The personal data of about 533 million Facebook users was recently discovered on a hacking forum, leaving many users asking questions, according to NPR. The breach is believed to have occurred before August 2019 and to have relied on a vulnerability that the tech giant says it has patched. The company does not plan to notify individuals who have been affected and in some cases may not even be sure which users were involved.
Old data, new revelations
Although the stolen data seems to have only recently been made available, the exploit itself took place all the way back in 2019. According to a Facebook blog post on the breach, the responsible hacker was able to access the information using a vulnerability in a platform feature that allowed users to find each other's phone numbers. The company said that the hacker had used an automated tool to gather the information quickly, a technique known as "scraping."
According to Facebook, the data breach revealed information like full names, phone numbers, locations and email addresses. No financial information was affected by the breach. In all, users in 106 different countries were impacted.
While the stolen data may not have been especially sensitive, cybersecurity experts were quick to note the damage that the breach could still do to consumers.
"Scammers can do an enormous amount with little information from us… The danger when you have phone numbers, in particular, is [that it's] a universal identifier," said CyberScout founder Adam Levin, speaking with NPR.
The fallout of the breach largely remains to be seen. According to the BBC, the Irish data commissioner is set to investigate the situation. A class-action lawsuit for impacted EU-based consumers is also supposedly in the works.
A limited public response
So far, Facebook has made a concerted effort to downplay the potential impact of the attack and say as little about it as possible. In its blog post, Facebook emphasized that the scraping technique used wouldn't have worked in 2021 and that more important personal data, like financial information, was never at risk. Notably, the statement was noncommittal about whether preventing future, similar incidents was possible.
"We're focused on protecting people's data by working to get this data set taken down and will continue to aggressively go after malicious actors who misuse our tools wherever possible. While we can't always prevent data sets like these from recirculating or new ones from appearing, we have a dedicated team focused on this work," the blog post read.
Facebook also announced that it would not be notifying individual users who had been impacted by the breach. A spokesperson noted that all of the data released by the hacker was already publicly available in some form or another. The spokesperson also said that since the exploit took place in 2019, there was little that victims could do to address the issue.
The muted response has been confirmed as a planned strategy. In a leaked internal email, which was accidentally sent to a Belgian news website, Facebook leaders discussed an effort to reframe the breach as a "broad industry issue," according to the BBC. The email also called for limited statements on the matter. A Facebook spokesperson has confirmed the authenticity of the leaked email.
Issues with consumer data aren't new to Facebook. In July 2019, shortly before the alleged scraping occurred, the Federal Trade Commission fined the tech company $5 billion for using consumer phone numbers for marketing purposes without permission, amongst other violations. That fine was itself a response to Facebook breaking a settlement made with the agency in 2011, according to NPR. Other issues included running facial recognition tracking on users without permission.
Modern cybersecurity you can depend on
As one of the largest tech companies on the planet, entrusted with billions of users' personal data, Facebook has a lot riding on cybersecurity that works. Even if you're not working for an organization of that scale, keeping your data safe is also essential. One of the easiest and most important ways to shore up your network is by ensuring all of your applications are protected by modern, secure identity frameworks. This can include multi-factor authentication, and some vendors are even moving to integrate biometric recognition technologies such as fingerprint readers.