Business Insider confirmed the veracity of the leaked data by testing some of the email addresses and phone numbers in the set. According to a Facebook spokesperson, the data had been obtained due to a vulnerability the company patched in 2019. Now that the data set has been publicized, anyone with rudimentary data skills can access it for their use. The news outlet attempted to get in touch with the hacking forum member but did not get a response.
Hudson Rock Chief Technology Officer Alon Gal first discovered the leaked data set in January. The executive of the cybercrime intelligence firm expressed concern that the cybercriminals could use the information for nefarious purposes. "A database of that size containing the private information would certainly lead to bad actors taking advantage of the data," he commented. Gal first caught wind of the leaked data when a user in the same forum promoted an automated bot that could provide phone numbers for troves of Facebook users – for a price.
The Hudson Rock CTO said that Facebook could not do much to help users affected by the breach, given that their data is already exposed. However, Gal said that Facebook could remind its users moving forward to be on the lookout for phishing schemes or other fraudulent activities using their data.
"Individuals signing up to a reputable company like Facebook are trusting them with their data, and Facebook [is] supposed to treat the data with utmost respect. Users having their personal information leaked is a huge breach of trust – and should be handled accordingly," Gal remarked.
While the social media site managed to fix the aforementioned 2019 vulnerability, information extracted during that breach is included in the recently leaked data. The breach enabled unscrupulous actors to scrape millions of phone numbers from Facebook servers, violating the platform's terms of service.
Bad actors managed to exploit the Facebook issue in 2019, resulting in the data set posted in the hacker forum more than a year later. An article published in The Conversation surmised that the data was likely acquired through a misuse of legitimate functions in the Facebook system. Such incidents can occur when parties utilize a website's seemingly innocent feature for an unexpected purpose.
Facebook data had been compromised before.
In March 2018, the social media site headed by Mark Zuckerberg issued a statement claiming that a psychology professor at the University of Cambridge named Aleksandr Kogan violated Facebook's platform policies by passing data from an app that was using Facebook login to Cambridge Analytica – a firm that does political, government and military work around the world.
The British consultancy firm obtained data belonging to over 80 million Facebook users, utilizing it for targeted political advertisements.
A TechCrunch report in 2019 said that Facebook employees had raised alarm bells about Cambridge Analytica as early as September 2015. A Securities and Exchange Commission (SEC) filing noted that the social media company was already aware of concerns raised by staff members assigned to the political advertising unit. Facebook staffers described the British data firm as a "sketchy data modeling company that has penetrated our market deeply."
The SEC filing also noted that Facebook "had no specific policies or procedures in place to assess or analyze" these potential concerns.
Facebook itself later severed ties with Cambridge Analytica and its parent company Strategic Communication Laboratories. In a March 2018 statement, the social media site clarified that there was no data breach. Instead, it said that people consented to providing their data – but these pieces of information were forwarded to third parties without the users' consent. Facebook also reiterated its commitment to "vigorously enforcing [its] policies to protect people's information."
"We will take whatever steps are required to see that this happens – including legal action if necessary," the social media giant stated.