- Facebook noted that the data breach of 533 million users dates back to 2019 and that it was fixed in 2019.
- Aaron Gal, a security researcher, reported that the vulnerability was spotted in early 2020.
- Analysts and researchers note that data never gets old for data brokers and can be used for multiple scams.
Facebook's data breach of 533 million users dates back to 2019, according to the social media giant. In a blog post yesterday, Facebook said that the malicious actors did not hack its systems but scraped the data from its platform. It describes scraping as the use of automated software to lift public information from the internet, which can end up being distributed in online forums like this. "It is important to understand malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019," the social media giant noted.
Facebook said that a vulnerability discovered in 2019 allowed the phone numbers of millions of users to be scraped from Facebook servers. It said that the vulnerability was patched in August 2019. "This is old data that was previously reported in 2019. We found and fixed this issue in August 2019," a Facebook spokesperson said. The leaked data set was reportedly created by attackers who abused a flaw in a Facebook address book contacts import feature.
Facebook, however, did not publicly acknowledge this flaw or inform its users about it until it was reported last week. Former Federal Trade Commission chief technologist Ashkan Soltani told Wired, "At what point did Facebook say, 'We had a bug in our system, and we added a fix, and therefore users might be affected'? I don't remember ever seeing Facebook say that. And they're kind of stuck now because they apparently didn't do any disclosure or notification."
The Irish Data Protection Commission noted in a statement that it received no proactive communication from Facebook regarding the breach. The commission noted that "newly published data set seems to comprise the original 2018 (pre-GDPR) data set and combined with additional records, which may be from a later period."
The Guardian reported that even if the Facebook breach dates back to 2019, it will cause trouble for the company because, under certain privacy regulations including Europe's GDPR, the social media giant should have alerted its users about the breach. Rob Shavell, chief executive officer of DeleteMe, a personal data protection tool, told the publication that even if the data is old, it will always be useful to data brokers. "It helps them correlate related information that is new and dump them into these profiles, which they sell online for as little as 99 cents," he said.
It stated that the data leaked from Facebook can be used in combination with the current user data online "to hack accounts, including bank and other accounts that require two-factor authentication texting a confirmation code to a phone number to verify a person's identity."
Ivan Righi, a cyberthreat intelligence analyst, told the publication that there was a possibility that the breach was resold multiple times until the price was low enough for a user to publicly expose it to generate a small profit to gain a reputation. He noted that old data is also valuable for cybercriminals.
The breach also included the details of Facebook CEO Mark Zuckerberg, whose contact number, name, location, marriage details, birth date, and Facebook user ID were leaked. Zuckerberg's leaked contact also revealed that he used the Signal app.
Aaron Gal, a security researcher, first reported that the vulnerability was spotted in early 2020 and that it enabled seeing the phone number linked to every Facebook account, creating a database containing the information of 533 million users across all countries. The exposed data included details like phone numbers, Facebook IDs, full names, locations, birth dates, bios, and even email addresses of some users. Over 3.2 crore accounts in the US, 1.1 crore in the UK, and 60 lakh in India were exposed.