What’s going on with this Facebook leak and am I affected?

7 Apr 2021

Image: © ink drop/Stock.adobe.com

News of a Facebook data leak has caused plenty of confusion in recent days. Here’s what the company, the DPC and privacy experts have to say.

Last weekend, a massive database of information on 533m Facebook users emerged on a hacking forum. This information includes phone numbers, Facebook IDs, names, locations, birthdates and, in some cases, email addresses.

According to Business Insider, which first reported on the story, users from 106 countries are affected. Up to 1.5m Irish accounts are also reported to be affected.

What does Facebook say about all this?

Facebook’s initial response was simply that this is old data that was previously reported on two years ago, and emerged from a vulnerability that was fixed in 2019. After facing a barrage of questions, however, the social media giant released more details days later.

Mike Clark, product management director at Facebook, published a blog post yesterday (6 April) detailing that the company believes the data was “scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019”.

This feature was designed to help people find friends through the contact list on their phone. But Clark said Facebook updated it in 2019 to prevent hackers from scraping users’ phone numbers.

“As a result of the action we took, we are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists,” he added.

What does the DPC say?

Ireland’s Data Protection Commission (DPC) is the watchdog in Europe that Facebook must report to on data protection matters.

The DPC released a statement yesterday before Facebook did, saying that it is attempting to “establish the full facts”. It added that it received no proactive communication from Facebook on this case.

The data protection watchdog outlined that previous datasets were published in 2019 and 2018 relating to a “large-scale scraping” of Facebook, which at the time the company said occurred between June 2017 and April 2018 when it patched a vulnerability in its phone look-up feature.

Because this incident took place before the introduction of GDPR, Facebook “chose not to notify this as a personal data breach”, according to the DPC.

“The newly published dataset seems to comprise the original 2018 (pre-GDPR) dataset and combined with additional records, which may be from a later period,” it added.

The DPC indicated that it is now liaising with Facebook and will give further information as it receives it. 

Am I affected?

The database of Facebook info that is currently circulating online is 20GB in size and tricky for the average internet user to trudge through.

Instead, you can use Have I Been Pwned to check if your number or email has been comprised.

This is an online tool that has been used for years to check if email addresses have been affected by various data breaches. It generally doesn’t allow users to search phone numbers, but creator Troy Hunt explained that the Facebook leak has changed this because “there’s over 500m phone numbers but only a few million email addresses” involved.

All you have to do is type your phone number or email address into the Have I Been Pwned search bar, and the site will check if there’s a match with breached data. All phone numbers are stored with their country calling code, so if your Irish mobile number is 0861234567, type in 353861234567. 

What privacy implications does this have?

As with any breach, risks can arise for users who may be spammed for marketing or fraud purposes using their personal details.

This case may be slightly more concerning, however, because it involves a large volume of phone numbers, which users are unlikely to change regularly or on the fly like they would with passwords.

“Despite the fact that the data from this latest Facebook leak is from 2019, for many, much of the user information will still be the same, especially phone numbers,” said Aaron Drapkin, digital privacy expert at ProPrivacy.

“It is now likely that this info will be used as an exploitable database for various types of phishing and smishing scams and even possible identity fraud.”

And while phone numbers used to be public information, with many people listing them in phone books, they have now taken on a new significance as tech-savvy people use mobile phone numbers for two-factor authentication or password resets.

The information is not only a gold mine for scammers but could also pose a safety risk to people in sensitive or high-profile positions.

The Irish Times reports that the personal data of hundreds of Irish people working in sensitive State positions has been exposed in the leak, including that of Gardaí, prison officers and Revenue staff.

Wired also reports that it includes data from high-profile Facebook users including company boss Mark Zuckerberg and US secretary of transportation Pete Buttigieg, as well as the European Union commissioner for consumer protection Didier Reynders.

What can I do to keep safe online?

In the Facebook blogpost, Clark said the company will “aggressively go after malicious actors” who misuse the company’s tools, and recommended that Facebook users do regular privacy check-ups on their account to evaluate the settings.

The DPC added that users now need to be vigilant in relation to any services they use that require authentication using their phone number or email address, in case third parties are attempting to gain access.

Drapkin said: “If you do find that any of your data is caught up in the leak, ensure you change your passwords immediately and turn on any other security measures Facebook recommends to secure your account.

“If your number was exposed and you’re reluctant to change it, remember that going forward you must treat any texts or emails you receive – especially from people purporting to be part of legitimate companies – with an even higher level of caution than usual.”

Sarah Harford was sub-editor of Silicon Republic