Overview
- Security researchers, led by Malwarebytes, report a dataset with usernames, emails, phone numbers and partial addresses circulating on BreachForums since January 7.
- The files appear in JSON and TXT with API‑style structures and do not include passwords, yet they significantly lower the barrier for social‑engineering and account‑recovery abuse.
- Meta says its systems were not compromised and that a programming bug—now corrected—allowed third parties to trigger legitimate password‑reset emails for some users.
- Users worldwide have reported a spike in unrequested password‑reset notifications since January 9, creating confusion that attackers can exploit for takeovers.
- Researchers say the data may trace to earlier API or integration weaknesses, a link that remains unconfirmed, as variants of the dump are offered under aliases including “Solonik” and “Subkek.”