After information from 533 million Facebook users was exposed to hackers, the company has tried to reassure users, saying that the data was leaked years ago and has since been secured.
But experts say the issue is still grave – whether it happened in 2021 or years prior – largely because of the nature of the leaked data.
The dataset, first reported by Business Insider, contained information from 106 countries including phone numbers, Facebook IDs, full names, locations, birthdates and email addresses.
Even if it did not include passwords, the data is significant because those identifiers don’t often change, said Rob Shavell, chief executive officer of DeleteMe, a personal data protection tool.
“Even if the data is old, it’s never really old because it will always be useful for data brokers,” he said. “It helps them correlate related information that is new and dump them into these profiles, which they sell online for as little as 99 cents.”
That the leak dates back to 2019 may actually work to Facebook’s detriment: under some privacy regulations, including Europe’s GDPR, that means the company should have alerted users under privacy-related reporting requirements. Ireland’s Data Protection Commission announced on Tuesday it was investigating the breach to see if it violated any rules.
“The DPC attempted over the weekend to establish the full facts and is continuing to do so,” it said in a statement. “It received no proactive communication from Facebook.”
The data probably changed hands many times, said Ivan Righi, cyberthreat intelligence analyst at the San Francisco cybersecurity firm Digital Shadows. He said it appeared the data had initially been listed at a relatively steep price, limiting the number of hackers who were willing to buy.
“The breach was probably resold multiple times since then until the price lowered enough that a user decided to publicly expose it to generate a small profit and increase reputation,” he said, adding that this behavior was common for hackers. “While the data may be old, it still holds a lot of value to cybercriminals.”
Data leaked from Facebook can be used in combination with existing user data online to hack accounts, including bank and other accounts that require two-factor authentication – texting a confirmation code to a phone number to verify a person’s identity. The leaking of phone numbers can also be problematic amid the meteoric rise of robocalls in recent years.
“Forget about being hacked, it’s just annoying to be constantly getting spam calls,” Shavell said. “The data breach, whether they say it’s old or not, is another way spammers get this information.”
The latest breach adds fuel to the antitrust fight that has been brewing in Washington. Facebook has experienced data security issues in the past, most notably when the political firm Cambridge Analytica accessed information of up to 87 million users without their knowledge.
The new breach also calls attention to the need for additional regulations in the EU, said Varoon Bashyakarla, a data scientist who works as a technical adviser to the Real Facebook Oversight Board – an activist group intended to hold Facebook accountable for content decisions. Bashyakarla said his own data had been exposed in the breach.
“This incident underscores the need for Facebook to respond to European regulators and not merely American ones,” he said. “If there are no consequences for incidents like this one, they will continue, as we’ve observed over the last several years.”
The Electronic Frontier Foundation (EFF), which called the newly revealed breach “horrific”, said Facebook’s dominance in the tech industry directly contributed to hacks like these. There are few options for users who, fed up with privacy breaches, do not want to use the platform – Facebook already owns alternatives including Instagram and WhatsApp.
“Privacy does not come from monopoly,” Cory Doctorow of EFF said. “Facebook’s data breach problems are the inevitable result of monopoly, in particular the knowledge that it can heap endless abuses on its users and retain them.”
Facebook did not immediately respond to a request for comment.
Users can check legitimate websites including HaveIBeenPwned to see if their data is included in the leak, or in leaks past.