Facebook hack scams: Steer clear of shady leak checkers
A raft of websites have been set up to check whether your data was compromised in the recent Facebook hack – but beware.
It’s the biggest cybersecurity story of 2021 so far, and a massive embarrassment for the world’s biggest social network. Facebook is fighting fires around the news that 533 million users’ information, including names, phone numbers and email addresses, has been leaked for free to all and sundry through a hacking forum. But what people need to be most conscious of is the range of follow-up scams that seek to capitalise on the fear such news can trigger.
The obvious question many people will have, including the 11 million UK and 32 million American users believed to be caught up in the breach, is a simple one: is their data included in the massive dump of information? The answer is more complicated than you may think. Services that check leaked or hacked databases have long existed, but cybercriminals are a canny bunch and know that there will be renewed, significant interest from people trying to find out whether they’ve fallen victim.
For that reason, there’s a need to be wary of any sites that profess to check your details against the Facebook database of 533 million users to ascertain if you’ve become a victim or not. They may in fact simply be honeypot scams looking to bring a new set of people’s data into their dragnet.
Finding reputable checkers is important
It’s a worry that many cybersecurity experts are warning about. Alan Woodward, a computer scientist at the University of Surrey, has warned that people could fall victim to fake sites claiming to check your details against the database. “Personally I wouldn’t trust some of the other ‘checkers’ out there,” he tweeted on April 6.
Part of the problem is that the Facebook leak is so high profile that well-meaning actors are trying to help people understand whether they’ve been caught up in it. They are setting up websites that help, but those sites lack the established brand name of something like Troy Hunt’s Have I Been Pwned or CyberNews’s own personal data leak checker, which securely cross-checks any information entered against a database of more than 15 billion breached records.
Take, for instance, the work of two well-meaning researchers at Edinburgh Napier University, who created a site similar to Have I Been Pwned, called Have I Been Zucked? It allows users to input a phone number, email or name and ascertain whether they are included in the 533 million-strong database.
Transparency is important – but trust more so
The two creators of Have I Been Zucked are aware that there are a raft of websites out there offering similar services, some of which may not be what they claim to be and may not do what they profess to. That is why they have posted a transparency page on their website, saying: “It's not in our interests to harvest your data, that's not what this service is for.”
Yet that’s precisely what some scammers will be wanting to do.
In every cybersecurity breach, there’s a moment of alarm when people try to find out whether they’ve been caught up in the dragnet. Panic causes people to not think straight, and to take risks they shouldn’t.
You should always use reputable sources of information, and take every claim of transparency – even a well-meaning one – with a hefty pinch of salt. If you do decide to input information into websites that aren’t established breached-record checkers such as CyberNews or Have I Been Pwned, make sure you give away as little data as possible. Don’t put in your phone number if you have the option of putting in your name. But most of all, try to stay away from fly-by-night services and stick with reputable sources you can trust.