A security problem that Facebook thought it dealt with more than a year ago resurfaced in the worst possible way a few weeks ago when it was discovered that a database containing the personal details of more than 533 million users circulated online. Facebook said initially that the hack isn’t new and that the vulnerability issue had been fixed in 2019. It then followed up to explain that it would not inform impacted users and that the hack wasn’t a breach of its servers. Instead, attackers abused a tool to gather data for hundreds of millions of people. Data included full names, locations, phone numbers, and birthdays. A security researcher found Facebook CEO Mark Zuckerberg in the list of impacted users.
Neither Facebook nor Facebook users have control over the leaked database, so it can’t be removed from the internet or forgotten. But Facebook doesn’t seem interested in providing any sort of assistance beyond telling everyone who will listen that the problem had been fixed. What’s even worse is that Facebook expects similar data scraping to continue despite its efforts to prevent it. A leaked internal email shows that Facebook plans to normalize this sort of security problem in public messaging rather than coming up with ways to ensure similar incidents can’t happen.
A report from Belgian site DataNews shares with the world a purported Facebook email that was supposed to have been sent internally. The email includes Facebook’s strategy for dealing with the massive data breach that resurfaced. For some reason, the email ended up in DataNews’s inbox.
The email was sent to Facebook’s PR staff for EMEA (Europe, Middle East, and Africa) on April 8th, a few days after the database leaked online. The email seems to be genuine, as it includes links to an actual help page that Facebook put up to address the massive hack — like this one: https://www.facebook.com/help/463983701520800.
The instructions in the email explain that Facebook didn’t plan to address the data breach any more than it had already done, as news reports about it die down. Facebook provides metrics about the coverage the story got and the social activity around it:
OVERALL COVERAGE: Publications have offered more critical takes of Facebook’s response, framing it as evasive, deflection of blame and absent of an apology for the users impacted. These pieces are often driven by quotes from data experts or regulators, keen on criticizing the company’s response as insufficient or framing the company’s assertion that the information was already public as misleading. With regulators fully zeroed in on the issue, expect the steady drumbeat of criticism to continue in the press. However, it is important to note that both media coverage and social conversation continue to gradually decline from their peak over the weekend and on Monday. Coverage from top-tier global publications has declined by 30% in the past 48 hours, compared to the preceding two days. Social conversation has followed a similar trend, but at a more accelerated rate, declining by 50% in the latest 48-hour span when compared against conversation Saturday through Monday afternoon. For those interested, the latest global coverage report is below.
But long-term, the company wants to make these incidents sound normal, a problem that impacts the industry, and something that Facebook can’t perfectly defend against:
LONG-TERM STRATEGY: Assuming press volume continues to decline, we’re not planning additional statements on the issue. Longer term, though, we expect more scraping incidents and think it’s important to both frame this as a broad industry issue and normalize the fact that this activity happens regularly. To do this, the team is proposing a follow-up post in the next several weeks that talks more broadly about our anti-scraping work and provides more transparency around the amount of work we’re doing in this area. While this may reflect a significant volume of scraping activity, we hope this will help to normalize activity is ongoing transparent.
Personal information like the kind that leaked in the massive breach from 2019 can be weaponized by all sorts of attackers who might try to impersonate other people, stalk, and harass. Saying that it’s normal for these incidents to happen should make Facebook users reconsider their memberships. Facebook and its other services are not free; one pays for them with the personal data that Facebook collects, data that Facebook should guard better.
DataNews’s full report, complete with the leaked email, is available at this link.