Several days ago, we reported a large-scale data leak that affected 533 million Facebook accounts. The vulnerability that caused the data leak is now fixed. However, the social media platform is facing an investigation by EU regulators.
The data breach was possible due to a vulnerability addressed by Facebook in 2019. Although the vulnerability is two years old, the leaked Facebook details could still be exploited by hackers in various scenarios: affected users could be impersonated and scammed.
The massive leak was discovered by Alon Gal, CTO of cybercrime intelligence company Hudson Rock. “A database of that size containing the private information such as phone numbers of a lot of Facebook’s users would certainly lead to bad actors taking advantage of the data to perform social engineering attacks [or] hacking attempts,” the researcher said.
The leak was discovered in January, when a user of the hacking forum where the data is shared advertised an automated bot that could provide the phone numbers of millions of Facebook users. The service was paid, and its legitimacy was confirmed by Motherboard.
What does Facebook say about the data leak?
Mike Clark, a Facebook product management director, said that Facebook believes the data in question was scraped from people’s Facebook profiles by malicious actors using their contact importer prior to September 2019. The purpose of the feature was to help people easily find their friends to connect with using Facebook’s services and contact lists.
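The scraping described above worked because a friend-finding feature that matches uploaded contact lists against accounts is, from the server's point of view, a lookup oracle: whoever can submit phone numbers at scale can learn which ones belong to accounts. The following is an added illustration, not Facebook's code, of the kind of abuse heuristics a defender can run over contact-import logs: per-client volume, call rate within a sliding window, and how sequential the submitted numbers are. The log schema (`client_id`, `ts`, `numbers`), the thresholds, and the sample events are all constructed assumptions.

```python
# Added example (not Facebook's code): heuristics for spotting bulk phone-number
# enumeration through a "find friends by contact list" endpoint. Log format,
# field names and thresholds are constructed assumptions for illustration.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ImportEvent:
    """One contact-import call as a backend might log it (constructed schema)."""
    client_id: str      # assumed per-account or per-session identifier
    ts: int             # assumed Unix timestamp of the call
    numbers: List[str]  # phone numbers submitted for matching, E.164 strings


def sequential_fraction(numbers: List[str]) -> float:
    """Share of adjacent sorted numbers that differ by exactly one.

    Genuine address books are scattered across ranges; a client walking a
    number space produces long runs of consecutive values.
    """
    digits = sorted(int(n.lstrip("+")) for n in numbers if n.lstrip("+").isdigit())
    if len(digits) < 2:
        return 0.0
    consecutive = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
    return consecutive / (len(digits) - 1)


def peak_calls_per_window(timestamps: List[int], window_s: int = 3600) -> int:
    """Largest number of calls that fall inside any sliding window of window_s seconds."""
    ts = sorted(timestamps)
    best, lo = 0, 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] >= window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def flag_enumeration(
    events: List[ImportEvent],
    max_numbers_per_client: int = 500,
    max_calls_per_hour: int = 20,
    max_sequential_fraction: float = 0.5,
) -> Dict[str, List[str]]:
    """Return {client_id: [reasons]} for clients whose imports look like enumeration."""
    per_client: Dict[str, List[ImportEvent]] = defaultdict(list)
    for ev in events:
        per_client[ev.client_id].append(ev)

    flagged: Dict[str, List[str]] = {}
    for client, evs in per_client.items():
        nums = [n for ev in evs for n in ev.numbers]
        reasons = []
        if len(nums) > max_numbers_per_client:
            reasons.append(f"volume={len(nums)}")
        rate = peak_calls_per_window([ev.ts for ev in evs])
        if rate > max_calls_per_hour:
            reasons.append(f"calls_per_hour={rate}")
        frac = sequential_fraction(nums)
        if frac > max_sequential_fraction:
            reasons.append(f"sequential={frac:.2f}")
        if reasons:
            flagged[client] = reasons
    return flagged


# Constructed sample: one ordinary address-book sync (client-A, two syncs a day
# apart) and one client walking a block of 600 consecutive numbers in 30 minutes.
BASE_TS = 1_600_000_000
CONSTRUCTED_EVENTS = [
    ImportEvent("client-A", BASE_TS, ["+15550001234", "+15550009876", "+15550005555"]),
    ImportEvent("client-A", BASE_TS + 86_400, ["+15550001234", "+15550009876"]),
] + [
    ImportEvent("client-B", BASE_TS + i * 30, [f"+1555000{i * 10 + j:04d}" for j in range(10)])
    for i in range(60)
]

if __name__ == "__main__":
    for client, reasons in flag_enumeration(CONSTRUCTED_EVENTS).items():
        print(client, ", ".join(reasons))
```

The sequential-run check only catches the crudest pattern; a client that draws numbers at random from a known prefix range will defeat it, so the per-client volume and rate limits carry most of the weight, and in practice they should be tied to a key the client cannot freely rotate (account, device or verified session rather than IP address).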
According to the same statement, Facebook is confident that the vulnerability that caused the data scraping no longer exists. Nonetheless, the company still faces an investigation by regulators in the EU and could be fined.
Ireland’s Data Protection Commission (IDPC) is the first regulator intending to look into the data leak because of its possible infringement of the GDPR.
According to Data Protection, a significant number of the affected users are in the EU. “Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR,” the website adds. Furthermore, some of the leaked data may be from a later period, meaning that Facebook is in breach of the GDPR, according to the DPC regulator.
Previous Penalties Faced by Facebook
Last year, Canada’s Competition Bureau claimed that Facebook had mishandled user information by creating the false impression that users could control who could see and access their personal information via privacy features. The penalty was estimated at CAD 9 million (about USD 6.5 million or EUR 5.9 million). The Bureau found that Facebook’s privacy claims were not consistent with the way it shared users’ personal data with some third-party developers.