Data from more than 533 million Facebook users, including profile names, Facebook ID numbers, phone numbers, and email addresses, were published on a hacking forum on April 3, according to reports. Facebook says the breached data is not new and was originally scraped by hackers in 2019.
Facebook reacted to the leak by trying to downplay the incident, claiming that they fixed the vulnerability and encouraging users to change their privacy settings if they are concerned about their information being opened to the public.
Facebook released an official blog statement on April 6, reacting to a Business Insider story that explained the details of how the data was stolen and how the vulnerabilities were addressed.
The data came from users in 106 different countries, including 32 million in the U.S., 11 million in the UK, and 6 million in India.
The hacker initially responsible sold the data for tens of thousands of dollars, but as the database circulated, the price kept on dropping until it was posted for free in open forums. The data can potentially be used for spam emails or robocalls.
You can check if your own personal data was involved in the breach by entering your information at the tracking site HaveIBeenPwned.com, which was created by Australian web-security consultant Troy Hunt.
In their blog post, Facebook claimed that they have been aware of the issue and that the data which was scraped was obtained prior to September 2019, when they fixed the vulnerability. In trying to downplay the incident, Facebook framed the theft in the context of there being an important distinction between hacking and scraping. They tried to reassure users, stating, “While we can’t always prevent data sets like these from recirculating or new ones from appearing, we have a dedicated team focused on this work.”
“It’s a fallacy to think that a breach isn’t serious just because it doesn’t have passwords in it or other maximally sensitive data,” said Zack Allen, Director of Threat Intelligence at the security firm ZeroFox. “It’s also a fallacy to say that a situation isn’t that bad just because it’s old data.”
Back in July 2019, Facebook was held responsible for a data leak by the Federal Trade Commission, resulting in a $5 billion settlement. Tens of millions of users had their data scraped, ending up with a data firm called Cambridge Analytica, which shut down in 2018 after concerns were raised about its controversial political tactics.
“Individuals signing up to a reputable company like Facebook are trusting them with their data, and Facebook [is] supposed to treat the data with utmost respect,” said Alon Gal, the Chief Technology Officer of the cybercrime intelligence firm Hudson Rock.
“Users having their personal information leaked is a huge breach of trust and should be handled accordingly.”