An old Facebook “hack” that impacted more than 533 million people resurfaced during the weekend, as reports revealed that the entire database had been posted on a forum. Facebook quickly pointed out that the data breach is old and that the security vulnerability has been fixed, so similar incidents can’t happen again. But that does little to address the fact that anyone with access to the database can obtain plenty of personal information about a user, including phone numbers. A few days later, a security researcher made it possible for potential victims to search the database and find out whether their data was compromised. A different researcher showed how easy it would be for a malicious individual to harness that data, revealing that Mark Zuckerberg’s Facebook account, phone number included, was part of the hack and discovering that the Facebook CEO is a Signal user.
Despite that, Facebook doesn’t plan to notify impacted users. In its explanation of what happened almost two years ago, the company also insists that the hackers did not breach Facebook’s defenses. Instead, they turned a tool Facebook itself had built against the company to collect all that data in a “scraping” attack.
Facebook never notified the impacted users, and it doesn’t plan to change that now that the database has reached more people. A spokesman confirmed this to Reuters:
The Facebook spokesman said the social media company was not confident it had full visibility on which users would need to be notified. He said it also took into account that users could not fix the issue and that the data was publicly available in deciding not to notify users.
Facebook published a blog post detailing the “facts on news reports about Facebook data.” The company said that the malicious actors did not hack its systems. Instead, they used a scraping technique that involved Facebook’s contact importer tool. This feature allows Facebook users to upload their contact lists to find friends to connect with. Facebook says that the attackers took advantage of vulnerabilities in it to access user information:
When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer. In this case, we updated it to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users. Through the previous functionality, they were able to query a set of user profiles and obtain a limited set of information about those users included in their public profiles. The information did not include financial information, health information or passwords.
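The mechanism Facebook describes above, as an added illustration that is not from the article or from Facebook’s own code: a hypothetical contact-matching endpoint, first as the unlimited lookup that lets a client upload a large set of phone numbers and learn which ones belong to accounts, then with the per-client caps and enumeration checks a defender would add. The phone directory, thresholds and names are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed directory of phone number -> account id (hypothetical data)
USERS = {"+15550000001": "u1", "+15550000007": "u2", "+15550000042": "u3"}

MAX_BATCH = 5        # numbers accepted per import request
MAX_PER_HOUR = 10    # numbers a single client may submit per hour
MIN_HIT_RATE = 0.2   # a genuine address book matches far more than a number sweep


def naive_match(numbers):
    """Unlimited lookup: the behaviour the article says was abused.
    Any client can upload a large list and learn which numbers are accounts."""
    return {n: USERS[n] for n in numbers if n in USERS}


def is_sequential(numbers):
    """Consecutive numbers are a sweep of a number range, not someone's contacts."""
    digits = sorted(int(n.lstrip("+")) for n in numbers)
    return len(digits) > 1 and all(b - a == 1 for a, b in zip(digits, digits[1:]))


@dataclass
class ClientState:
    submitted: int = 0
    matched: int = 0
    flagged: bool = False


class HardenedImporter:
    """Same lookup, with per-client caps and enumeration detection."""

    def __init__(self):
        self.clients = defaultdict(ClientState)

    def match(self, client_id, numbers):
        st = self.clients[client_id]
        if st.flagged:
            return {"error": "client blocked"}
        if len(numbers) > MAX_BATCH:
            return {"error": "batch too large"}
        if st.submitted + len(numbers) > MAX_PER_HOUR:
            return {"error": "rate limited"}
        hits = naive_match(numbers)
        st.submitted += len(numbers)
        st.matched += len(hits)
        # Sequential input, or a persistently low hit rate once enough numbers
        # have been seen, indicates enumeration: block and withhold the result.
        low_rate = st.submitted >= MAX_PER_HOUR and st.matched / st.submitted < MIN_HIT_RATE
        if is_sequential(numbers) or low_rate:
            st.flagged = True
            return {"error": "suspected enumeration"}
        return hits
```

The thresholds are deliberately tiny so the behaviour is visible on a handful of numbers; a real service would tune them from observed address-book sizes and match rates.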
Facebook itself doesn’t say what sort of information the attackers stole; the leaked records include full names, locations, phone numbers, and birthdays. That’s still plenty of information that some people might abuse. Impacted users could take some action to protect themselves from follow-on attacks, which could include changing phone numbers or even leaving Facebook.
The company doesn’t suggest any course of action, and the fact is that most people can do little to stop their data from circulating. Facebook says that its own options are limited. “While we can’t always prevent data sets like these from recirculating or new ones from appearing, we have a dedicated team focused on this work,” the blog post reads. Facebook also tells users that it’s a good idea to run regular privacy checkups to adjust the settings that govern who can find and contact them on Facebook.
Over the last year, I have asked Facebook more than a dozen times if it will take legal action against Clearview AI for scraping what is likely millions of photos from Instagram and Facebook. No lawsuits have been filed and FB has said nothing on record. https://t.co/htkKCD5bT0
— Ryan Mac🙃 (@RMac18) April 7, 2021
While Facebook says the scraping technique violated its policies, The Verge points out that Facebook has taken no action against a different company that has also scraped data from its apps: Clearview AI scraped photos from Instagram and Facebook, yet Facebook has not sued it.
Users who want to see whether the 533 million “hack” includes their Facebook data can use the Have I Been Pwned service.