Leak of 500m Facebook users’ data re-opens old wounds

6 Apr 2021

The social network said the data leaked over the weekend stems from an old issue, but Ireland’s data protection watchdog has gotten involved.

Facebook was in damage control over the Easter weekend after data from more than 500m users was posted online.

On Saturday (3 April), a massive database of information on 533m users from 106 countries, which includes mobile phone numbers, emerged on a hacking forum. This is according to Business Insider, which first reported on the leaked information. Around 1.5m Irish accounts are reported to be affected.

Facebook contends that the data is not from a new breach but rather the re-emergence of old information from an issue that was fixed in 2019.

“This is old data that was previously reported on in 2019,” the company said. “We found and fixed this issue in August 2019.”

This didn’t stop Alon Gal, a cybersecurity researcher and chief technology officer at Hudson Rock, from discovering that the data was still being shared and circulated online on hacking forums for free.

The incident has raised alarm bells among cybersecurity professionals given the inclusion of phone numbers. These details coupled with names, locations and email addresses could be fodder for fraudsters and identity thieves.

Gal told Insider that the size of the database “would certainly lead to bad actors taking advantage of the data to perform social-engineering attacks [or] hacking attempts”.

After a data breach, users are often encouraged to change their passwords as a precaution but changing a phone number on the fly isn’t so easy. And while the issue may be an old one, it proves that the ghosts of a data breach can haunt a company and its users for a long time.

Now, the tech giant is liaising with Ireland’s Data Protection Commission, the watchdog it must report to in Europe on data protection matters. BBC News reported that the authority is trying “to establish whether the dataset referred to is indeed the same as that reported in 2019”.

If it is determined that the data breach is old and took place prior to GDPR, as Facebook states, and no new breach has been discovered, then it is unlikely that the tech giant will face sanctions over the matter.

Jonathan Keane is a freelance business and technology journalist based in Dublin