Threat Actor Selling 1.2 Billion Facebook Records, But Details Don’t Add Up

A threat actor using the alias “ByteBreaker” is claiming to have abused the Facebook API and scraped 1.2 billion account details, which are now being sold on a data breach forum.

A look at the sample data of 100,000 users shared by ByteBreaker on the forum shows it includes the following information:

• Gender
• Full names
• Usernames
• Date of birth
• Phone numbers
• Email addresses
• Unique identifier (UID)
• Location (including city, state, and country)

“Today I’ve come with the newest Facebook database which was scraped by abusing one of their APIs. Feel free to compare results from the previous leaks, it’s a new one and never leaked before,” ByteBreaker said in their post.

Hackread.com compared the sample with data from previous Facebook breaches. Some of it overlaps with the April 2021 breach, in which the personal data of over 500 million users from 106 countries was leaked, but not all. However, with the claimed database size being 1.2 billion records, comparing a sample of only 100,000 records is insufficient to conclude at this time.

ByteBreaker joined the forum where they are selling the data in the first week of May 2025. On May 3, they initially posted another Facebook database for sale, claiming it contained 780 million records and also featured fresh 2025 data.

In both listings, ByteBreaker claimed the data was scraped via the same API abuse technique. However, in both cases, the sample data are exactly the same and notes: “The Total Rows are 200 million”, structured as:

uid, name, email, username, mobile_phone, location, birthday, gender

This raises a fundamental question: Can 1.2 billion records be stored in just 200 million rows? No, each row already contains complete user information. If ByteBreaker has 1.2 billion user records, it would need 1.2 billion rows. The numbers don’t match.

Another inconsistency lies in ByteBreaker’s Telegram contact. While the original listing mentioned the handle @XByteBreak, the sample data references a different account: @Minimize9, which does not exist on Telegram.

Hackread.com attempted to contact ByteBreaker, and while our messages were seen on Telegram, the threat actor did not respond.

Although @Minimize9 does not exist on Telegram, a Google search links the username to an Indonesian citizen named FM (Full name redacted). However, Hackread.com makes no implication that FM is behind the @Minimize9 handle mentioned in the sample data, or that he is the person operating the ByteBreaker account.

API abuse and web scraping are real and serious cybersecurity threats. Platforms like Chess.com, LinkedIn, Trello, Duolingo, Clubhouse, Bumble, and Discord have all been targeted using these tactics, among many others.

Regardless of the threat actor’s claims, organizations, especially social media giants, should continuously invest in cybersecurity measures, monitor for unusual activity, and close any exploitable endpoints to protect user data.

As this case is developing, Hackread.com has reached out to Meta, the parent company of Facebook, and an update will be provided once a response is received.