(CMR) The personal data of approximately 533 million Facebook users in more than 106 countries was found by a security researcher to be freely available online last weekend.
According to MIT Technology Review, the data breach was uncovered by security researcher Alon Gal. The exposed information included phone numbers, email addresses, hometowns, full names, and birth dates.
The security breach was first identified in 2019. Facebook said it had fixed the breach, which occurred in August 2019; however, MIT Technology Review said it appears that Facebook did not properly disclose the breach at the time.
Facebook has since acknowledged that the data may have been scraped from people’s profiles in 2019 by “malicious actors” using its contact importer tool, which uses people’s contact lists to help them find friends on Facebook.
Scraping is a common tactic that typically relies on automated software to lift public information from the internet; the collected data is then distributed in online forums such as the one where this data set surfaced.
Mike Clark, Facebook’s Product Management Director, said, “When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer.”
“In this case, we updated it to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users,” Clark added.
He said the data obtained was limited to information that those users had included in their public profiles. It did not include financial information, health information, or passwords.
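One way a service operator could detect the bulk-matching abuse Clark describes, as an added example that is not the article’s or Facebook’s code: it reads constructed contact-import log lines and flags clients that upload far more numbers per minute than a real address book would and get a low match rate. The log format, client ids and threshold values are assumptions.

```python
"""Added example (not from the article): flag clients that abuse a
contact-importer endpoint to enumerate phone numbers in bulk.

Assumed log format (constructed for this example): one line per import
request, 'timestamp client_id uploaded matched', where `uploaded` is the
number of contacts sent and `matched` how many resolved to accounts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one ordinary client and one bulk enumerator.
SAMPLE_LOG = """\
2019-08-01T10:00:00 app-7a1 120 95
2019-08-01T10:00:05 app-7a1 40 31
2019-08-01T10:00:01 bot-3f9 5000 210
2019-08-01T10:00:02 bot-3f9 5000 198
2019-08-01T10:00:03 bot-3f9 5000 205
"""

def parse_log(text):
    """Parse log lines into (timestamp, client_id, uploaded, matched) tuples."""
    rows = []
    for line in text.splitlines():
        ts, client, uploaded, matched = line.split()
        rows.append((datetime.fromisoformat(ts), client, int(uploaded), int(matched)))
    return rows

def flag_enumerators(rows, window=timedelta(minutes=1), max_uploaded=1000, max_hit_rate=0.3):
    """Return client ids that, within any sliding `window`, upload more than
    `max_uploaded` contacts with a match rate below `max_hit_rate`.
    Heuristic (an assumption): a real address book matches most of its
    entries, whereas a guessed number range matches only a small fraction."""
    by_client = defaultdict(list)
    for ts, client, up, hit in rows:
        by_client[client].append((ts, up, hit))
    flagged = set()
    for client, events in by_client.items():
        events.sort()
        start = 0
        up_sum = hit_sum = 0
        for end, (ts, up, hit) in enumerate(events):
            up_sum += up
            hit_sum += hit
            # Slide the window forward past events older than `window`.
            while ts - events[start][0] > window:
                up_sum -= events[start][1]
                hit_sum -= events[start][2]
                start += 1
            if up_sum > max_uploaded and hit_sum / up_sum < max_hit_rate:
                flagged.add(client)
    return sorted(flagged)
```

Running `flag_enumerators(parse_log(SAMPLE_LOG))` returns `['bot-3f9']`; the ordinary client stays under the volume threshold.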
While Facebook said it had fixed the issue, the company could still face problems as it could be held liable for not disclosing the breach.
MIT Technology Review explained that the General Data Protection Regulation came into force in European Union countries in May 2018. If this breach happened after that, Facebook could be liable for fines and enforcement action because it failed to disclose the breach to the relevant regulators within 72 hours, as the GDPR stipulates. Ireland’s Data Protection Commission is investigating the breach.
In the US, Facebook signed a deal two years ago that gave it immunity from Federal Trade Commission fines for breaches before June 2019, so if the data was stolen after that, it could face action there too, MIT Technology Review stated.
Although passwords were not leaked, scammers could still use the information for spam emails or robocalls. If you want to see if you’re at risk, MIT Technology Review suggests you visit haveibeenpwned.com and check if your email address or phone number has been breached.