmine for cybercriminals. It could enable automated attacks using bots to target every single user in the list. Since the dataset is linked to actual Facebook accounts, hackers can easily craft Facebook-specific phishing schemes.
APIs—essential tools for modern digital services—are often exploited by malicious actors for unauthorized data collection. Earlier this year, attackers also targeted APIs from companies like Shopify, GoDaddy, Wix, and OpenAI, often aiming to extract financial or personal information.
Data scraping is not a new issue for Facebook. In fact, last year Meta admitted to scraping publicly available Facebook and Instagram data to train its AI assistant.
Back in 2021, another major breach exposed the phone numbers and locations of over 500 million Facebook users, leading to a €265 million ($266 million) fine from the Irish Data Protection Commission (DPC), the EU’s top data privacy regulator.
Update (May 22, 06:10 a.m. GMT): Meta has issued a response referring back to its previous disclosures on scraping.
