In 2019, attackers exploited a vulnerability in a Facebook contact importer tool to scrape personal data from 533 million accounts across more than 100 countries. The information — including phone numbers, full names, email addresses, and dates of birth — was later published freely on an online forum in 2021, making it accessible to anyone without cost.
Quick answer — was Facebook breached?
Yes. Facebook was breached in August 2019, exposing 509,458,528 records including dates of birth, email addresses, employers. This breach has been independently verified. If your email was involved, your data may still be at risk today. Check if you were affected.
What happened in the Facebook data breach?
In 2019, attackers exploited a vulnerability in a Facebook contact importer tool to scrape personal data from 533 million accounts across more than 100 countries. The information — including phone numbers, full names, email addresses, and dates of birth — was later published freely on an online forum in 2021, making it accessible to anyone without cost.
Phone numbers are particularly valuable to attackers because they enable SIM swapping, which can defeat SMS-based two-factor authentication even when a user's password has been changed. The combination of phone numbers, birth dates, and email addresses also provides the raw material for convincing impersonation scams.
Because the data was scraped rather than obtained through a direct database compromise, the incident was initially characterised as less severe. The free publication of the full dataset in 2021 fundamentally changed that assessment, putting 533 million people at risk from bad actors who had never previously had access to the information. Learn more about what a data breach means for you.
Why was the Facebook breach so dangerous?
Phone numbers are particularly valuable to attackers because they enable SIM swapping, which can defeat SMS-based two-factor authentication even when a user's password has been changed. The combination of phone numbers, birth dates, and email addresses also provides the raw material for convincing impersonation scams.
Don't wait to find out — check if your email was exposed in this breach.
What data was stolen in the Facebook breach?
Dates of birth — used to verify identity for account takeover and fraud
Email addresses — used for phishing attacks and credential stuffing against your other accounts
Employers — may be combined with other breach data to build a profile for targeted attacks
Genders — may be combined with other breach data to build a profile for targeted attacks
Geographic locations — may be combined with other breach data to build a profile for targeted attacks
Names — used to build profiles and target you with personalised scams
Phone numbers — enables SIM-swapping attacks and targeted SMS phishing
Relationship statuses — reveals your approximate location and internet provider
Timeline of the Facebook breach
2019
Attackers exploit a flaw in Facebook's contact-importer feature to systematically scrape phone numbers, full names, and other profile data from hundreds of millions of accounts; Facebook patches the vulnerability but does not publicly disclose the scraping
January 2021
A portion of the scraped dataset begins circulating privately and is offered for sale through a Telegram bot
April 3, 2021
The full 533 million record dataset is published freely on a criminal forum — no payment required; any actor can download it
April 6, 2021
Facebook acknowledges the data is genuine but characterises it as "old data" from a 2019 vulnerability that has since been patched, and declines to directly notify affected users
April 2021
Ireland's Data Protection Commission opens a formal investigation; the incident draws regulatory attention across multiple jurisdictions
Is the Facebook breach still dangerous in 2026?
Yes. Stolen data from the Facebook breach remains dangerous years after the incident. Attackers routinely compile data from multiple breaches to build complete profiles, and credentials from 2019 are still actively used in automated attacks today.
Personal information like email addresses, phone numbers, and dates of birth does not expire. Even if you changed your Facebook password, the other exposed data can be combined with information from other breaches to target you. Learn how long stolen data stays dangerous.
What to do if your email was in the Facebook breach
Change your Facebook password immediately
Log into Facebook and change your password to something strong and unique — one you have never used anywhere else.
Change any account sharing that password
If you reused this password elsewhere, change it on every affected account. Attackers test stolen credentials against hundreds of popular sites within hours.
Enable two-factor authentication
Turn on 2FA on Facebook and every important account. Even if your password is known, attackers cannot access the account without the second factor.
Check your other accounts for this breach
Run a full email scan to see every breach your address appears in — not just this one.
Check all my breaches — freeFrequently asked about the Facebook breach
What data was actually exposed in the Facebook 533 million record dataset?
Why are exposed phone numbers so dangerous?
Did Facebook notify the 533 million affected users?
I changed my Facebook password after 2021 — does that protect me?
How this breach page is reviewed
Breach pages are built from structured breach records and reviewed for practical risk guidance by EmailLeaked. Risk labels reflect exposed data types and are intended to help readers prioritise action.
Sources
Last reviewed: 2026-05-01
Other major breaches
Was your email in this breach?
Check if your email appeared in the Facebook breach and 1010+ other known breaches — free, instant, no signup.
Check my email — freeWas my email hacked?
Check if your email is compromised in seconds. Free, private, no signup. Scan millions of breach records across 1011+ known breaches.
Check my email now — it's freeNo signup required · Results in under 5 seconds · Your data is never stored