A US Federal Trade Commission (FTC) agreement obliges Facebook to report breaches affecting 500 or more users within 30 days of confirming an incident.
Late last week, Facebook Director of Communications Liz Shepherd claimed data pertaining to more than half a billion users was stolen two years ago, and that the company “found and fixed” the issue back then.
Facebook has not notified the 533 million users whose personal information was obtained during a 2019 leak and does not have plans to do so, a company spokesperson said.
The spokesperson added that the social networking giant was not sure it had full visibility on which users would need to be notified, and that in deciding not to notify the users, who were mainly from the US and Europe, the company also took into account that the data was publicly available.
Ireland’s Data Protection Commission, the EU’s lead regulator for Facebook, said for its part that it had contacted the company in connection with the data leak. The commission added that it had received “no proactive communication from Facebook” but was currently in contact.
The leak includes personal information on 533 million Facebook users, such as phone numbers, Facebook IDs, full names, locations, birth dates, bios and in some cases email addresses.
“This is old data that was previously reported on in 2019” Facebook spokesperson wrote in an email pic.twitter.com/1m0CgDB441
— Hemir Desai (@hemirdesai) April 4, 2021
The statement comes after Business Insider reported last week that personal details, including the phone numbers of 533 million Facebook users, had been leaked and posted on a “low-level” online hacking forum.
The news outlet cited Alon Gal, the chief technical officer of Hudson Rock, the cybercrime intelligence firm that detected the leak, as saying the information could be used by online fraudsters for identity theft or phishing scams.
“A database of that size containing the private information such as phone numbers of a lot of Facebook’s users would certainly lead to bad actors taking advantage of the data to perform social engineering attacks [or] hacking attempts”, Gal argued.
He called the leak of personal information “a huge breach of trust” for such “a reputable company” as Facebook, insisting that it “should be handled accordingly”.
The leak reportedly affected users from 106 countries, including 32 million in the US, 11 million in the UK, and 6 million in India. The information included phone numbers, Facebook IDs, full names, locations, dates of birth, profile biographies, and in some instances the users’ email addresses.
The social network, in turn, referred to “malicious actors” who managed to obtain the data in September 2019 by “scraping” profiles with the help of a vulnerability in the platform’s tool for synchronising contacts.
Facebook’s director of communications, Liz Shepherd, confirmed the data was stolen two years ago, claiming the company “found and fixed” this issue at the time.
In March 2019, media outlets reported that the personal information of about 50 million Facebook users had been harvested by Cambridge Analytica without the social media site’s consent during Donald Trump’s presidential campaign in 2016.