1.2 Billion Facebook Records Allegedly Scraped via API Exploitation
Threat actors claim to have scraped 1.2 billion Facebook user records by abusing one of the platform’s application programming interfaces (APIs). The dataset — which includes user IDs, names, emails, phone numbers, locations, birthdays, and genders — has been published on a data leak forum.
The Cybernews team analyzed a sample of 100,000 records, confirming the data appeared authentic. If the full claim is valid, this would be among the largest Facebook-related leaks to date.
Technical vector: API scraping
The attackers likely leveraged insufficiently protected API endpoints to automate large-scale harvesting of public and semi-public user attributes. Such attacks exploit weak rate-limiting, token misconfigurations, or endpoint exposures to enumerate and exfiltrate structured data at scale.
Facebook’s response
Meta did not explicitly deny the incident, instead referencing a 2019 post about its anti-scraping measures. Researchers criticize this as reactive security, noting repeated incidents reveal inadequate controls around APIs and user data visibility.
Security implications
A dataset of this scale enables:
- Targeted phishing campaigns against known Facebook users.
- Credential-stuffing or SIM-swap attacks by correlating phone numbers and emails.
- Mass bot-driven social engineering leveraging demographic data.
- Identity theft risks through aggregation with other leaks.
Given Facebook’s history (e.g., the 2021 exposure of 500M+ records, which led to a €265M fine by the Irish DPC), the recurring nature of API-driven scraping incidents raises serious compliance and trust concerns.
Wider context
API abuse is an escalating vector across platforms. In 2025 alone, attackers have exploited APIs at Shopify, GoDaddy, Wix, and OpenAI. Without robust API security (rate limiting, behavioral anomaly detection, stronger authentication), data-rich services remain vulnerable to mass harvesting campaigns.
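The rate limiting and behavioral anomaly detection named above, sketched as an added example (not code from Cybernews or Meta): it scans API access events for the two patterns that bulk harvesting tends to leave, a burst of distinct profile lookups per token and a slow in-order walk through user IDs. The event format, token names, and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

def flag_scrapers(events, window_s=60, max_distinct=20, seq_ratio=0.8):
    """events: time-ordered (unix_ts, api_token, requested_user_id) tuples.
    Returns {token: reason} for tokens whose lookups resemble bulk harvesting.
    Thresholds are illustrative assumptions, not tuned values."""
    windows = defaultdict(deque)   # token -> (ts, user_id) inside the window
    history = defaultdict(list)    # token -> every user_id it requested
    flagged = {}
    for ts, token, uid in events:
        history[token].append(uid)
        win = windows[token]
        win.append((ts, uid))
        # Drop lookups that have aged out of the sliding window.
        while win and ts - win[0][0] >= window_s:
            win.popleft()
        # Signal 1: too many *distinct* profiles per window (rate limiting).
        if len({u for _, u in win}) > max_distinct:
            flagged.setdefault(token, "distinct-profile rate")
    # Signal 2: slow enumeration that stays under the rate threshold but
    # walks IDs in small ascending steps (behavioral anomaly).
    for token, uids in history.items():
        if token in flagged or len(uids) < 10:
            continue
        steps = [b - a for a, b in zip(uids, uids[1:])]
        ascending = sum(1 for s in steps if 0 < s <= 5)
        if ascending / len(steps) >= seq_ratio:
            flagged[token] = "sequential ID enumeration"
    return flagged

def sample_events():
    """Constructed sample traffic for three hypothetical API tokens."""
    events = []
    # tok_app: ordinary client, a few scattered lookups over ten minutes
    for i, uid in enumerate([48211, 1093, 77120, 1093, 5530, 48211]):
        events.append((1000 + i * 100, "tok_app", uid))
    # tok_fast: 40 distinct profiles in 40 seconds
    for i in range(40):
        events.append((1000 + i, "tok_fast", 900000 + i * 37))
    # tok_slow: one lookup every 30 seconds, IDs in order
    for i in range(15):
        events.append((1000 + i * 30, "tok_slow", 200000 + i))
    return sorted(events)

if __name__ == "__main__":
    for token, reason in flag_scrapers(sample_events()).items():
        print(token, "->", reason)
```

Counting distinct requested IDs rather than raw requests keeps a client that polls the same few profiles from tripping the limit, and the second pass catches a scraper that throttles itself below it.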