Half a Billion Facebook Users Had Their Personal Data Breached, Facebook Has No Plan to Tell Them
According to reports, Facebook has not alerted any of its more than half a billion users who recently had their personal data — including names and phone numbers — leaked in a data breach. The company also has no plans to do so in the future.
Business Insider first reported last week that the personal data of over 530 million Facebook users was available in an unsecured public database. The exposed information included “phone numbers, Facebook IDs, full names, locations, birthdates, bios, and, in some cases, email addresses,” Insider reported.
In a blog post responding to the news, Facebook said that the leaked user data was obtained in 2019 by “malicious actors” who used a “scraping” mechanism on a feature that was designed to help new users connect with friends on the social media platform.
The data breach affected users from 106 countries — including over 32 million records on users in the U.S. and 11 million on users in the U.K. A Facebook spokesperson told Reuters that the company does not currently have a plan to notify the users that their information was compromised.
“The Facebook spokesman said the social media company was not confident it had full visibility on which users would need to be notified,” Reuters reported. “He said it also took into account that users could not fix the issue and that the data was publicly available in deciding not to notify users.”
In its blog post, Facebook said that it is “confident that the specific issue that allowed them to scrape this data in 2019 no longer exists.”
The company also claimed that the breached data did not include users’ financial information, health information, or passwords.
Still, the data that was shared in the unsecured public database could be valuable for future hackers or cybercriminals. Alon Gal, CEO of the cybercrime intelligence firm Hudson Rock, is the person who discovered the data breach. He told Business Insider that hackers could easily use the information to impersonate users or scam them into giving out their login credentials or financial information.