Facebook decided not to notify over 530 million of its users whose personal data was lifted in a breach sometime before August 2019 and was recently made available in a public database. Facebook also has no plans to do so, a spokesperson said.
Phone numbers, full names, locations, some email addresses, and other details from user profiles were posted to an amateur hacking forum on Saturday, Business Insider reported last week.
The leaked data includes personal information from 533 million Facebook users in 106 countries.
In response to the reporting, Facebook said in a blog post on Tuesday that “malicious actors” had scraped the data by exploiting a vulnerability in a now-defunct feature on the platform that allowed users to find each other by phone number.
The social media company said it found and fixed the issue in August 2019 and it's confident the same route can no longer be used to scrape that data.
“We don’t currently have plans to notify users individually,” a Facebook spokesman told NPR.
According to the spokesman, the company does not have complete confidence in knowing which users would need to be notified. He also said that in deciding whether to notify users, Facebook weighed the fact that the information was publicly available and that it was not an issue that users could fix themselves.
The information did not include financial information, health information or passwords, Facebook said, but the data leak still leaves users vulnerable, security experts say.
“Scammers can do an enormous amount with little information from us,” says CyberScout founder Adam Levin, a cybersecurity expert and consumer protection advocate. In the case of this breach, he said, “It’s serious when phone numbers are out there. The danger when you have phone numbers in particular is a universal identifier.”
Phone numbers are increasingly used to connect people to their digital presence, including the use of two-factor authentication via text message and phone calls to verify one’s identity.
The misuse of its user data is a familiar battle for Facebook, and its handling of user privacy has endured scrutiny.
In July 2019, months before patching up the aforementioned issue, Facebook reached a $5 billion settlement with the U.S. Federal Trade Commission for violating an agreement with the agency to protect user privacy.
To find out whether your personal information was leaked in the breach, you can check the data tracking tool Have I Been Pwned. Its creator, Troy Hunt, updated the site with the latest data from the Facebook leak. Hunt said that 65% of the latest batch of data had already been added to the tracker from previous leaks.
Editor’s note: Facebook is among NPR’s financial supporters.