Over 500 million Facebook users have been found on a website used by hackers. Also in the data is the information of over one million Irish users. This comes years after the social media giant was rocked by the Cambridge Analytica scandal.
Originally reported by Business Insider the leak has information from 106 countries including users’ phone numbers, Facebook IDs, full names, locations, birthdates, and email addresses.
Previous datasets were published by a Ukrainian security researcher in 2019 and 2018 following a large-scale scraping of the Facebook website. The social media giant stated that this scraping had happened between June 2017 and April 2018 before Facebook added a fix to address the issue. Because the scraping took place prior to the introduction of GDPR, Facebook chose not to notify this as a personal data breach under GDPR.
Irish Data Protection Commission Response
I reached out to the Data Protection Commission for comment. Deputy Commissioner Graham Doyle said “this appears to be in relation to an issue previously reported in 2019 involving the scraping of personal data from Facebook Inc that occurred pre-GDPR. However, following this weekend’s media reporting we are examining the matter to establish whether the data set referred to is indeed the same as that reported in 2019”.
The DPC also stated that after “attempts over the weekend to establish the full facts […] it received no proactive communication from Facebook”. In response to queries from the DPC, Facebook responded, saying “based on our investigation to date, we believe that the information in the data-set released this weekend was publicly available and scraped prior to changes made to the platform in 2018 and 2019. As I am sure you can appreciate, the data at issue appears to have been collated by third parties and potentially stems from multiple sources. It therefore requires extensive investigation to establish its provenance with a level of confidence sufficient to provide your Office and our users with additional information”.
Is Your Data In The Facebook Leak?
The first question you’ll be asking yourself right now is whether or not this affects you. The safest thing to assume is that if you are a Facebook user, or even were a user years ago, you should assume you’re affected. Change your passwords and be very cautious with any communication claiming to be from Facebook.
Some of the leaked records available to hackers include phone numbers and email address. This leaves you somewhat open to receiving spam communications and also phishing or smishing. This means someone could claim to be your bank for example and try to get your PIN number. Now is the time to be extra vigilant with everything.
Checking to see if you’ve been involved in the data leak is surprisingly easy. The website haveibeenpwned.com gathers the data from leaks and creates a searchable database. Simply pop your details in and it’s cross-checked against hundreds of known leaks from companies like Under Armour, Adobe and, of course, Facebook.
More on this as it develops. Hit the bell in the bottom left corner to get updates on this story.
Update 05.04.2021: Comment from DPC added.
Update 06.04.2021: Additional comments from DPC including correspondence between DPC and Facebook. Also added information on how to check if this impacts you.