Information belonging to 553 million Facebook users has been posted online in an incident the company says was due to scraping and not a cyberattack.
Facebook IDs, names, dates of birth, gender, location, and relationship status, among other data points, were leaked, with each dataset broken up by country and made freely available online.
The mass data collection took place in 2019. In a blog post on Tuesday, the social media giant blamed scraping, a technique in which automated software lifts publicly available data from internet resources.
In this case, a functionality issue in Facebook's contact importer, prior to September 2019, allowed individuals to "imitate our app and upload a large set of phone numbers to see which ones matched Facebook users, [allowing them to] query a set of user profiles and obtain a limited set of information about those users included in their public profiles," according to the company.
While this did not include user credentials, it still allowed for the mass-scraping of profile data.
The social media giant has since updated the contact importer to hinder future scraping efforts, but the information already gathered is now out there.
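One way a service could flag the contact-importer abuse described above is to look for clients that upload far more numbers than an address book holds, or numbers that run in consecutive blocks. The sketch below is an added example, not Facebook's code or its actual fix; the log schema, client names, thresholds and sample records are all constructed assumptions.

```python
from collections import defaultdict

# Constructed thresholds (assumptions; tune against real traffic).
MAX_NUMBERS_PER_DAY = 2000   # a genuine address book rarely exceeds this
MAX_SEQUENTIAL_RATIO = 0.5   # share of numbers whose successor was also uploaded

def sequential_ratio(numbers):
    """Fraction of uploaded numbers whose successor (n+1) was also uploaded.
    Assumes numbers are already normalised to international format (+digits)."""
    values = {int(n.lstrip("+")) for n in numbers}
    if len(values) < 2:
        return 0.0
    hits = sum(1 for v in values if v + 1 in values)
    return hits / (len(values) - 1)

def flag_enumerators(events):
    """events: iterable of (client_id, day, [phone numbers]) import records.
    Returns {(client_id, day): [reasons]} for clients that look like scrapers."""
    per_client = defaultdict(list)
    for client_id, day, numbers in events:
        per_client[(client_id, day)].extend(numbers)  # scrapers split work into batches
    flagged = {}
    for key, numbers in per_client.items():
        reasons = []
        if len(set(numbers)) > MAX_NUMBERS_PER_DAY:
            reasons.append("volume")
        if sequential_ratio(numbers) > MAX_SEQUENTIAL_RATIO:
            reasons.append("sequential")
        if reasons:
            flagged[key] = reasons
    return flagged

def sample_events():
    """Constructed records: one ordinary address book and two enumerating clients."""
    day = "2019-06-01"
    book = ["+14155550123", "+442079460958", "+61491570156", "+14155550177", "+33155550142"]
    events = [("app-a", day, book)]
    for batch in range(3):  # three uploads of 1,000 consecutive numbers each
        start = 15555000000 + batch * 1000
        events.append(("app-b", day, [f"+{n}" for n in range(start, start + 1000)]))
    # Low volume, but still a consecutive block rather than a contact list.
    events.append(("app-c", day, [f"+{n}" for n in range(447700900000, 447700900050)]))
    return events

if __name__ == "__main__":
    for key, reasons in flag_enumerators(sample_events()).items():
        print(key, reasons)
```

Aggregating per client and day before scoring matters because a scraper that stays under a per-request limit still stands out once its batches are combined.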
In terms of data age, 2019 to 2021 is not a long period, and this information can be valuable not just to threat actors -- who may use contact details and phone numbers for purposes including phishing and social engineering -- but also to unscrupulous marketers creating profiles for targeted ads, spam, or robocalls.
To see if you have been included in this data breach, you can go over to Have I Been Pwned, a search engine service offered by security expert Troy Hunt.
As data leaks occur, data dumps are added to the engine in order to allow the general public to type in an email address or phone number -- in an international format -- and see if their information has been published online.
Facebook's record leak is the latest set to be added to the engine and you should check both your email and phone number, as only 2.5 million records contain an email address. Therefore, links to the Facebook breach might not appear if you just search your email but not your phone number.
While there is little that can be done once your data is exposed, if you have been involved in the leak, you should be wary of potential phishing scams or fraudulent cold calls.
Conducting a regular and general privacy check on your social media profiles is always worthwhile, and this can include whether or not you allow others to look you up on Facebook through an email address or phone number.
"We are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists," Facebook says. "We're focused on protecting people's data by working to get this data set taken down and will continue to aggressively go after malicious actors who misuse our tools wherever possible."
The Irish Data Protection Commission is attempting to "establish the full facts" surrounding the data leak and noted that the watchdog has "received no proactive communication from Facebook."
"As the price of personal data climbs, breaches of any size -- let alone half a billion users -- should no longer be tolerated," commented Adam Enterkin, Global SVP of Sales at BlackBerry. "Organizations have full responsibility for the data stolen; even seemingly low-stakes data can be used to exploit customers. If you collect it, protect it."