PETALING JAYA: An investigation by an NGO found that the data of more than 11.6 million Malaysian WhatsApp users being sold online was recycled from a much older Facebook data leak.

Yayasan Digital Malaysia (YDM), a non-profit that works to improve digital literacy, said that its research showed that the database came from a 2019 Facebook leak that has been trimmed down.

The database went up for sale on Nov 16, with the seller alleging that it contains the records of over 487 million WhatsApp users across 84 different countries.

“By cross-referencing the data from the hacker with the previous 2019 Facebook leaks, we found that the data is identical.

"This was further evident by the matching total number of entries in both databases – 11,675,894 in the Facebook database and 11,675,894 in the WhatsApp database," said Mohd Fazli Azran, YDM's head of digital innovation.

While the original data from the 2019 leak included details such as Facebook display names, phone numbers, gender, country and occupation, the version from this uploader only contains phone numbers.

The seller is charging a different price for each country – Mohd Fazli Azran, who had contacted the uploader, said the price for the Malaysian dataset is US$2,500 (RM11,200).

Meta, the company that owns WhatsApp, said in a statement to the South China Morning Post that it hasn't found any signs of a data leak in its WhatsApp platform.

It said that the findings made by Cybernews, which were the basis of most news reports, were “speculative” and based on “unsubstantiated screenshots”.

Meta was fined €265mil (RM1.22bil) for failing to prevent the 2019 Facebook data leak incident, from which the data for this latest incident originates.

This is not the first time this data has resurfaced – it was made available on hacker forums last year for free in its original form.

Meta responded to the alleged leak by telling Reuters that "the data is old and that the problem had been found and fixed in 2019".

The data was originally scraped via the Facebook search, Facebook Messenger Contact Importer, and Instagram Contact importer tools.

"We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers.

"Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge.

“We are reviewing this decision carefully," the company said.