Meta fined $276 million over Facebook data leak involving more than 533 million users
The April 2021 leak exposed the phone numbers, locations, and birthdates of Facebook users on the platform from 2018 to 2019.
By Emma Roth, a news writer who covers the streaming wars, consumer tech, crypto, social media, and much more. Previously, she was a writer and editor at MUO.
Ireland’s Data Protection Commission hit Meta with a €265 million fine (about $276 million USD) after an April 2021 data leak exposed the information of more than 533 million users. The DPC started the investigation shortly after news of the leak broke, and it involved an examination into whether Facebook complied with Europe’s General Data Protection Regulation (GDPR).
The leaked information, spotted by Insider, was posted to an online hacking forum and included the full names, phone numbers, locations, and birthdates of users on the platform from 2018 to 2019. At the time, Meta said the bad actor obtained the information through a vulnerability that the company fixed in 2019 and that this was the same information involved in a prior leak reported by Motherboard in January 2021.
This marks the third fine the DPC imposed on Meta this year. In March, the DPC fined Meta $18.6 million USD for bad record-keeping in relation to a series of 2018 data breaches that exposed the information of up to 30 million Facebook users. The European regulator also slapped Meta with a $402 million fine in September following an investigation into Instagram’s handling of teenagers’ data.
Meta has been fined nearly $700 million by the DPC in 2022 — and that doesn’t include the $267 million fine WhatsApp incurred for violating Europe’s data privacy laws last year. In a statement obtained by Newstalk reporter Jess Kelly, an unidentified Meta spokesperson said:
We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.
Meta didn’t immediately respond to The Verge’s request for comment. The company highlighted what it does to combat data scraping in a blog post from last year, noting that it tasks its External Data Misuse (EDM) team with detecting, blocking, and preventing scraping.
After Data Breach Exposes 530 Million, Facebook Says It Will Not Notify Users
Facebook decided not to notify over 530 million of its users whose personal data was lifted in a breach sometime before August 2019 and was recently made available in a public database. Facebook also has no plans to do so, a spokesperson said.
Phone numbers, full names, locations, some email addresses, and other details from user profiles were posted to an amateur hacking forum on Saturday, Business Insider reported last week.
The leaked data includes personal information from 533 million Facebook users in 106 countries.
In response to the reporting, Facebook said in a blog post on Tuesday that “malicious actors” had scraped the data by exploiting a vulnerability in a now-defunct feature on the platform that allowed users to find each other by phone number.
The social media company said it found and fixed the issue in August 2019 and it’s confident the same route can no longer be used to scrape that data.
“We don’t currently have plans to notify users individually,” a Facebook spokesman told NPR.
According to the spokesman, the company does not have complete confidence in knowing which users would need to be notified. He also said that in deciding whether to notify users, Facebook weighed the fact that the information was publicly available and that it was not an issue that users could fix themselves.
The information did not include financial information, health information or passwords, Facebook said, but the data leak still leaves users vulnerable, security experts say.
“Scammers can do an enormous amount with little information from us,” says CyberScout founder Adam Levin, a cybersecurity expert and consumer protection advocate. In the case of this breach, he said, “It’s serious when phone numbers are out there. The danger when you have phone numbers in particular is a universal identifier.”
Phone numbers are increasingly used to connect people to their digital presence, including the use of two-factor authentication via text message and phone calls to verify one’s identity.
The misuse of its user data is a familiar battle for Facebook, and its handling of user privacy has endured scrutiny.
In July 2019, months before patching up the aforementioned issue, Facebook reached a $5 billion settlement with the U.S. Federal Trade Commission for violating an agreement with the agency to protect user privacy.
To find out whether your personal information was leaked in the breach, you can check the data tracking tool Have I Been Pwned. Its creator, Troy Hunt, updated the site with the latest data from the Facebook leak. Hunt said that 65% of the latest batch of data had already been added to the tracker from previous leaks.
Editor’s note: Facebook is among NPR’s financial supporters.