Facebook has been repeatedly accused not just of anticompetitive business practices but also of strategies that violate users’ privacy in order to make a profit. In that context, it’s almost ironic that the latest drama that the social networking giant will be dragged into isn’t something it actively or intentionally caused. Instead, the hundreds of millions of personal information that has just been leaked for free over the Internet may have been due to Facebook’s negligence but, as always, it will be those users who will be paying the ultimate price.
Over 533,000,000 Facebook user have had their information now exposed to the world, or at least to people with enough technical know-how to lift the pieces from the leaked database. Although it thankfully didn’t include passwords, which would have made it all too easy to hack into accounts directly, the dump did include Facebook IDs, phone numbers, full names, birth dates, and some email addresses. Taken together, these pieces of information could be used for phishing schemes or fraud to then get people’s credentials or even credit card information.
Business Insider says that a Facebook representative pointed to an old vulnerability as the source of this massive data leak. In 2019, that vulnerability allowed hackers to simply scrape phone numbers off Facebook’s servers without much effort. Facebook says it patched the vulnerability but it may have actually been too late to put the cat back in the bag.
Earlier this year, there was a report of a hacker selling a bot that would provide such phone numbers of Facebook users for a price. Almost three months later, however, the entire dataset has been made available to a hacking forum for absolutely free.
Facebook has been trying to put a lid on its scraping problems since the high-profile Cambridge Analytica case in 2016 but, as can be seen, it hasn’t exactly been that successful. Unfortunately, unlike with password hacking incidents, there is little Facebook can do now that users’ data is already out in the wild. It can and should, however, at least acknowledge it in order to warn users to keep an eye out for phishing attempts and scams.