Facebook breach: How to check if your data was compromised
After the recent Facebook data breach, which affected more than 533 million users including CEO Mark Zuckerberg himself, the first question that comes to mind is, "How do I know if my Facebook account was affected?" It's easy to find out using two websites known for tracking data breaches: Have I Been Pwned (HIBP) and The News Each Day. Here's how they work.
On HIBP, once you enter your phone number or email address, the site lists all the instances (including the recent Facebook breach) in which your data was leaked. HIBP names the website that suffered the breach, when the breach occurred, and what information was compromised. The website also informs you if your information has been "pasted" on a content-sharing website such as Pastebin.
HIBP's particularly informative FAQ section also delves into types of breaches, how they are verified, and why your data was breached on a service you never signed up for. The other website, The News Each Day, is primarily a news platform, but given the enormity of the Facebook breach, it has developed a breach detector.
The News Each Day's tool checks your phone number against a database of numbers from the Facebook breach. However, the tool works only for the recent Facebook breach and only for American and Australian phone numbers. Hacker News members highlighted that the breach detector's creator, David Johnstone, could be saving the queried phone numbers, although he claims he doesn't.
In the interest of privacy, Johnstone clarified that the tool for American numbers generates 99 proxy phone numbers with the same first five digits as yours, so the database won't know which queried number belongs to whom. While that isn't exactly a foolproof solution, HIBP's policies are more secure. The website also claims it doesn't collect and store email addresses and phone numbers.
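The decoy scheme described above, as an added sketch (not Johnstone's code and not part of the original article) that also shows why it falls short of foolproof: if the 99 decoys are drawn fresh on each lookup, a server that logs batches can intersect them. Client-side generation, random last five digits, shuffling, the secret-keyed stable variant and all function names here are assumptions.

```python
import hashlib
import hmac
import random

PREFIX_LEN = 5   # digits shared with the real number (per the article)
DECOYS = 99      # proxy numbers sent alongside the real one (per the article)


def build_batch(number: str, rng: random.Random) -> list[str]:
    """Hide a 10-digit number among DECOYS decoys sharing its first 5 digits."""
    if len(number) != 10 or not (number.isascii() and number.isdigit()):
        raise ValueError("expected a 10-digit number, digits only")
    prefix, width = number[:PREFIX_LEN], 10 - PREFIX_LEN
    batch = {number}
    while len(batch) < DECOYS + 1:           # the set drops duplicate decoys
        batch.add(prefix + f"{rng.randrange(10 ** width):0{width}d}")
    ordered = sorted(batch)                  # fixed order before shuffling
    rng.shuffle(ordered)                     # position must not mark the real one
    return ordered


def stable_rng(number: str, local_secret: bytes) -> random.Random:
    """Assumed hardening: identical decoys on every lookup, keyed by a secret
    that stays on the client so the server cannot recompute them."""
    seed = hmac.new(local_secret, number.encode(), hashlib.sha256).digest()
    return random.Random(seed)


def candidates_after(batches: list[list[str]]) -> set[str]:
    """Numbers a logging server cannot rule out after seeing every batch."""
    return set.intersection(*(set(b) for b in batches))


REAL = "2025550143"                   # constructed sample (fictional 555-01xx)
SECRET = b"constructed-local-secret"  # constructed; would live only on the client

# Five lookups with fresh decoys each time versus five with stable decoys.
fresh = [build_batch(REAL, random.Random(seed)) for seed in range(5)]
stable = [build_batch(REAL, stable_rng(REAL, SECRET)) for _ in range(5)]

if __name__ == "__main__":
    print("fresh decoys, candidates left: ", len(candidates_after(fresh)))
    print("stable decoys, candidates left:", len(candidates_after(stable)))
```

With fresh decoys the server's candidate set shrinks to the one number present in every batch; with stable decoys it stays at 100.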
Meanwhile, if your data was breached, immediately look up what has been compromised (phone number, location, etc.). Then, change your password for the breached website and wherever else you re-used that password. If financial information was breached, contact your bank to take necessary action. Also, enable two-factor authentication for additional security. Many modern services that handle sensitive information have two-factor authentication enabled by default.
That said, most breach detectors have limited efficacy, mostly because they can access only a small subset of data on the internet. So, it's a good practice to never re-use passwords. We suggest you use the password managers built into most web browsers, including Google Chrome and Mozilla Firefox. Chrome's Password Manager even auto-generates passwords and alerts you if your accounts were compromised in a breach.